
Raspberry Robin Dupes Researchers With Fake and Real Payloads

Cybercriminals behind the Raspberry Robin worm appear to be casting around for new ways to evade detection during deployment. This time, the malware hides behind multiple layers of obfuscation and delivers a decoy payload to mislead researchers.

What’s happening?

  • From October to November, Raspberry Robin targeted telecommunications service providers and government systems in Argentina, Australia, Mexico, Croatia, Italy, Brazil, France, India, and Colombia. 
  • Researchers suspect the operators are testing the waters: the malware drops either a fake or a real payload depending on the environment it lands in.

Unraveling the ‘fake’ strategy

According to Trend Micro researchers, the malware reaches target systems on infected USB drives. It relies on social engineering to get the user to click a file on the drive, and from there spreads to other systems.
  • The main routine carries both a real and a fake payload. When it detects a sandbox or analysis tooling, it loads the fake payload, an adware sample called BrowserAssistant.
  • The fake payload is itself wrapped in two further layers. On execution it reads the Windows registry for infection markers and then collects basic system information, steps designed to convince an analyst that this is the final payload.

If the environment looks like a genuine target, however, the real Raspberry Robin payload is loaded instead.

The ‘real’ strategy

The real payload is wrapped in ten layers of obfuscation and embeds a custom Tor client for command-and-control communication.
  • It uses privilege escalation techniques to obtain administrative rights and drops a copy of itself into a system folder.
  • It then uses a UAC bypass technique to execute the dropped file as administrator. 
  • Once running with those rights, the malware connects to hard-coded Tor addresses to exchange data with its operators.
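As an added example, not code from Trend Micro's report or from Cyware, here is how a defender might correlate the three steps above in endpoint telemetry: a process running from outside the system folders writes an executable into one of them, that file is later started at High or System integrity, and the elevated process then opens an outbound connection. The event format, field names, list of system folders, 15-minute window and sample log lines are all assumptions constructed for this example; the report does not list the Tor addresses or name the UAC bypass, so the last step matches any outbound connection from the elevated dropped binary.

```python
"""Correlate the drop -> elevated execution -> outbound connection chain over
constructed Sysmon-style events. Added example, not code from the report."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

# Assumed list of "system folders" (not taken from the report): an executable
# written here by a process that itself runs from outside them is a "drop".
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
HIGH_INTEGRITY = {"high", "system"}   # integrity levels counted as "elevated"


@dataclass
class Event:
    ts: datetime
    kind: str            # file_create | process_create | network_connect
    image: str           # acting process (the parent, for process_create)
    target: str = ""     # file written | child image | remote address
    integrity: str = ""  # integrity level of the child (process_create only)


def parse_event(line: str) -> Event:
    """Parse one constructed '<iso-ts> <kind> k=v|k=v' line."""
    ts_s, kind, rest = line.strip().split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split("|"))
    return Event(ts=datetime.fromisoformat(ts_s), kind=kind,
                 image=fields.get("image", ""), target=fields.get("target", ""),
                 integrity=fields.get("integrity", "").lower())


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def correlate(lines, window=timedelta(minutes=15)):
    """Return one alert per dropped binary that completes all three steps
    within `window` of the drop. Binaries that only complete steps 1 and 2,
    or that are started at Medium integrity, produce nothing."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.ts)
    drops, elevated, alerts = {}, {}, []
    for e in events:
        # The dropped path is the join key: the file written, the child image
        # started, or the image that opens the connection.
        key = (e.image if e.kind == "network_connect" else e.target).lower()
        if e.kind == "file_create":
            if in_system_dir(e.target) and not in_system_dir(e.image):
                drops[key] = e
        elif e.kind == "process_create":
            d = drops.get(key)
            if d and e.integrity in HIGH_INTEGRITY and e.ts - d.ts <= window:
                elevated[key] = (d, e)
        elif e.kind == "network_connect":
            hit = elevated.pop(key, None)       # alert once per dropped binary
            if hit and e.ts - hit[0].ts <= window:
                d, p = hit
                alerts.append({
                    "dropped": d.target,
                    "dropper": d.image,
                    # "copy of itself": dropper and dropped file share a basename
                    "self_copy": ntpath.basename(d.image).lower()
                                 == ntpath.basename(d.target).lower(),
                    "elevated_by": p.image,
                    "remote": e.target,
                })
    return alerts


# Constructed sample events (not real telemetry). Parent images and addresses
# are placeholders; the report does not name the bypass or the Tor addresses.
SAMPLE_LOG = r"""
2022-10-05T09:00:00 file_create image=c:\users\alice\appdata\local\temp\upd.exe|target=c:\windows\syswow64\upd.exe
2022-10-05T09:00:04 process_create image=c:\windows\system32\dllhost.exe|target=c:\windows\syswow64\upd.exe|integrity=High
2022-10-05T09:00:09 network_connect image=c:\windows\syswow64\upd.exe|target=203.0.113.7:443
2022-10-05T09:30:00 file_create image=c:\windows\system32\svchost.exe|target=c:\windows\system32\drivers\etc\hosts
2022-10-05T10:00:00 file_create image=c:\users\bob\downloads\setup.exe|target=c:\program files\acme\acme.exe
2022-10-05T10:00:03 process_create image=c:\users\bob\downloads\setup.exe|target=c:\program files\acme\acme.exe|integrity=Medium
2022-10-05T10:00:10 network_connect image=c:\program files\acme\acme.exe|target=198.51.100.2:443
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the first chain fires: the second writer (svchost.exe) already lives in a system folder, and the third chain is a normal installer whose child runs at Medium integrity. In real Sysmon data the three event kinds correspond to Event IDs 11, 1 and 3, with different field names (TargetFilename, Image, IntegrityLevel, DestinationIp), and the parent of the elevated process depends on which UAC bypass was used.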

The recently added TTPs resemble those of LockBit, suggesting the two projects may be associated.

The takeaway

  • Though the dynamics and objectives of the operators behind Raspberry Robin remain unclear, they are typically observed selling initial access to ransomware gangs and other malware operators.
  • Are the actors behind it preparing something bigger? Regardless, Windows users should be careful about which USB drives they plug into their systems.
Publisher: Cyware