Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Visibility and response across your entire Microsoft security ecosystem.
XDR with Machine Learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert threat hunting, original research, and proactive threat intelligence.
TRU is foundational to our MDR service. No add-ons or additional costs required.
Stop ransomware attacks before they disrupt your business.
Detect and respond to zero-day exploits.
Protect against third-party and supply chain risk.
Adopt a risk-based approach to cybersecurity.
Protect your most sensitive data.
Meet cybersecurity regulatory compliance mandates.
Eliminate misconfigurations and policy violations.
Prevent business disruption by outsourcing MDR.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and mediating threats to prevent lateral spread.
Enhance investigation and threat detection across multi-cloud or hybrid environments.
Remediate critical misconfigurations, security vulnerabilities and policy violations across cloud and containerized environments.
Detect malicious insider and identity-based behavior leveraging machine learning models.
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
We believe a multi-signal approach is paramount to protecting your complete attack surface. See why eSentire MDR means multi-signal telemetry and complete response.
See how our 24/7 SOC Cyber Analysts and Elite Threat Hunters stop even the most advanced cyberattacks before they disrupt your business.
Choose the right mix of Managed Detection and Response, Exposure Management, and Incident Response services to strengthen your cyber resilience.
Try our interactive tools including the MITRE ATT&CK Tool, the SOC Pricing Calculator, the Cybersecurity Maturity Assessment, and our MDR ROI Calculator.
Read the latest security advisories, blogs, reports, industry publications and webinars published by eSentire's Threat Response Unit (TRU).
See why 2000+ organizations count on eSentire to build resilience and prevent business disruption.
Since May 2022, eSentire’s Threat Response Unit (TRU) has observed 11 cases of Raspberry Robin infections. Although the initial access vector is an infected USB drive, however it’s unclear how the USB drives were initially infected. Raspberry Robin hosts its payloads on compromised QNAP servers with the malicious files being stored on USB drives as shortcuts.
This malware analysis delves deeper into the technical details of how the Raspberry Robin malware operates and our security recommendations to protect your organization from being exploited.
Deutsche Telekom CERT has indicated that they conducted interviews with infected users who used the USB drives in a printing store prior to the USBs infection. It is believed that someone infected the printers at these stores. This serves as a good reminder that USBs should be avoided in corporate environments, and if used outside your network, they should be ‘scrubbed’ prior to inserting the drive back into a corporate endpoint.
Raspberry Robin hosts its payloads on compromised QNAP servers from which they derived a second name “QNAPWorm”. The malicious files are stored on the USB drives as shortcuts (.LNK) files with the command such as "C:\WINDOWS\system32\cmd.exe" /c type CObq.LOG or C:\WINDOWS\system32\CMD.EXE" /v /rTyPe biLj.]dAt|cMD with additional secondary files containing extensions such as .chk, .rs, .usb, .exi, .qz, .bin, .dat, .ini, .ico, .log
The file with extensions would have the contents like the one shown in Figure 1.
After being injected onto the computer, the worm spawns cmd.exe to run the malicious files with the extensions mentioned above.
We have observed the following command (the second parameter contains the name of the LNK file stored on the USB drive):
After that, two processes are spawned:
Raspberry Robin spawns msiexec.exe to download and run a malicious DLL (Dynamic Link Library) file.
The malicious msiexec.exe executions that we have observed so far:
As you can see, the patterns are very similar. The infected machine reaches out to the infected QNAP server over port 8080 and sends along the username and computer name of the affected user with the <computer_name>?<username> or <computer_name>=<username> patterns.
Raspberry Robin leverages rundll32.exe followed by shell32.dll and calls the ShellExec_RunDLL or ShellExec_RunDLLA functions to execute the DLL via the processes such as odbcconf.exe, msiexec.exe and control.exe.
In August 2022, TRU has observed Raspberry Robin delivering SocGholish downloader. It is worth nothing that on May 2022, Microsoft released a blog post mentioning Raspberry Robin dropping SocGholish and the ties to the infamous cybercrime group Evil Corp which first appeared in 2009 and is operated internationally and led by a Russian cybercriminal Maksim V. Yakubets.
The incident tree generated by Microsoft Defender ATP is shown in Figure 3.
The DLL retrieved from the compromised QNAP server (6da9212d45c2a06bb2dd76dacff2d7bf) is dropped onto C:\ProgramData\
Approximately 7 seconds later, the SocGholish JavaScript Is dropped onto C:\Users\AppData\Local\Temp\<random_name>.js folder (Figure 4). The SocGholish JS script is spawned using the technique mentioned before for running the DLLs.
The command used to run the JS file is:
SocGholish would proceed with discovery and enumeration commands and output them to a rad<random_five_characters>.tmp file under C:\Users\<username>\AppData\Local\Temp\rad<random_five_character>.tmp.
The commands ran:
The gathered information would be sent to SocGholish C2 server and, in the worst-case scenario, the ransomware is executed at the last stage. Previously known ransomware used in SocGholish infections are DoppelPaymer, LockBit 3.0, WastedLocker. All mentioned ransomwares are used by Evil Corp.
The dropped DLL (6da9212d45c2a06bb2dd76dacff2d7bf) is a 32-bit executable written in C++ (1.59 MB file size). The compilation timestamp is August 26, 2022, which is the date of when the infection happened. The GUID within the debugging artifacts is 90FD1E65-DCC7-4851-ACCB-1F7089954836. By analyzing the entropy with PortEx (Figure 5) we can assume that the payload is packed.
The payload contains two DLL binaries encrypted within. The first DLL is decrypted via the XOR and series of decryption using divisions and modulus of 256.
Before applying another layer of decryption which resembles RC4 (Figure 7), the payload would call VirtualAlloc to allocate the memory for the second DLL payload (Figure 8).
With the second call to VirtualAlloc, we can see that the second DLL payload has been successfully decrypted at 0x005F0000 address.
The second DLL is approximately 9 KB in size (a672d61d2e0a2047411ecbc3aa0fc059). The secondary payload contains some interesting string decryption algorithms.
The payload takes the first 20 bytes of the ciphertext (byte_) and then substitutes with byte_403070 which is 4c7d8fd183daca4438a2ca1d2202ff48d93038 in hex bytes.
The decrypted API calls:
Immediately, we observed the LdrLoadDll API call and the relative jump opcode 0xE9. The payload attempts to hook NTDLL.dll!LdrLoadDll by overwriting it with the relative jump opcode (Figure 11).
Within the same function we are seeing the mention of snxhk.dll, which belongs to Avast “Hook Library” (Figure 12). The same technique was described in the Dridex analysis by Vitali Kremez – the snxhk.dll library is used to monitor the LdrLoadDll API calls. Security researchers at IBM also found the similarities between Dridex and Raspberry Robin loaders.
Finally, the second payload is responsible for decrypting the third and final payload with VirtualProtect and VirtualAlloc functions.
The final payload is 4 KB in size (db73f38ca969609d08a016da0deb8276). The final payload is responsible for communicating with the C2 server and sending the host information (Figure 13).
Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against Raspberry Robin and SocGholish malware:
While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by threat actor(s) requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Name | Indicators |
C2 | hxxp://k6j[.]pw |
C2 | hxxp://zk4[.]me |
C2 | hxxp://0x9[.]biz |
C2 | hxxp://0t[.]yt |
C2 | hxxp://5qw[.]pw |
C2 | hxxp://l9b[.]org |
C2 | 47.24.139[.]111 |
Second DLL payload | a672d61d2e0a2047411ecbc3aa0fc059 |
Third DLL payload | db73f38ca969609d08a016da0deb8276 |
SocGholish JS file | 7115951e5ca39e17236a4a359812c4e4ec958939 |
Initial packed Raspberry Robin DLL (ff_wmv9.dll) | 6da9212d45c2a06bb2dd76dacff2d7bf |
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.