Raspberry Robin Worm drops malware that confuses researchers

Raspberry Robin malware has begun to play tricks on researchers by dropping a false payload in an attempt to fool them and avoid detection when it finds it being used within debugging and sandboxes.

Trend Micro researchers discovered this new tactic after observing Raspberry Robin being used in attacks on government and telecommunications service providers.

Raspberry Robin, a ransomware-gang and malware operator that looks like a worm, sells access to infected networks to ransomware operators. This malware has previously been associated with as well as the as well as Bumblebee and IcedID payload distribution.

Malicious USB drives infect targeted systems with malware.

The shortcut executes when it is run. It uses the Windows executable ‘MSIExec.exe.exe’ to download malicious MSI installers that install the Raspberry Robin payloads.

Typical Raspberry Robin infection chain

(Trend Micro)

Double trouble

To hide the malware’s code from security experts and antivirus software, it is highly obfuscated. It has multiple layers that contain hard-coded data for unlocking each layer.

Raspberry Robin now drops two payloads to make it harder for security analysts to identify the malware. These payloads depend on whether it’s being executed on different devices.

The loader will drop a false payload if it detects that it’s running in a sandbox. It will then launch the Raspberry Robin malware.

Packing layers diagram

(Trend Micro)

The fake payload includes two layers: a shellcode with embedded PE files and a file with the PE signature and MZ header removed.

It executes and attempts to scan the Windows registry for infection indicators. Then it gathers basic information about your system.

The fake payload then attempts to install and run an adware called ‘BrowserAssistant’ in order to fool the analyst into thinking that this was the last payload.

However, on valid systems the Raspberry Robin malware payload can be loaded. It includes an embedded Tor client that allows for internal communications.

The payload tricksery is not enough to make it easy to understand. There are ten layers of opaque payloads, which makes it difficult for analysts and payload managers alike.

It checks that the user is administrator upon launch. If it is, it then uses the’ privilege escalation method to obtain administrative privileges.

It also modifies registry to ensure persistence between reboots. The malware uses two methods (admin and not).

Registry modifications

(Trend Micro)

“After dropping an copy of itself it executes that dropped copy as Administrator using UAC (User account Control bypass technique).” the privilege escalation procedure.

It implements a variant of the technique ucmDccwCOMMethod from UACMe and thus abuses the built-in Windows AutoElevate backdoor.

Once the malware is ready to go, it attempts to establish a channel of information with the operators by connecting to hard-coded Tor addresses.

Tor uses standard Windows file names like “dllhost.exe”, “regsvr32.exe” and “rundll32.exe”.

Session 0 is where the main program runs, which is a specialized session of Windows reserved for applications and services that do not require or should not have user interaction.

Raspberry Robin copies itself onto attached USB drives as part of the infection process. This will allow it to infect other systems.

LockBit ransomware has similarities

Trend Micro analysts believe that Raspberry Robin’s recent TTPs (tactics techniques and procedures), bear some similarities to LockBit. This could indicate that there may be a link between the two projects.

The two main similarities are using the ICM calibration technique for privilege escalation and the ‘TreadHideFromDebugger’ tool for anti-debugging.

These findings, while notable, don’t prove a link between them. However, they could be used as a guide for future research.

Trend Micro concludes that the Raspberry Robin campaign currently under way is more of an evaluation effort than a first step to actual attacks.