Raspberry Robin: From inconspicuous computer worm to complex malware distribution platform
by Tina Siering
The Beginnings: How Raspberry Robin Spread via USB Stick
The Raspberry Robin worm initially relied on the tried and tested infection method using external devices (usually USB sticks and external hard drives) or via network shares. It uses the Microsoft Standard Installer (msiexec.exe) to reach command-and-control (C2) servers, which are likely hosted on compromised QNAP NAS devices. The initial activation of the worm is launched on user click or initiated by the automatic execution of removable media under Windows. The second case is prevented by Windows' default settings, however Microsoft is powerless to stop it if organizations allow automatic execution through group policy changes.
Blog Tip: For a recommendation on how to make a global change to Group Policy Objects (GPO), see the post "QakBot malware: Warning of increasing attacks".
Infection with the computer worm starts with the help of two files located in the same directory: an LNK file, which contains a Windows command, and a .bat file, which consists of fill data and special commands. Subsequently, a malicious DLL library is loaded and executed from a compromised Qnap NAS device. Raspberry Robin launches this DLL with the help of two other legitimate Windows utilities: fodhelper (a trusted binary for managing functions in Windows settings) and odbcconf (a tool for configuring ODBC drivers). Communication to C2 servers is done through the anonymizing Tor network to make malware detection more difficult.
The Evolution: How Raspberry Robin Became Part of a Complex Malware Ecosystem
In late October 2022, Microsoft security researchers determined that Raspberry Robin was part of a networked and interconnected malware ecosystem, with links to other malware families and also alternative infection methods beyond its original USB drive distribution. Microsoft Defender for Endpoint data showed that about 3,000 devices in nearly 1,000 organizations had contact with or received an alert about Raspberry Robin within 30 days.
On some devices infected with Raspberry Robin, FakeUpdates malware was found running DEV-0243 activity. DEV-2043 is also known by another name: EvilCorp. EvilCorp is directly linked to LockBit's deployment as Ransomware-as-a-Service.
However, Raspberry Robin is not limited to a hacker group or reloading a specific malware. So far, malware such as IcedID, Truebot or Bumblebee payloads are known to be deployed. Furthermore, a Cobalt Strike keyboard compromise by hacker group DEV-0950 (also known as FIN11/TA505) occurred. A malicious activity that in some cases also included a Truebot infection and culminated in the spread of the Clop ransomware.
The "malicious transformation" of Raspberry Robin shows: cybercriminals are extremely well connected, with different malware campaigns being executed in a highly professional manner and used for multi-stage attacks.
As a result, the entire economy must contend with a criminal ecosystem that focuses on increasing efficiency and uses tools that are sometimes detected late or not at all, even by "supposedly effective" IT security solutions.
How organizations protect themselves from the threat of Raspberry Robin.
Raspberry Robin shows that access to the Internet is not necessarily required to infect systems or networks with dangerous malware. The computer worm, initially assessed as harmless, in some places even as a harmless attempt by IT students, has evolved within a few months to become part of an extensive malware ecosystem. This has once again made powerful IT security concepts all the more important. So how can organizations protect themselves from the Raspberry Robin threat?
Endpoints such as laptops, smartphones and workstations are particularly popular targets for cybercriminals. Therefore, it is advisable to protect endpoints with an Endpoint Protection Platform (EPP). EPP solutions block known file-based malware at the point of entry and provide preemptive threat protection using built-in security mechanisms as well as signature-based malware defenses.
However, once malware is successfully placed on the network, timely detection is essential to avoid costly secondary damage. Managed detection and response solutions such as Allgeier secion's Active Cyber Defense Service detect malicious C2 communications early and proactively. For this purpose, customers' systems are monitored around the clock for anomalies and conspicuities in network traffic as a fully managed service. If a compromise is suspected and urgent action is required, the commissioning IT teams are informed immediately. Allgeier secion's Active Cyber Defense (ACD) service acts as an early warning system, involving all systems in a network in the monitoring - from desktops and laptops to tablets, smartphones and IoT devices. The service does not require agents to be installed on clients. If criminals have managed to carry out a cyberattack using Raspberry Robin, having the right course of action and efficient processes in place to handle security incidents appropriately is essential. With Incident Response Readiness, organizations get the best preparation for an emergency. With detailed, tailored policies, processes and the provision of the necessary tools, expensive production downtimes or reputational damage can be minimized or prevented altogether.
Raspberry Robin has evolved from an inconspicuous computer worm to a serious malware in less than half a year. This development shows once again: In the face of increasingly complex cyber threats, companies can no longer rely exclusively on preventive and established IT security measures (such as AV solutions and firewalling), but should supplement methods for attack detection to effectively protect their networks, thus reducing the time-critical gap between "detection" and "response". Allgeier secion's Active Cyber Defense (ACD) service offers such a solution and can be booked as a managed service at an attractive flat monthly service fee.
The commissioning companies do not need their own personnel resources for permanent monitoring and incident detection. ACD is a fully managed service that proactively and continuously analyzes networks for anomalies and thus identifies attackers' communications to their command & control servers (C&Cs). Allgeier secion's security analysts monitor the IT infrastructure around the clock for conspicuous activity and provide immediate information when action is required. ACD is implemented completely as an on-premise solution, with which networks can be actively, proactively and permanently secured. All systems within a network are always monitored - from desktop computers to cell phones and tablets to IoT devices.