eSentire Threat Intelligence Malware Analysis: Raspberry Robin

Since May 2022, eSentire’s Threat Response Unit (TRU) has observed 11 cases of Raspberry Robin infections. Although the initial access vector is an infected USB drive, however it’s unclear how the USB drives were initially infected. Raspberry Robin hosts its payloads on compromised QNAP servers with the malicious files being stored on USB drives as shortcuts.

This malware analysis delves deeper into the technical details of how the Raspberry Robin malware operates and our security recommendations to protect your organization from being exploited.

Case Study

Deutsche Telekom CERT has indicated that they conducted interviews with infected users who used the USB drives in a printing store prior to the USBs infection. It is believed that someone infected the printers at these stores. This serves as a good reminder that USBs should be avoided in corporate environments, and if used outside your network, they should be ‘scrubbed’ prior to inserting the drive back into a corporate endpoint.

Raspberry Robin hosts its payloads on compromised QNAP servers from which they derived a second name “QNAPWorm”. The malicious files are stored on the USB drives as shortcuts (.LNK) files with the command such as "C:\WINDOWS\system32\cmd.exe" /c type CObq.LOG or C:\WINDOWS\system32\CMD.EXE" /v /rTyPe biLj.]dAt|cMD with additional secondary files containing extensions such as .chk, .rs, .usb, .exi, .qz, .bin, .dat, .ini, .ico, .log

The file with extensions would have the contents like the one shown in Figure 1.

After being injected onto the computer, the worm spawns cmd.exe to run the malicious files with the extensions mentioned above.

We have observed the following command (the second parameter contains the name of the LNK file stored on the USB drive):

• EXpLOrER KingsTON
• exPLoreR "Unità USB"
• EXPLoreR "UDISK 2.0"
• eXPLOreR "Removable Disk"
• eXploRER TOSHIBA
• eXplorEr yered
• eXpLoreR "Disco extraíble"

After that, two processes are spawned:

• explorer.exe containing the commands mentioned in Figure 1
• msiexec.exe

Raspberry Robin spawns msiexec.exe to download and run a malicious DLL (Dynamic Link Library) file.

The malicious msiexec.exe executions that we have observed so far:

As you can see, the patterns are very similar. The infected machine reaches out to the infected QNAP server over port 8080 and sends along the username and computer name of the affected user with the <computer_name>?<username> or <computer_name>=<username> patterns.

Raspberry Robin leverages rundll32.exe followed by shell32.dll and calls the ShellExec_RunDLL or ShellExec_RunDLLA functions to execute the DLL via the processes such as odbcconf.exe, msiexec.exe and control.exe.

Raspberry Robin Infection and Analysis

In August 2022, TRU has observed Raspberry Robin delivering SocGholish downloader. It is worth nothing that on May 2022, Microsoft released a blog post mentioning Raspberry Robin dropping SocGholish and the ties to the infamous cybercrime group Evil Corp which first appeared in 2009 and is operated internationally and led by a Russian cybercriminal Maksim V. Yakubets.

The incident tree generated by Microsoft Defender ATP is shown in Figure 3.

The DLL retrieved from the compromised QNAP server (6da9212d45c2a06bb2dd76dacff2d7bf) is dropped onto C:\ProgramData\\taquz.xsd folder.

Approximately 7 seconds later, the SocGholish JavaScript Is dropped onto C:\Users\AppData\Local\Temp\<random_name>.js folder (Figure 4). The SocGholish JS script is spawned using the technique mentioned before for running the DLLs.

The command used to run the JS file is:

• rundll32.exe shell32 ShellExec_RunDLLA wscript <malicious_file>.js

SocGholish would proceed with discovery and enumeration commands and output them to a rad<random_five_characters>.tmp file under C:\Users\<username>\AppData\Local\Temp\rad<random_five_character>.tmp.

The commands ran:

• SELECT * FROM AntiVirusProduct (leveraging Windows Management Instrumentation (WMI), enumerating the Antivirus products)
• whoami.exe whoami /all (discovery of the user or owner)

The gathered information would be sent to SocGholish C2 server and, in the worst-case scenario, the ransomware is executed at the last stage. Previously known ransomware used in SocGholish infections are DoppelPaymer, LockBit 3.0, WastedLocker. All mentioned ransomwares are used by Evil Corp.

The dropped DLL (6da9212d45c2a06bb2dd76dacff2d7bf) is a 32-bit executable written in C++ (1.59 MB file size). The compilation timestamp is August 26, 2022, which is the date of when the infection happened. The GUID within the debugging artifacts is 90FD1E65-DCC7-4851-ACCB-1F7089954836. By analyzing the entropy with PortEx (Figure 5) we can assume that the payload is packed.

The payload contains two DLL binaries encrypted within. The first DLL is decrypted via the XOR and series of decryption using divisions and modulus of 256.

Before applying another layer of decryption which resembles RC4 (Figure 7), the payload would call VirtualAlloc to allocate the memory for the second DLL payload (Figure 8).

With the second call to VirtualAlloc, we can see that the second DLL payload has been successfully decrypted at 0x005F0000 address.

The second DLL is approximately 9 KB in size (a672d61d2e0a2047411ecbc3aa0fc059). The secondary payload contains some interesting string decryption algorithms.

The payload takes the first 20 bytes of the ciphertext (byte_) and then substitutes with byte_403070 which is 4c7d8fd183daca4438a2ca1d2202ff48d93038 in hex bytes.

The decrypted API calls:

• LoadLibraryA
• GetProcAddress
• VirtualAlloc
• VirtualProtect

Immediately, we observed the LdrLoadDll API call and the relative jump opcode 0xE9. The payload attempts to hook NTDLL.dll!LdrLoadDll by overwriting it with the relative jump opcode (Figure 11).

Within the same function we are seeing the mention of snxhk.dll, which belongs to Avast “Hook Library” (Figure 12). The same technique was described in the Dridex analysis by Vitali Kremez – the snxhk.dll library is used to monitor the LdrLoadDll API calls. Security researchers at IBM also found the similarities between Dridex and Raspberry Robin loaders.

Finally, the second payload is responsible for decrypting the third and final payload with VirtualProtect and VirtualAlloc functions.

The final payload is 4 KB in size (db73f38ca969609d08a016da0deb8276). The final payload is responsible for communicating with the C2 server and sending the host information (Figure 13).

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

• Implementing threat detections to identify malicious command execution and exploitation attempts and ensure that eSentire has visibility and detections are in place across eSentire MDR for Endpoint and MDR for Network.

• Performing global threat hunts for indicators associated with Raspberry Robin and SocGholish.

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against Raspberry Robin and SocGholish malware:

• Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
• Using Phishing and Security Awareness Training (PSAT), educate employees on how to protect USB devices from worms and viruses, not to plug unknown USB devices in the computer, and on how to recognize USB threats.
• Patch any external-facing devices and applications on an ongoing basis. Conduct regular vulnerability scans to ensure your team is staying on top of patching and identifying all known vulnerabilities.

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by threat actor(s) requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

• https://twitter.com/DTCERT/status/1565664874633564162?s=20&t=J_NB8hq40eDqq_QF8Qsp2w
• https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks
• https://lolbas-project.github.io/lolbas/Libraries/Shell32/
• https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates
• https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
• https://malpedia.caad.fkie.fraunhofer.de/actor/evil_corp
• https://www.mandiant.com/resources/blog/head-fake-tackling-disruptive-ransomware-attacks
• https://www.tetradefense.com/incident-response-services/cause-and-effect-wastedlocker-ransomware-analysis/
• https://www.vkremez.com/2018/09/lets-learn-dissecting-dridex-banking.html
• https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/

Indicators of Compromise

MITRE ATT&CK