Raspberry Robin Global USB Malware Campaign

Tags: USB Malware, Raspberry, Qnap, Worm

The Raspberry Robin malware campaign has been spreading around the world since it first surfaced in late 2021. "Raspberry Robin" is Red Canary's name for a cluster of activity first observed in September 2021, which often involves a worm installed via a USB drive.

Indicators of Compromise


APT Groups (4)

TA505 (Russian Federation)
Aliases: Gold Evergreen, Chimborazo, ATK 103, Gold Tahoe, Graceful Spider, Spandex Tempest, SectorJ04, TA505, Hive0065, TEMP.Warlock

Turla Group (China)
Aliases: Turla, UNC4210, Secret Blizzard, Venomous Bear, ITG12, SIG23, Group 13, APT 26, Belugasturgeon, TAG-0530, Waterbug, Pacifier APT, Black Vine, Blue Python, Popeye, Bronze Express, SIG15, CTG-8875, WebMasters, Iron Hunter, Krypton, ATK 13, Makersmark, KungFu Kittens, SIG2, JerseyMikes, Turbine Panda, Shell Crew, PinkPanther, Group 88, SUMMIT, Pensive Ursa, Wraith

Evil Corp
Aliases: GOLD DRAKE, GOLDDRAKE

Silence group

Description of MISP: A relatively new threat actor that has been operating since mid-2016. Group-IB has exposed the attacks committed by the Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts have also discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD. Silence is a group of Russian-speaking hackers, based on the language of their commands, the location of the infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan), although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia. Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.

Description of Mitre: Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. [1][2]

Description of Etda: (Group-IB) Group-IB has exposed the attacks committed by the Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts have also discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD. Silence is a group of Russian-speaking hackers, based on the language of their commands, the location of the infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan), although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia. Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services. Group-IB found several relationships between Silence and TA505, Graceful Spider, Gold Evergreen.

Aliases: ATK 86, Whisper Spider, Contract Crew, Silence, TEMP.TruthTeller, TAG-CR8

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediation
Here are a few steps you can follow if you are, or suspect that you are, infected with this malware:
• Download Autoruns. This is a program that will show all auto-start applications, Registry, and file system locations. You can download the program from this link: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
• Restart your computer in safe mode. You can learn how to do this at the following link: https://www.bitdefender.com/consumer/support/answer/2129/
• Extract the downloaded archive and run the Autoruns.exe file.
• In the Autoruns application, click "Options" at the top and uncheck the "Hide Empty Locations" and "Hide Windows Entries" options. After this, click the "Refresh" icon.
• Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.
• Write down its full path and name. Note that some malware hides process names under legitimate Windows process names, so at this stage it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right-click its name and choose "Delete".
• After removing the malware entry through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), search for the malware's file name on your computer. Be sure to enable viewing of hidden files and folders before proceeding. If you find the file, remove it.
• Reboot your computer in normal mode.

Reports & References (1)

Observed Countries (250)

AD (968)
AE (874)
AF (215)
AG (989)
AI (466)
AL (203)
AM (651)
AO (489)
AQ (813)
AR (114)
AS (940)
AT (287)
AU (918)
AW (366)
AX (480)
AZ (663)
BA (268)
BB (995)
BD (508)
BE (194)
BF (345)
BG (162)
BH (162)
BI (652)
BJ (289)
BL (209)
BM (693)
BN (252)
BO (3)
BQ (937)
BR (224)
BS (296)
BT (464)
BV (419)
BW (948)
BY (805)
BZ (193)
CA (573)
CC (664)
CD (758)
CF (477)
CG (723)
CH (39)
CI (325)
CK (960)
CL (496)
CM (457)
CN (996)
CO (872)
CR (97)
CU (338)
CV (473)
CW (530)
CX (526)
CY (557)
CZ (831)
DE (134)
DJ (813)
DK (794)
DM (215)
DO (160)
DZ (967)
EC (848)
EE (259)
EG (792)
EH (100)
ER (664)
ES (271)
ET (345)
FI (612)
FJ (437)
FK (150)
FM (909)
FO (597)
FR (522)
GA (884)
GB (3)
GD (76)
GE (679)
GF (956)
GG (278)
GH (910)
GI (770)
GL (445)
GM (329)
GN (740)
GP (308)
GQ (225)
GR (980)
GS (274)
GT (1)
GU (916)
GW (779)
GY (49)
HK (637)
HM (812)
HN (399)
HR (422)
HT (815)
HU (889)
ID (659)
IE (380)
IL (848)
IM (631)
IN (994)
IO (405)
IQ (475)
IR (955)
IS (83)
IT (810)
JE (386)
JM (816)
JO (428)
JP (710)
KE (882)
KG (693)
KH (830)
KI (709)
KM (117)
KN (567)
KP (639)
KR (130)
KW (335)
KY (653)
KZ (803)
LA (780)
LB (644)
LC (887)
LI (508)
LK (679)
LR (449)
LS (556)
LT (209)
LU (947)
LV (440)
LY (800)
MA (20)
MC (440)
MD (931)
ME (71)
MF (594)
MG (582)
MH (172)
MK (578)
ML (816)
MM (368)
MN (594)
MO (517)
MP (257)
MQ (584)
MR (789)
MS (510)
MT (568)
MU (971)
MV (107)
MW (816)
MX (320)
MY (365)
MZ (777)
NA (20)
NC (567)
NE (389)
NF (730)
NG (98)
NI (424)
NL (507)
NO (208)
NP (584)
NR (551)
NU (122)
NZ (909)
OM (872)
PA (524)
PE (585)
PF (157)
PG (15)
PH (333)
PK (676)
PL (364)
PM (645)
PN (651)
PR (357)
PS (123)
PT (814)
PW (246)
PY (912)
QA (518)
RE (101)
RO (612)
RS (564)
RU (528)
RW (286)
SA (946)
SB (583)
SC (503)
SD (113)
SE (817)
SG (422)
SH (254)
SI (538)
SJ (791)
SK (671)
SL (402)
SM (534)
SN (24)
SO (325)
SR (233)
SS (955)
ST (963)
SV (80)
SX (968)
SY (336)
SZ (578)
TC (941)
TD (23)
TF (614)
TG (906)
TH (555)
TJ (964)
TK (800)
TL (830)
TM (637)
TN (931)
TO (264)
TR (837)
TT (962)
TV (725)
TW (591)
TZ (44)
UA (815)
UG (538)
UM (360)
US (24)
UY (862)
UZ (410)
VA (89)
VC (39)
VE (18)
VG (138)
VI (421)
VN (767)
VU (543)
WF (521)
WS (411)
XK (387)
YE (618)
YT (416)
ZA (409)
ZM (921)
ZW (180)