eSentire’s TRU analyzes Raspberry Robin’s multi-stage infection chain, starting with infected USB drives and fetching DLL payloads from compromised QNAP servers before delivering SocGholish and triggering C2 communications. Analysts foresee potential future use of Raspberry Robin to deliver other malware beyond downloader/stealer capabilities. #RaspberryRobin #QNAPWorm #SocGholish #EvilCorp #MaksimVYakubets
Key points
- Raspberry Robin delivers SocGholish as a second stage, suggesting a possible pre-ransomware indicator.
- The worm spreads via infected USB drives and connects to compromised QNAP servers to fetch the DLL payload, communicating on port 8080.
- The second unpacked DLL payload hooks LdrLoadDll API calls using Avast’s snxhk.dll to monitor DLL loading.
- The final unpacked DLL payload handles C2 communications and transmits host details such as username and computer name.
- TRU assesses with high confidence that Raspberry Robin will be used in the future to deliver other malware types beyond downloaders and stealers.
- Case evidence from Deutsche Telekom CERT links USB infections to printers in stores, underscoring USB risk and the need to scrub drives before corporate use.
MITRE Techniques
- [T1091] Initial Access – Replication Through Removable Media – “Raspberry Robin infects the end user via USB drives” – The malware gains initial access via infected USB devices.
- [T1204.002] Execution – User Execution: Malicious File – “The initial payload appears as a shortcut file (.lnk)” – The drop occurs through LNK shortcut execution.
- [T1218.011] Defense Evasion – System Binary Proxy Execution: Rundll32 – “Raspberry Robin leverages rundll32.exe followed by shell32.dll and calling the ShellExec_RunDLL or ShellExec_RunDLLA functions to execute the malicious DLL” – Abuse of Rundll32 for code execution.
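A defender-side check for the Rundll32 proxy-execution pattern listed above (T1218.011), added here as an example and not taken from the eSentire report: it scans constructed process-creation events for rundll32.exe calling shell32.dll's ShellExec_RunDLL or ShellExec_RunDLLA export and flags launched targets that are not .exe files (such as a DLL dropped under a .xsd name). The event fields and every sample command line are assumptions for illustration.

```python
import re

# Sysmon-style process-creation events, constructed for this example.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe shell32.dll,ShellExec_RunDLL "C:\ProgramData\taquz.xsd"'},
    {"pid": 4188, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32 SHELL32.DLL,ShellExec_RunDLLA "C:\Program Files\Tool\updater.exe" /silent'},
    {"pid": 4202, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe printui.dll,PrintUIEntry /in /n \\print01\hp"},
    {"pid": 4310, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe shell32.dll,ShellExec_RunDLL"},
]

# rundll32 takes "<module>,<export> <args>"; the module may be written with or
# without ".dll" and in any case. Group 1 is what ShellExec_RunDLL is asked to run.
SHELLEXEC_RE = re.compile(
    r"shell32(?:\.dll)?\s*,\s*ShellExec_RunDLLA?\b\s*(.*)$", re.IGNORECASE)


def _first_token(arg):
    """Return the launched program from the argument string, honouring quotes."""
    if arg.startswith('"'):
        end = arg.find('"', 1)
        return arg[1:end] if end > 0 else arg[1:]
    return arg.split(maxsplit=1)[0] if arg else ""


def rundll32_shellexec_alerts(events):
    """One alert per event where rundll32.exe proxies execution through
    shell32.dll!ShellExec_RunDLL / ShellExec_RunDLLA (MITRE T1218.011)."""
    alerts = []
    for ev in events:
        if not ev.get("image", "").lower().endswith("\\rundll32.exe"):
            continue                        # only the rundll32 host process
        m = SHELLEXEC_RE.search(ev.get("cmdline", ""))
        if not m:
            continue                        # other rundll32 exports are out of scope
        target = _first_token(m.group(1).strip())
        alerts.append({
            "pid": ev["pid"],
            "technique": "T1218.011",
            "target": target,
            # A non-.exe target (e.g. a renamed DLL) is the higher-signal case.
            "non_exe_target": not target.lower().endswith(".exe"),
        })
    return alerts
```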
Indicators of Compromise
- [Domain] C2 – k6j[.]pw, zk4[.]me, and 4 more domains – C2 domains referenced in the appendix.
- [IP] C2 – 47.24.139[.]111 – A listed C2 IP address.
- [File hash] Second DLL payload – a672d61d2e0a2047411ecbc3aa0fc059, 6da9212d45c2a06bb2dd76dacff2d7bf, and 2 more hashes – DLL payloads used in the infection chain.
- [File hash] Third DLL payload – db73f38ca969609d08a016da0deb8276 – Final payload involved in C2 communication.
- [File hash] SocGholish JS file – 7115951e5ca39e17236a4a359812c4e4ec958939 – SocGholish component used in the loader chain.
- [File hash] Initial packed Raspberry Robin DLL – 6da9212d45c2a06bb2dd76dacff2d7bf – Initial DLL observed in the infection flow.
- [File name] taquz.xsd – Path showing where a DLL is dropped on the host (C:\ProgramData\taquz.xsd) – illustrative file referenced in the drop process.
Read more: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-raspberry-robin