Raspberry Robin Returns: New Malware Marketing campaign Spreading By way of WSF Recordsdata

Apr 10, 2024NewsroomCyber Crime / Malvertising

Cybersecurity researchers have found a brand new Raspberry Robin marketing campaign wave that propagates the malware by way of malicious Home windows Script Recordsdata (WSFs) since March 2024.

“Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors,” HP Wolf Safety mentioned in a report shared with The Hacker Information.

Raspberry Robin, additionally referred to as QNAP worm, was first noticed in September 2021 that has since advanced right into a downloader for numerous different payloads lately, reminiscent of SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and likewise serving as a precursor for ransomware.

Cybersecurity

Whereas the malware was initially distributed by the use of USB gadgets containing LNK recordsdata that retrieved the payload from a compromised QNAP system, it has since adopted different strategies reminiscent of social engineering and malvertising.

It is attributed to an rising risk cluster tracked by Microsoft as Storm-0856, which has hyperlinks to the broader cybercrime ecosystem comprising teams like Evil Corp, Silence, and TA505.

The newest distribution vector entails the usage of WSF recordsdata which might be supplied for obtain through numerous domains and subdomains.

It is at present not clear how the attackers are directing victims to those URLs, though it is suspected that it may very well be both through spam or malvertising campaigns.

The closely obfuscated WSF file features as a downloader to retrieve the primary DLL payload from a distant server utilizing the curl command, however not earlier than a collection of anti-analysis and anti-virtual machine evaluations are carried out to find out if it is being run in a virtualized surroundings.

It is also designed to terminate the execution if the construct variety of the Home windows working system is decrease than 17063 (which was launched in December 2017) and if the record of operating processes contains antivirus processes related to Avast, Avira, Bitdefender, Examine Level, ESET, and Kaspersky.

Cybersecurity

What’s extra, it configures Microsoft Defender Antivirus exclusion guidelines in an effort to sidestep detection by including all the essential drive to the exclusion record and stopping it from being scanned.

“The scripts itself are currently not classified as malicious by any an-virus scanners on VirusTotal, demonstrating the evasiveness of the malware and the risk of it causing a serious infection with Raspberry Robin,” HP mentioned.

“The WSF downloader is heavily obfuscated and uses many an-analysis techniques enabling the malware to evade detection and slow down analysis.”

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we submit.

Recent articles

Patch Alert: Essential Apache Struts Flaw Discovered, Exploitation Makes an attempt Detected

Dec 18, 2024Ravie LakshmananCyber Assault / Vulnerability Risk actors are...

Meta Fined €251 Million for 2018 Knowledge Breach Impacting 29 Million Accounts

Dec 18, 2024Ravie LakshmananKnowledge Breach / Privateness Meta Platforms, the...

LEAVE A REPLY

Please enter your comment!
Please enter your name here