Raspberry Robin and its new anti-emulation trick

Raspberry Robin has evolved from a worm into an initial access broker, boasting increasingly sophisticated evasion capabilities. A recent variant introduces anti-emulation techniques tied to Windows Defender Emulator and VDLL-based checks delivered via cracked software that drops multiple payloads including Raspberry Robin itself. Hashtags: #RaspberryRobin #WindowsDefenderEmulator #VDLL #HAL9TH #JohnDoe

Keypoints

  • Raspberry Robin progressed from being a worm to functioning as an initial access broker for other actors, aided by evolving evasion techniques.
  • A new variant implements anti-emulation techniques connected to the Windows Defender Emulator, highlighting advanced anti-analysis capabilities.
  • The concept of Windows Defender Emulator was discussed in Bulazel’s 2018 talk, illustrating how emulators can be bypassed by malware.
  • Historical anti-emulation usage includes Arkei Stealer, Qbot, and others exploiting emulator artifacts like specific computer name/username checks and emulator files.
  • Qbot’s approach evolved to check for emulator artifacts (e.g., the file C:\INTERNAL\__empty) rather than solely checking computer/user names.
  • Raspberry Robin’s distribution method involves fake crack/keygen sites delivering self-extracting archives that drop two stealers (Pony and AZORULT) and Raspberry Robin (a .cpl file named keygen-step-2.cpl), with rapid sample repackaging to evade IOCs.

MITRE Techniques

  • [T1497] Virtualization/Sandbox Evasion – Anti-emulation checks to detect Defender emulator; quoted as: “The anti-emulation technique spotted in Arkei was a string comparison between: The computer name and “HAL9TH” and the username and “JohnDoe”.”
  • [T1204.002] User Execution: Malicious File – Cracked software distribution leads users to execute a fake crack that drops Raspberry Robin and other payloads; quoted as: “When executed, the program runs multiple anti-emulation/sandbox checks.”

Indicators of Compromise

  • [Hash] Hashes (SHA-256) – keygen-step-2.cpl (Raspberry Robin) 242851abe09cc5075d2ffdb8e5eba2f7dcf22712625ec02744eecb52acd6b1bf, 483adf61d7d932003659d5d6242eace29ea8416ec810749333793e0efa91610d and 6 more hashes
  • [Hostname] – keygenguru[.]com – Raspberry Robin distribution platform
  • [PE Information] – hrtbdd69.dll (DLL name in keygen-step-2.cpl export table), OsTlhtlohe (Exported function in keygen-step-2.cpl)
  • [Files/Directories] – C:\myapp.exe, C:\Mirc, C:\Mirc\mirc.ini, C:\Mirc\script.ini (and 2 more items)
  • [Strings] – HAL9TH, JohnDoe (emulator artifact indicators)
  • [VDLL Exports] – MpVmp32Entry, MpReportEventEx (VDLL-based anti-emulation functions)
  • [Files/Executables] – keygen-step-2.cpl (Raspberry Robin drop)
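The strings and paths listed above are the artifacts the emulator exposes and the malware looks for, which makes them useful the other way round: a sample that embeds them is a candidate for anti-emulation logic and deserves a closer look. The script below is an added example, not code from the HarfangLab report or from the project; it scans a file image for those artifacts in both ANSI and UTF-16LE form (the two encodings Windows string APIs use), and the grouping into categories, the verdict rules, and the sample bytes are the example's own constructions.

```python
"""Static triage for Windows Defender emulator artifact strings.

Added example (not HarfangLab's code). Scans a file image for the
emulator artifacts named in the report: the HAL9TH / JohnDoe identity
pair, the VDLL export names, and the emulator-only file paths. A hit is
not proof of malice, only a reason to prioritise the sample for dynamic
analysis; the categories and verdict thresholds are assumptions made
for this example.
"""
import re
from dataclasses import dataclass

# Artifacts taken from the report; the grouping is the example's own.
EMULATOR_ARTEFACTS = {
    "emulator-identity": ["HAL9TH", "JohnDoe"],
    "emulator-file": [
        r"C:\INTERNAL\__empty",
        r"C:\myapp.exe",
        r"C:\Mirc",
        r"C:\Mirc\mirc.ini",
        r"C:\Mirc\script.ini",
    ],
    "vdll-export": ["MpVmp32Entry", "MpReportEventEx"],
}


@dataclass(frozen=True)
class Hit:
    category: str
    artefact: str
    encoding: str
    offset: int


def _patterns():
    """Yield (category, artifact, encoding, compiled regex) for each artifact.

    Windows paths are case-insensitive, so the file category is matched
    ignoring case; identity strings and export names are matched exactly.
    """
    for cat, names in EMULATOR_ARTEFACTS.items():
        flags = re.IGNORECASE if cat == "emulator-file" else 0
        for name in names:
            yield cat, name, "ansi", re.compile(re.escape(name.encode("ascii")), flags)
            yield cat, name, "utf-16le", re.compile(re.escape(name.encode("utf-16-le")), flags)


def scan(blob: bytes) -> list:
    """Return every artifact occurrence in the blob, ordered by offset."""
    hits = []
    for cat, name, enc, pat in _patterns():
        for m in pat.finditer(blob):
            hits.append(Hit(cat, name, enc, m.start()))
    return sorted(hits, key=lambda h: h.offset)


def triage(blob: bytes) -> dict:
    """Summarise the scan into a verdict plus the evidence behind it."""
    hits = scan(blob)
    found = {h.artefact for h in hits}
    cats = {h.category for h in hits}
    # The Arkei-style check pairs computer name HAL9TH with user name JohnDoe;
    # seeing both together, or any VDLL export name, is the strongest signal.
    identity_pair = {"HAL9TH", "JohnDoe"} <= found
    verdict = "review" if hits else "no-emulator-artefacts"
    if identity_pair or "vdll-export" in cats:
        verdict = "likely-anti-emulation"
    return {"verdict": verdict, "artefacts": sorted(found), "categories": sorted(cats), "hits": hits}


# Constructed sample: not a real binary, just padding with embedded strings
# in the encodings a compiled check would typically leave behind.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + "HAL9TH".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
    + "JohnDoe".encode("utf-16-le") + b"\x00\x00"
    + b"c:\\internal\\__empty\x00"
    + b"MpVmp32Entry\x00"
    + b"\xcc" * 16
)

# Constructed benign image with no emulator artifacts at all.
BENIGN = b"MZ" + b"\x00" * 64 + b"Hello, world\x00"


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        result = triage(blob)
        print(label, result["verdict"], result["artefacts"])
        for h in result["hits"]:
            print(f"  {h.offset:#06x} {h.category:<18} {h.encoding:<9} {h.artefact}")
```

Run it against a directory of unpacked samples and sort by verdict; the offsets let an analyst jump straight to the comparison code in a disassembler. Because the UTF-16LE and ANSI forms are searched separately, the report also shows which string API family the check was compiled against.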

Read more: https://harfanglab.io/en/insidethelab/raspberry-robin-and-its-new-anti-emulation-trick/