Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and remediating threats to prevent lateral spread.
Investigation and enhanced threat detection across multi-cloud or hybrid environments.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Customer testimonials and case studies.
Stories on cyberattacks, customers, employees, and more.
Cyber incident, analyst, and thought leadership reports.
Demonstrations, seminars and presentations on cybersecurity topics.
Information and solution briefs for our services.
MITRE ATT&CK Framework, Cybersecurity Assessment, SOC Calculator & more
Since May 2022, eSentire’s Threat Response Unit (TRU) has observed 11 cases of Raspberry Robin infections. Although the initial access vector is an infected USB drive, however it’s unclear how the USB drives were initially infected. Raspberry Robin hosts its payloads on compromised QNAP servers with the malicious files being stored on USB drives as shortcuts.
This malware analysis delves deeper into the technical details of how the Raspberry Robin malware operates and our security recommendations to protect your organization from being exploited.
Deutsche Telekom CERT has indicated that they conducted interviews with infected users who used the USB drives in a printing store prior to the USBs infection. It is believed that someone infected the printers at these stores. This serves as a good reminder that USBs should be avoided in corporate environments, and if used outside your network, they should be ‘scrubbed’ prior to inserting the drive back into a corporate endpoint.
Raspberry Robin hosts its payloads on compromised QNAP servers from which they derived a second name “QNAPWorm”. The malicious files are stored on the USB drives as shortcuts (.LNK) files with the command such as "C:\WINDOWS\system32\cmd.exe" /c type CObq.LOG or C:\WINDOWS\system32\CMD.EXE" /v /rTyPe biLj.]dAt|cMD with additional secondary files containing extensions such as .chk, .rs, .usb, .exi, .qz, .bin, .dat, .ini, .ico, .log
The file with extensions would have the contents like the one shown in Figure 1.
After being injected onto the computer, the worm spawns cmd.exe to run the malicious files with the extensions mentioned above.
We have observed the following command (the second parameter contains the name of the LNK file stored on the USB drive):
After that, two processes are spawned:
Raspberry Robin spawns msiexec.exe to download and run a malicious DLL (Dynamic Link Library) file.
The malicious msiexec.exe executions that we have observed so far:
As you can see, the patterns are very similar. The infected machine reaches out to the infected QNAP server over port 8080 and sends along the username and computer name of the affected user with the <computer_name>?<username> or <computer_name>=<username> patterns.
Raspberry Robin leverages rundll32.exe followed by shell32.dll and calls the ShellExec_RunDLL or ShellExec_RunDLLA functions to execute the DLL via the processes such as odbcconf.exe, msiexec.exe and control.exe.
In August 2022, TRU has observed Raspberry Robin delivering SocGholish downloader. It is worth nothing that on May 2022, Microsoft released a blog post mentioning Raspberry Robin dropping SocGholish and the ties to the infamous cybercrime group Evil Corp which first appeared in 2009 and is operated internationally and led by a Russian cybercriminal Maksim V. Yakubets.
The incident tree generated by Microsoft Defender ATP is shown in Figure 3.
The DLL retrieved from the compromised QNAP server (6da9212d45c2a06bb2dd76dacff2d7bf) is dropped onto C:\ProgramData\
The command used to run the JS file is:
SocGholish would proceed with discovery and enumeration commands and output them to a rad<random_five_characters>.tmp file under C:\Users\<username>\AppData\Local\Temp\rad<random_five_character>.tmp.
The commands ran:
The gathered information would be sent to SocGholish C2 server and, in the worst-case scenario, the ransomware is executed at the last stage. Previously known ransomware used in SocGholish infections are DoppelPaymer, LockBit 3.0, WastedLocker. All mentioned ransomwares are used by Evil Corp.
The dropped DLL (6da9212d45c2a06bb2dd76dacff2d7bf) is a 32-bit executable written in C++ (1.59 MB file size). The compilation timestamp is August 26, 2022, which is the date of when the infection happened. The GUID within the debugging artifacts is 90FD1E65-DCC7-4851-ACCB-1F7089954836. By analyzing the entropy with PortEx (Figure 5) we can assume that the payload is packed.
The payload contains two DLL binaries encrypted within. The first DLL is decrypted via the XOR and series of decryption using divisions and modulus of 256.
Before applying another layer of decryption which resembles RC4 (Figure 7), the payload would call VirtualAlloc to allocate the memory for the second DLL payload (Figure 8).
With the second call to VirtualAlloc, we can see that the second DLL payload has been successfully decrypted at 0x005F0000 address.
The second DLL is approximately 9 KB in size (a672d61d2e0a2047411ecbc3aa0fc059). The secondary payload contains some interesting string decryption algorithms.
The payload takes the first 20 bytes of the ciphertext (byte_) and then substitutes with byte_403070 which is 4c7d8fd183daca4438a2ca1d2202ff48d93038 in hex bytes.
The decrypted API calls:
Immediately, we observed the LdrLoadDll API call and the relative jump opcode 0xE9. The payload attempts to hook NTDLL.dll!LdrLoadDll by overwriting it with the relative jump opcode (Figure 11).
Within the same function we are seeing the mention of snxhk.dll, which belongs to Avast “Hook Library” (Figure 12). The same technique was described in the Dridex analysis by Vitali Kremez – the snxhk.dll library is used to monitor the LdrLoadDll API calls. Security researchers at IBM also found the similarities between Dridex and Raspberry Robin loaders.
Finally, the second payload is responsible for decrypting the third and final payload with VirtualProtect and VirtualAlloc functions.
The final payload is 4 KB in size (db73f38ca969609d08a016da0deb8276). The final payload is responsible for communicating with the C2 server and sending the host information (Figure 13).
Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against Raspberry Robin and SocGholish malware:
While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by threat actor(s) requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
|Second DLL payload||a672d61d2e0a2047411ecbc3aa0fc059|
|Third DLL payload||db73f38ca969609d08a016da0deb8276|
|SocGholish JS file||7115951e5ca39e17236a4a359812c4e4ec958939|
|Initial packed Raspberry Robin DLL (ff_wmv9.dll)||6da9212d45c2a06bb2dd76dacff2d7bf|
|MITRE ATT&CK Tactic||ID||MITRE ATT&CK Technique||Description|
|Initial Access||T1091||Replication Through Removable Media||Raspberry Robin infects the end user via USB drives|
|Execution||T1204.002||User Execution: Malicious File||The initial payload appears as a shortcut file (.lnk)|
|Defense Evasion||T1218.011||System Binary Proxy Execution: Rundll32||Raspberry Robin leverages rundll32.exe
followed by shell32.dll and calling the ShellExec_RunDLL or ShellExec_RunDLLA functions to execute the malicious DLL
MITRE ATT&CK Tactic
MITRE ATT&CK Technique
Replication Through Removable Media
Raspberry Robin infects the end user via USB drives
MITRE ATT&CK Tactic
MITRE ATT&CK Technique
User Execution: Malicious File
The initial payload appears as a shortcut file (.lnk)
MITRE ATT&CK Tactic
MITRE ATT&CK Technique
System Binary Proxy Execution: Rundll32
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.