Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Raspberry Robin is a global USB-based malware campaign that acts as a loader: it delivers other loaders to victim networks and provides ransomware operators with initial access. It propagates via infected USB drives, uses legitimate Windows binaries to execute its payloads, and relies on compromised NAS devices for its C2 infrastructure. #RaspberryRobin #QNAP

Keypoints

  • Raspberry Robin has operated globally since late 2021 and is linked to major ransomware precursor families such as SocGholish, IcedID, Bumblebee, and Truebot.
  • The campaign spreads via USB and creates Raspberry Robin LNK files on external drives to trigger execution when a USB is plugged in.
  • Printers at print/copy stores have been implicated as sources of infected USBs, suggesting a physical distribution vector in addition to ordinary drive sharing.
  • The malware uses legitimate Windows binaries (rundll32.exe, regsvr32.exe, msiexec.exe) to start payloads and C2 communications, i.e., signed binary proxy execution techniques (MITRE T1218).
  • The C2 network relies on compromised NAS devices (notably QNAP and Acrobox) with DNS hijacking and short-domain fronts for command traffic (often via port 8080).
  • Detection opportunities have been published (e.g., Splunk SPL rules) to spot the infection chain, including LNK-related activity and msiexec-based C2 traffic.
  • A large set of IOCs (SHA256s, file names, and embedded domains) exists, indicating a global, multi-stage operation with hundreds of C2 domains.

MITRE Techniques

  • [T1023] Shortcut Modification – Raspberry Robin creates LNK files on external USB drives to facilitate auto-execution when a USB is plugged in. ‘creating the Raspberry Robin LNK files on external USB drives.’
  • [T1091] Replication Through Removable Media – The USB-based spread demonstrates propagation via removable media.
  • [T1218.003] Rundll32 – The campaign uses rundll32.exe to launch payloads as a proxy execution method. ‘launching binaries via either rundll32.exe’
  • [T1218.002] Regsvr32 – The campaign uses regsvr32.exe to launch payloads as a proxy execution method. ‘launching binaries via either rundll32.exe or regsvr32.exe’
  • [T1218.005] Msiexec – The LNK execution chain invokes msiexec.exe to begin C2 communications. ‘msiexec to begin C2 communications’
  • [T1218.004] Odbcconf – The campaign is noted for using odbcconf.exe as part of its execution chain. ‘using odbcconf.exe’
  • [T1218.009] Fodhelper – The campaign uses fodhelper.exe as part of its execution chain. ‘fodhelper.exe’
  • [T1071.001] Web Protocols – C2 communications occur over web protocols, notably via port 8080. ‘connect via port 8080 (HTTP proxy)’
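The key points and technique list above describe two detection opportunities: a proxy-execution binary launched from a freshly inserted USB drive (the LNK chain), and msiexec.exe talking to a short C2 domain over port 8080. The following detector is an added example written for this summary, not code from the original post or from the Splunk rules it mentions. The event records are constructed to loosely resemble Sysmon process-creation and network-connection events plus a USB-mount notice; the field names (`type`, `host`, `image`, `parent_image`, `cmdline`, `dest_host`, `dest_port`, `drive`) are assumptions, not a real product schema. The two C2 domains are the ones listed on the page; the file name pcv.kqn is also from the page.

```python
"""Toy detector for the Raspberry Robin infection chain (added example).

Event shapes and field names are constructed assumptions, not a real
log schema. Two rules are implemented:
  lnk_chain  - a T1218 proxy-execution binary spawned by explorer.exe
               with a command line pointing at a drive that was just
               mounted as removable (the LNK-on-USB chain)
  msiexec_c2 - msiexec.exe opening a connection to port 8080 or to a
               known short C2 domain
"""
import json
import ntpath
import re

# Binaries the summary names as proxy-execution hosts (MITRE T1218.*).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "msiexec.exe",
           "odbcconf.exe", "fodhelper.exe"}

# Short-domain C2 fronts listed on the page (the full list is much longer).
C2_DOMAINS = {"w0.pm", "4xq.nl"}
C2_PORT = 8080

# Constructed sample telemetry: one infected host (ws01) and one clean host (ws02).
SAMPLE_EVENTS = [
    r'{"type":"usb_mount","host":"ws01","drive":"E:"}',
    r'{"type":"process","host":"ws01","image":"C:\\Windows\\System32\\rundll32.exe",'
    r'"parent_image":"C:\\Windows\\explorer.exe","cmdline":"rundll32.exe E:\\pcv.kqn"}',
    r'{"type":"network","host":"ws01","image":"C:\\Windows\\System32\\msiexec.exe",'
    r'"dest_host":"w0.pm","dest_port":8080}',
    # Benign: rundll32 started by a service host from the system drive.
    r'{"type":"process","host":"ws02","image":"C:\\Windows\\System32\\rundll32.exe",'
    r'"parent_image":"C:\\Windows\\System32\\svchost.exe",'
    r'"cmdline":"rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}',
    # Benign: msiexec fetching an installer over HTTPS from an ordinary host.
    r'{"type":"network","host":"ws02","image":"C:\\Windows\\System32\\msiexec.exe",'
    r'"dest_host":"download.example.com","dest_port":443}',
]


def _basename(path):
    """Lower-cased file name of a Windows path ('' if path is empty)."""
    return ntpath.basename(path).lower()


def _references_drive(cmdline, drive):
    """True if cmdline contains a path on the given drive letter (e.g. 'E:\\...')."""
    pattern = r"(?<![A-Z])" + re.escape(drive.upper()) + r"\\"
    return re.search(pattern, cmdline.upper()) is not None


def analyze(lines):
    """Run both rules over JSON-lines events and return a list of findings."""
    removable = {}  # host -> set of drive letters currently mounted as removable
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        host, kind = ev["host"], ev["type"]
        if kind == "usb_mount":
            removable.setdefault(host, set()).add(ev["drive"].upper())
        elif kind == "usb_unmount":
            removable.get(host, set()).discard(ev["drive"].upper())
        elif kind == "process":
            image = _basename(ev["image"])
            parent = _basename(ev.get("parent_image", ""))
            cmd = ev.get("cmdline", "")
            drives = removable.get(host, set())
            if (image in LOLBINS and parent == "explorer.exe"
                    and any(_references_drive(cmd, d) for d in drives)):
                findings.append({"rule": "lnk_chain", "host": host,
                                 "image": image, "cmdline": cmd})
        elif kind == "network":
            image = _basename(ev["image"])
            dest = ev.get("dest_host", "").lower()
            port = int(ev.get("dest_port", 0))
            if image == "msiexec.exe" and (port == C2_PORT or dest in C2_DOMAINS):
                findings.append({"rule": "msiexec_c2", "host": host,
                                 "dest": f"{dest}:{port}"})
    return findings


if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(hit)
```

The `lnk_chain` rule deliberately requires three things to line up (a T1218 binary, explorer.exe as parent, and a path on a drive seen in a recent USB-mount event) because any one of them alone is common on a healthy workstation; the `msiexec_c2` rule keys on the port-8080 and short-domain behaviour the summary describes rather than on a hash, so it survives the sample churn implied by the IOC list. In production the removable-drive set would come from the platform's device-arrival events rather than a constructed `usb_mount` record.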

Indicators of Compromise

  • [SHA256] USB malware samples – 8cc69700d007da11ee29a37d9accd87be1e9b16c49e8d8015b4cc237de803e24, de62ea5d304259d153101e488449afb51f536a2c65082f929d298939de129355, and 2 more hashes
  • [FileName] LNK payloads – wycz.lnk, pcv.kqn, and other LNK files observed on USBs
  • [Embedded Domain] C2 domains – w0.pm, 4xq.nl, and other short-domain C2 fronts (plus many more in the table)

Read more: https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html