Raspberry Robin is a sophisticated USB-spread downloader that uses advanced binary obfuscation, anti-analysis methods, and multi-layer execution to evade detection and propagate across networks. The malware communicates with C2 servers over the TOR network and leverages legitimate tools and privilege escalation to move laterally and maintain persistence. #RaspberryRobin #Zscaler
Key points
- Raspberry Robin primarily spreads via infected USB devices.
- It employs advanced binary obfuscation and anti-analysis techniques to evade detection.
- The malware can deploy a decoy payload when it detects an analysis environment.
- Raspberry Robin communicates with its command-and-control servers over the TOR network (.onion domains).
- It propagates across networks using legitimate tools such as PsExec and PAExec.
- The threat modifies registry keys for persistence and uses UAC bypass methods and local privilege escalation exploits.
- It enumerates network drives and user directories to discover targets for propagation.
MITRE Techniques
- [T1071] Command and Control – Application Layer Protocol: reaches its C2 servers through the TOR network using .onion hidden-service addresses (‘Utilizes the TOR network for communication with C2 servers.’). Routing C2 through Tor is also described by T1090.003 Proxy: Multi-hop Proxy.
- [T1203] Execution – Executes payloads on remote systems with legitimate tools such as PsExec and PAExec (‘Executes payloads using legitimate tools like PsExec and PAExec.’). Note that T1203 is Exploitation for Client Execution; remote execution through PsExec-style tools is more precisely T1569.002 System Services: Service Execution, with the lateral movement itself covered by T1021.002 Remote Services: SMB/Windows Admin Shares.
- [T1547] Persistence – Boot or Logon Autostart Execution: modifies registry keys so the malware is relaunched on compromised hosts (‘Modifies registry keys for persistence on compromised hosts.’). Where Run keys are used this is sub-technique T1547.001 Registry Run Keys / Startup Folder.
- [T1068] Privilege Escalation – Exploitation for Privilege Escalation: uses local privilege escalation exploits to gain higher privileges (‘Uses local privilege escalation exploits and UAC bypass methods.’). The UAC bypasses map separately to T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control.
- [T1027] Defense Evasion – Obfuscated Files or Information: layers binary obfuscation and anti-analysis checks to evade detection (‘Employs obfuscation techniques to evade detection.’)
- [T1083] Discovery – File and Directory Discovery: enumerates user directories to find targets for propagation (‘Enumerates network drives and user directories for propagation.’). Enumeration of network drives is T1135 Network Share Discovery.
- [T1003] Credential Access – OS Credential Dumping: attempts to access sensitive information during execution to support lateral movement and persistence (‘Attempts to access sensitive information during execution.’). The quoted statement is generic and does not name a credential store, so treat the T1003 mapping as the summary's interpretation rather than a confirmed observation.
Indicators of Compromise
- [domain] TOR C2 domains – 2pxsdtxngssu3vqqujdfgu4bsmlkp3d2ytctawznlhhez6tq57wzpzqd.onion, 3bh22ezbxub3dopbqja7jjymdussvwgl3eu4xzlsdyagtnhzxy3tr3id.onion, and 10 other .onion domains
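The key points above describe three behaviours a defender can look for in telemetry: resolution of the listed .onion C2 domains, PsExec/PAExec launches used to propagate, and registry writes for persistence. The script below is an added example, not code from the Zscaler write-up, that runs those checks over constructed log lines. The key=value log format, host names, file paths and the choice of Run/RunOnce as the persistence keys are assumptions (the page says only "registry keys"); the two .onion domains are the ones reproduced on this page, and the other ten are not available here.

```python
"""Added example (not from the Zscaler write-up): scan constructed log lines for
Raspberry Robin behaviours summarised above: .onion C2 resolution, PsExec/PAExec
launches used for propagation, and writes to autostart Run keys."""
import re

# The two .onion C2 domains reproduced on this page. The remaining ten are not
# listed here, so any other .onion name is reported as "other" rather than "known".
ONION_C2 = {
    "2pxsdtxngssu3vqqujdfgu4bsmlkp3d2ytctawznlhhez6tq57wzpzqd.onion",
    "3bh22ezbxub3dopbqja7jjymdussvwgl3eu4xzlsdyagtnhzxy3tr3id.onion",
}

# Legitimate remote-execution tools the write-up names as the propagation vehicle.
LATERAL_TOOLS = {"psexec.exe", "psexec64.exe", "paexec.exe"}

# Assumption: the write-up does not name the keys; Run/RunOnce are used here.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE
)

# Assumed log format: space-separated key=value pairs, double-quoted values may
# contain spaces (e.g. cmdline="..."). The leading timestamp carries no "=" and
# is simply ignored by the parser.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(event: dict):
    """Return a verdict string if the event matches one of the checks, else None."""
    kind = event.get("type")
    if kind == "dns":
        name = event.get("query", "").lower().rstrip(".")
        if name in ONION_C2:
            return "c2_onion_known"
        if name.endswith(".onion"):
            return "c2_onion_other"
    elif kind == "proc":
        # Compare only the image basename so the drop location does not matter.
        image = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in LATERAL_TOOLS:
            return "lateral_remote_exec"
    elif kind == "reg":
        if RUN_KEY_RE.search(event.get("key", "")):
            return "persistence_run_key"
    return None


def scan(lines):
    """Return (host, verdict, detail) for every line that trips a check."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            detail = ev.get("query") or ev.get("cmdline") or ev.get("key") or ""
            hits.append((ev.get("host", "?"), verdict, detail))
    return hits


# Constructed sample telemetry for illustration; not real logs.
SAMPLE_LOGS = [
    "2024-05-02T10:14:03Z type=dns host=WS-0142 query=3bh22ezbxub3dopbqja7jjymdussvwgl3eu4xzlsdyagtnhzxy3tr3id.onion",
    "2024-05-02T10:14:05Z type=dns host=WS-0142 query=www.example.com",
    "2024-05-02T10:14:09Z type=dns host=WS-0142 query=notlistedonthispageexample.onion",
    '2024-05-02T10:16:41Z type=proc host=WS-0142 image=C:\\Users\\Public\\paexec.exe cmdline="paexec.exe \\\\WS-0177 -s cmd.exe /c whoami"',
    '2024-05-02T10:16:42Z type=proc host=WS-0142 image=C:\\Windows\\System32\\svchost.exe cmdline="svchost.exe -k netsvcs"',
    "2024-05-02T10:17:10Z type=reg host=WS-0142 key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "2024-05-02T10:17:11Z type=reg host=WS-0142 key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler",
]

if __name__ == "__main__":
    for host, verdict, detail in scan(SAMPLE_LOGS):
        print(f"{host:8} {verdict:20} {detail}")
```

Two caveats when applying this to real telemetry. A Tor client resolves .onion names inside the Tor circuit, so the C2 domains will normally not appear in recursive DNS logs; they are more likely to surface in proxy, egress or endpoint network telemetry, or when an application leaks the lookup. PsExec and PAExec are also used by administrators, so the `lateral_remote_exec` verdict is a lead to correlate with the source host and account, not a confirmed infection on its own.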