Raspberry Robin Malware Now Using Windows Script Files to Spread – Source: securityboulevard.com

Raspberry Robin, the highly adaptable and evasive worm and malware loader that first appeared on the cyberthreat scene in 2021, is now using a new method for spreading its malicious code.

According to a report this week by threat researchers with HP Wolf Security, a new campaign detected last month indicated that the operators behind Raspberry Robin are using malicious Windows Script Files (WSFs) to deliver their malware, a break from their more prevalent approach of using infected USB drives.

More recently, the malware also has spread via downloads from archive files sent as attachments using the Discord messaging service – disguising itself as a legitimate and signed Windows executable – and 7-Zip archives downloaded through the target’s web browser. In addition, the operators are exploiting one-day security vulnerabilities, leading researchers with cybersecurity vendors like Check Point to suspect they are buying exploits to accelerate their attacks.

“This recent activity represents the latest in a series of shifts in the way Raspberry Robin is distributed,” HP Wolf Security researcher Patrick Schläpfer wrote in the report. “Although best known for spreading through USB drives, threat actors deploying Raspberry Robin have been using different infection vectors such as web downloads to achieve their objectives. The WSF downloader is heavily obfuscated and uses a large range of anti-analysis and anti-VM techniques, enabling the malware to evade detection and slow down analysis.”

These obfuscation and evasion techniques, which the Raspberry Robin operators are known for, are “particularly concerning given that Raspberry Robin has been used as a precursor for human-operated ransomware,” Schläpfer wrote. “Countering this malware early on in its infection chain should be a high priority for security teams.”

Expanding Delivery Methods

The USB devices the bad actors initially used to distribute Raspberry Robin continued malicious LNK files that downloaded the compromised network attached storage devise from QNAP. Along leading the way for ransomware, Raspberry Robin also has been used to deliver malware high-profile malware like SocGholish, IcedID, BumbleBee, and Truebot.

ReliaQuest last year noted that the Raspberry Robin was the third-most active malware loader during the first seven months of 2023, following QakBot – which accounted for 30% of cyber-incidents tracked by the cybersecurity firm – and SocGholish (27%). Raspberry Robin was involved in 23% of the attacks.

Windows Script Files, which Schläpfer wrote are widely used by admins and legitimate software to automate tasks in Windows, but also have been abused by threat groups. For Raspberry Robin, the WSFs are offered for download through malicious domains and subdomains controlled by the attackers.

“It’s not clear how threat actors are luring users to the malicious URLs,” he wrote. “However, this could be via spam or malvertising campaigns.”

Complex Evasion Methods

The script works like a downloader and uses a range of anti-analysis and virtual machine (VM) detection techniques. The DLL payload, retrieved from a remote server, isn’t downloaded and executed until the malicious script – which is highly obfuscated – determines that it is running on a real end-user device rather than a sandbox. As an indication of how good the malware is at evading detection, the scripts are not yet classified by antivirus scanners on VirusTotal, Schläpfer wrote.

The WSF script looks for such virtualization solutions as VMware, Hyper-V, Oracle VM Server, and Xen, as well as security vendors like Kaspersky, Avast, Check Point, and Bitdefender.

There are other ways to evade analysis. The script adds an exception to Microsoft Defender that keeps the entire main drive from antivirus scanning and “the script’s authors placed an inconspicuous variable assignment in the middle of the unused code,” he wrote. “Accidentally removing the variable assignment, which is set to 0, causes the script to terminate. An if statement checks whether the variable is set and if this is the case, the script stops.”

Obfuscation is a Worry

“The obfuscation techniques used by this malware payload system are impressive,” said Jason Soroko, senior vice president of product at cybersecurity firm Sectigo. “To be able to hide code patterns, as well as behavior after execution from endpoint protection, takes some clever thinking. The fact that it is used to spread via USB demonstrates that it was a more targeted tool, used more sparingly by attackers. However, this new development to spread via WSF files shows it is spreading into wider usage.”

John Gallagher, vice president of security company Viakoo Labs, said it isn’t unusual for threat groups to reuse malware. However, the actors behind Raspberry Robin are going from a delivery method – via QNAP removeable media – to more central IT with Windows-based systems. Gallagher suggested that the Internet of Things (IoT)-based delivery was a “warm-up act to the main event.”

He also said that “most troubling is the sophisticated anti-detection methods used by Raspberry Robin, making testing in a sandbox ineffective. Organizations should consider other restrictions on Windows Script Files until a better method of early detection is available.”