What We Do
How We Do
Resources
Company
Partners
Get Started
Blog

eSentire Threat Intelligence Malware Analysis: Raspberry Robin

BY eSentire Threat Response Unit (TRU)

January 19, 2023 | 9 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

Since May 2022, eSentire’s Threat Response Unit (TRU) has observed 11 cases of Raspberry Robin infections. Although the initial access vector is an infected USB drive, however it’s unclear how the USB drives were initially infected. Raspberry Robin hosts its payloads on compromised QNAP servers with the malicious files being stored on USB drives as shortcuts.

This malware analysis delves deeper into the technical details of how the Raspberry Robin malware operates and our security recommendations to protect your organization from being exploited.

Key Takeaways

  • Raspberry Robin delivers SocGholish as a second stage which can suggest a pre-ransomware indicator.
  • The worm spreads via infected USB drives and connects to compromised QNAP servers to fetch the DLL payload. The communication occurs via port 8080.
  • The second unpacked DLL payload is used to hook and monitor LdrLoadDll API calls via Avast DLL component.
  • The final unpacked DLL payload is responsible for C2 communications and sending over the host information such as the username and computer name.
  • eSentire’s Threat Response Unit (TRU) assesses with high confidence that Raspberry Robin will be leveraged in the future to deliver other types of malware (not limited to downloaders and stealers).

Case Study

Deutsche Telekom CERT has indicated that they conducted interviews with infected users who used the USB drives in a printing store prior to the USBs infection. It is believed that someone infected the printers at these stores. This serves as a good reminder that USBs should be avoided in corporate environments, and if used outside your network, they should be ‘scrubbed’ prior to inserting the drive back into a corporate endpoint.

Raspberry Robin hosts its payloads on compromised QNAP servers from which they derived a second name “QNAPWorm”. The malicious files are stored on the USB drives as shortcuts (.LNK) files with the command such as "C:\WINDOWS\system32\cmd.exe" /c type CObq.LOG or C:\WINDOWS\system32\CMD.EXE" /v /rTyPe biLj.]dAt|cMD with additional secondary files containing extensions such as .chk, .rs, .usb, .exi, .qz, .bin, .dat, .ini, .ico, .log

The file with extensions would have the contents like the one shown in Figure 1.

Figure 1: Example of malicious content of the secondary files

After being injected onto the computer, the worm spawns cmd.exe to run the malicious files with the extensions mentioned above.

We have observed the following command (the second parameter contains the name of the LNK file stored on the USB drive):

After that, two processes are spawned:

Raspberry Robin spawns msiexec.exe to download and run a malicious DLL (Dynamic Link Library) file.

The malicious msiexec.exe executions that we have observed so far:

Figure 2: Malicious msiexec.exe executions

As you can see, the patterns are very similar. The infected machine reaches out to the infected QNAP server over port 8080 and sends along the username and computer name of the affected user with the <computer_name>?<username> or <computer_name>=<username> patterns.

Raspberry Robin leverages rundll32.exe followed by shell32.dll and calls the ShellExec_RunDLL or ShellExec_RunDLLA functions to execute the DLL via the processes such as odbcconf.exe, msiexec.exe and control.exe.

Raspberry Robin Infection and Analysis

In August 2022, TRU has observed Raspberry Robin delivering SocGholish downloader. It is worth nothing that on May 2022, Microsoft released a blog post mentioning Raspberry Robin dropping SocGholish and the ties to the infamous cybercrime group Evil Corp which first appeared in 2009 and is operated internationally and led by a Russian cybercriminal Maksim V. Yakubets.

The incident tree generated by Microsoft Defender ATP is shown in Figure 3.

Figure 3: Infection chain generated by MDATP (1)

The DLL retrieved from the compromised QNAP server (6da9212d45c2a06bb2dd76dacff2d7bf) is dropped onto C:\ProgramData\\taquz.xsd folder.

Approximately 7 seconds later, the SocGholish JavaScript Is dropped onto C:\Users\AppData\Local\Temp\<random_name>.js folder (Figure 4). The SocGholish JS script is spawned using the technique mentioned before for running the DLLs.

The command used to run the JS file is:

SocGholish would proceed with discovery and enumeration commands and output them to a rad<random_five_characters>.tmp file under C:\Users\<username>\AppData\Local\Temp\rad<random_five_character>.tmp.

The commands ran:

Figure 4: Infection chain generated by MDATP (2)

The gathered information would be sent to SocGholish C2 server and, in the worst-case scenario, the ransomware is executed at the last stage. Previously known ransomware used in SocGholish infections are DoppelPaymer, LockBit 3.0, WastedLocker. All mentioned ransomwares are used by Evil Corp.

The dropped DLL (6da9212d45c2a06bb2dd76dacff2d7bf) is a 32-bit executable written in C++ (1.59 MB file size). The compilation timestamp is August 26, 2022, which is the date of when the infection happened. The GUID within the debugging artifacts is 90FD1E65-DCC7-4851-ACCB-1F7089954836. By analyzing the entropy with PortEx (Figure 5) we can assume that the payload is packed.

Figure 5: PortEx output

The payload contains two DLL binaries encrypted within. The first DLL is decrypted via the XOR and series of decryption using divisions and modulus of 256.

Figure 6: snippet of XOR decryption loop

Before applying another layer of decryption which resembles RC4 (Figure 7), the payload would call VirtualAlloc to allocate the memory for the second DLL payload (Figure 8).

Figure 7: Another layer of decryption
Figure 8: Snippet of the partially decrypted second payload after the call to VirtualAlloc
Figure 9: The partially decrypted second DLL payload after the second layer of decryption

With the second call to VirtualAlloc, we can see that the second DLL payload has been successfully decrypted at 0x005F0000 address.

The second DLL is approximately 9 KB in size (a672d61d2e0a2047411ecbc3aa0fc059). The secondary payload contains some interesting string decryption algorithms.

Figure 10: String decryption routine

The payload takes the first 20 bytes of the ciphertext (byte_) and then substitutes with byte_403070 which is 4c7d8fd183daca4438a2ca1d2202ff48d93038 in hex bytes.

The decrypted API calls:

Immediately, we observed the LdrLoadDll API call and the relative jump opcode 0xE9. The payload attempts to hook NTDLL.dll!LdrLoadDll by overwriting it with the relative jump opcode (Figure 11).

Within the same function we are seeing the mention of snxhk.dll, which belongs to Avast “Hook Library” (Figure 12). The same technique was described in the Dridex analysis by Vitali Kremez – the snxhk.dll library is used to monitor the LdrLoadDll API calls. Security researchers at IBM also found the similarities between Dridex and Raspberry Robin loaders.

Figure 11: NTDLL.dll!LdrLoadDll hooking
Figure 12: Mention of snxhk.dll

Finally, the second payload is responsible for decrypting the third and final payload with VirtualProtect and VirtualAlloc functions.

The final payload is 4 KB in size (db73f38ca969609d08a016da0deb8276). The final payload is responsible for communicating with the C2 server and sending the host information (Figure 13).

Figure 13: Capabilities of the final payload

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against Raspberry Robin and SocGholish malware:

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by threat actor(s) requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

Indicators of Compromise

Name Indicators
C2 hxxp://k6j[.]pw
C2 hxxp://zk4[.]me
C2 hxxp://0x9[.]biz
C2 hxxp://0t[.]yt
C2 hxxp://5qw[.]pw
C2 hxxp://l9b[.]org
C2 47.24.139[.]111
Second DLL payload a672d61d2e0a2047411ecbc3aa0fc059
Third DLL payload db73f38ca969609d08a016da0deb8276
SocGholish JS file 7115951e5ca39e17236a4a359812c4e4ec958939
Initial packed Raspberry Robin DLL (ff_wmv9.dll) 6da9212d45c2a06bb2dd76dacff2d7bf

MITRE ATT&CK

MITRE ATT&CK Tactic ID MITRE ATT&CK Technique Description
Initial Access T1091 Replication Through Removable Media Raspberry Robin infects the end user via USB drives
Execution T1204.002 User Execution: Malicious File The initial payload appears as a shortcut file (.lnk)
Defense Evasion T1218.011 System Binary Proxy Execution: Rundll32 Raspberry Robin leverages rundll32.exe
followed by shell32.dll and calling the ShellExec_RunDLL or ShellExec_RunDLLA functions to execute the malicious DLL

MITRE ATT&CK Tactic

ID

MITRE ATT&CK Technique

Description

Initial Access

T1091

Replication Through Removable Media

Raspberry Robin infects the end user via USB drives

MITRE ATT&CK Tactic

ID

MITRE ATT&CK Technique

Description

Execution

T1204.002

User Execution: Malicious File

The initial payload appears as a shortcut file (.lnk)

MITRE ATT&CK Tactic

ID

MITRE ATT&CK Technique

Description

Defense Evasion

T1218.011

System Binary Proxy Execution: Rundll32

Raspberry Robin leverages rundll32.exe
followed by shell32.dll and calling the ShellExec_RunDLL or ShellExec_RunDLLA functions to execute the malicious DLL

eSentire Threat Response Unit (TRU)
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire