Researchers have discovered a new wave of the Raspberry Robin malware campaign, which is now spreading via malicious Windows Script Files (WSFs).
“Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors,” explained HP Wolf Security researcher Patrick Schläpfer in a report.
Raspberry Robin, also referred to as the QNAP worm, was first spotted in September 2021. Since then, it has evolved into a downloader for various other payloads, including SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and has also served as a precursor for ransomware.
Diversifying Infection Vectors
While the malware was initially distributed through USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since adopted other methods such as social engineering and malvertising.
Raspberry Robin is attributed to an emerging threat cluster tracked by Microsoft as Storm-0856, which has links to the broader cybercrime ecosystem comprising groups like Evil Corp, Silence, and TA505.
Weaponizing Windows Script Files
The latest distribution vector involves the use of WSF files that are offered for download via various domains and subdomains. It’s not clear how the attackers are directing victims to these URLs, though it’s suspected that it could be through spam or malvertising campaigns.
The heavily obfuscated WSF file functions as a downloader to retrieve the main DLL payload from a remote server, but not before a series of anti-analysis and anti-virtual machine evaluations are carried out to determine if it’s being run in a virtualized environment.
Targeting System Configurations
The malware is also designed to terminate execution if the build number of the Windows operating system is lower than 17063 (released in December 2017) and if the list of running processes includes antivirus processes associated with Avast, Avira, Bitdefender, Check Point, ESET, and Kaspersky.
Additionally, the malware configures Microsoft Defender Antivirus exclusion rules to sidestep detection by adding the entire main drive to the exclusion list and preventing it from being scanned.
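The whole-drive Defender exclusion described above is something a defender can check for directly. The following PowerShell audit is an added example written for this page, not code from HP Wolf Security or from the malware itself; it uses the real `Get-MpPreference`, `Get-WinEvent` and `Remove-MpPreference` cmdlets, while the function name and the assumption that Defender's Event ID 5007 message text contains the string `Exclusions\Paths` when an exclusion path is added are this example's own.

```powershell
# Added example (not from the HP report): audit Microsoft Defender exclusions
# for whole-drive entries like the one Raspberry Robin's WSF downloader adds,
# then list recent configuration-change events so the change can be traced.
# Run in an elevated PowerShell session on a host with the Defender module.

# Return every configured exclusion path that covers an entire drive root,
# e.g. "C:\" or "C:". Function name is this example's own choice.
function Get-DriveRootExclusions {
    $exclusions = (Get-MpPreference).ExclusionPath
    if (-not $exclusions) { return @() }
    $exclusions | Where-Object { $_ -match '^[A-Za-z]:\\?$' }
}

$suspicious = Get-DriveRootExclusions
if ($suspicious) {
    Write-Warning "Whole-drive Defender exclusions present: $($suspicious -join ', ')"
} else {
    Write-Host "No whole-drive Defender exclusions found."
}

# Event ID 5007 in the Defender operational log records platform configuration
# changes, including exclusion additions. Pull the last day's entries that
# reference an exclusion path (message format assumed here) so the timestamp
# can be correlated with process-creation telemetry from the same host.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\Paths' } |
    Select-Object TimeCreated, Message |
    Format-List
```

If the audit reports a drive-root entry that no administrator configured, `Remove-MpPreference -ExclusionPath 'C:\'` removes it and restores scanning of that volume; the 5007 events give the time window in which to look for the script host (`wscript.exe` or `cscript.exe` running a .wsf file) that made the change. Forwarding the 5007 events to a SIEM and alerting on any exclusion whose path is a bare drive letter turns this one-off check into continuous detection.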
“The scripts themselves are currently not classified as malicious by any antivirus scanners on VirusTotal, demonstrating the evasiveness of the malware and the risk of it causing a serious infection with Raspberry Robin,” HP said. “The WSF downloader is heavily obfuscated and uses many anti-analysis techniques enabling the malware to evade detection and slow down analysis.”