Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
Since May 2022, eSentire’s Threat Response Unit (TRU) has observed 11 cases of Raspberry Robin infections. Although the initial access vector is an infected USB drive, however it’s unclear how the USB drives were initially infected. Raspberry Robin hosts its payloads on compromised QNAP servers with the malicious files being stored on USB drives as shortcuts.
This malware analysis delves deeper into the technical details of how the Raspberry Robin malware operates and our security recommendations to protect your organization from being exploited.
Deutsche Telekom CERT has indicated that they conducted interviews with infected users who used the USB drives in a printing store prior to the USBs infection. It is believed that someone infected the printers at these stores. This serves as a good reminder that USBs should be avoided in corporate environments, and if used outside your network, they should be ‘scrubbed’ prior to inserting the drive back into a corporate endpoint.
Raspberry Robin hosts its payloads on compromised QNAP servers from which they derived a second name “QNAPWorm”. The malicious files are stored on the USB drives as shortcuts (.LNK) files with the command such as "C:\WINDOWS\system32\cmd.exe" /c type CObq.LOG or C:\WINDOWS\system32\CMD.EXE" /v /rTyPe biLj.]dAt|cMD with additional secondary files containing extensions such as .chk, .rs, .usb, .exi, .qz, .bin, .dat, .ini, .ico, .log
The file with extensions would have the contents like the one shown in Figure 1.
After being injected onto the computer, the worm spawns cmd.exe to run the malicious files with the extensions mentioned above.
We have observed the following command (the second parameter contains the name of the LNK file stored on the USB drive):
After that, two processes are spawned:
Raspberry Robin spawns msiexec.exe to download and run a malicious DLL (Dynamic Link Library) file.
The malicious msiexec.exe executions that we have observed so far:
As you can see, the patterns are very similar. The infected machine reaches out to the infected QNAP server over port 8080 and sends along the username and computer name of the affected user with the <computer_name>?<username> or <computer_name>=<username> patterns.
Raspberry Robin leverages rundll32.exe followed by shell32.dll and calls the ShellExec_RunDLL or ShellExec_RunDLLA functions to execute the DLL via the processes such as odbcconf.exe, msiexec.exe and control.exe.
In August 2022, TRU has observed Raspberry Robin delivering SocGholish downloader. It is worth nothing that on May 2022, Microsoft released a blog post mentioning Raspberry Robin dropping SocGholish and the ties to the infamous cybercrime group Evil Corp which first appeared in 2009 and is operated internationally and led by a Russian cybercriminal Maksim V. Yakubets.
The incident tree generated by Microsoft Defender ATP is shown in Figure 3.
The DLL retrieved from the compromised QNAP server (6da9212d45c2a06bb2dd76dacff2d7bf) is dropped onto C:\ProgramData\
Approximately 7 seconds later, the SocGholish JavaScript Is dropped onto C:\Users\AppData\Local\Temp\<random_name>.js folder (Figure 4). The SocGholish JS script is spawned using the technique mentioned before for running the DLLs.
The command used to run the JS file is:
SocGholish would proceed with discovery and enumeration commands and output them to a rad<random_five_characters>.tmp file under C:\Users\<username>\AppData\Local\Temp\rad<random_five_character>.tmp.
The commands ran:
The gathered information would be sent to SocGholish C2 server and, in the worst-case scenario, the ransomware is executed at the last stage. Previously known ransomware used in SocGholish infections are DoppelPaymer, LockBit 3.0, WastedLocker. All mentioned ransomwares are used by Evil Corp.
The dropped DLL (6da9212d45c2a06bb2dd76dacff2d7bf) is a 32-bit executable written in C++ (1.59 MB file size). The compilation timestamp is August 26, 2022, which is the date of when the infection happened. The GUID within the debugging artifacts is 90FD1E65-DCC7-4851-ACCB-1F7089954836. By analyzing the entropy with PortEx (Figure 5) we can assume that the payload is packed.
The payload contains two DLL binaries encrypted within. The first DLL is decrypted via the XOR and series of decryption using divisions and modulus of 256.
Before applying another layer of decryption which resembles RC4 (Figure 7), the payload would call VirtualAlloc to allocate the memory for the second DLL payload (Figure 8).
With the second call to VirtualAlloc, we can see that the second DLL payload has been successfully decrypted at 0x005F0000 address.
The second DLL is approximately 9 KB in size (a672d61d2e0a2047411ecbc3aa0fc059). The secondary payload contains some interesting string decryption algorithms.
The payload takes the first 20 bytes of the ciphertext (byte_) and then substitutes with byte_403070 which is 4c7d8fd183daca4438a2ca1d2202ff48d93038 in hex bytes.
The decrypted API calls:
Immediately, we observed the LdrLoadDll API call and the relative jump opcode 0xE9. The payload attempts to hook NTDLL.dll!LdrLoadDll by overwriting it with the relative jump opcode (Figure 11).
Within the same function we are seeing the mention of snxhk.dll, which belongs to Avast “Hook Library” (Figure 12). The same technique was described in the Dridex analysis by Vitali Kremez – the snxhk.dll library is used to monitor the LdrLoadDll API calls. Security researchers at IBM also found the similarities between Dridex and Raspberry Robin loaders.
Finally, the second payload is responsible for decrypting the third and final payload with VirtualProtect and VirtualAlloc functions.
The final payload is 4 KB in size (db73f38ca969609d08a016da0deb8276). The final payload is responsible for communicating with the C2 server and sending the host information (Figure 13).
Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against Raspberry Robin and SocGholish malware:
While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by threat actor(s) requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Name | Indicators |
C2 | hxxp://k6j[.]pw |
C2 | hxxp://zk4[.]me |
C2 | hxxp://0x9[.]biz |
C2 | hxxp://0t[.]yt |
C2 | hxxp://5qw[.]pw |
C2 | hxxp://l9b[.]org |
C2 | 47.24.139[.]111 |
Second DLL payload | a672d61d2e0a2047411ecbc3aa0fc059 |
Third DLL payload | db73f38ca969609d08a016da0deb8276 |
SocGholish JS file | 7115951e5ca39e17236a4a359812c4e4ec958939 |
Initial packed Raspberry Robin DLL (ff_wmv9.dll) | 6da9212d45c2a06bb2dd76dacff2d7bf |
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.