Raspberry Robin is an automated framework targeting European financial institutions, with upgraded downloader capabilities, in-memory shellcode, and encrypted command-and-control channels. Researchers note expanded victim data collection, modular C2 via a compromised QNAP, and use of Discord to host payloads, signaling a more sophisticated and stealthy operation. #RaspberryRobin #QNAP #Discord #Tor #EuropeanFinancialInstitutes #SecurityJoes
Keypoints
- Raspberry Robin is targeting the European financial sector, with a focus on Spanish- and Portuguese-speaking organizations.
- Threat researchers dissected multiple incidents showing a more capable downloader and expanded data collection from infected machines.
- The malware chain includes three stages: First Stage (Generic Packer), Second Stage (Intermediate Obfuscation), Third Stage (Shellcode Downloader).
- Infected machines download modules from a C2 and then run them in memory, with traffic often routed through Tor.
- New downloader iterations employ RC4 encryption, five layers of protection, and victim profiling to tailor payloads.
- Payload delivery uses Discord-hosted archives (File_Part.1.zip) and compromised infrastructure, such as a QNAP device, to host the C2.
MITRE Techniques
- [T1218.011] Regsvr32 (Signed Binary Proxy Execution): The malware uses regsvr32 to load a DLL (e.g., "Process : C:\Windows\SysWOW64\regsvr32.exe Started with CMD : C:\WINDOWS\syswow64\regsvr32.exe zhddmeb.dll").
- [T1059.003] Windows Command Shell: The call sequence shows commands executed via CMD (e.g., "Started with CMD").
- [T1105] Ingress Tool Transfer: The C2 server provides the corresponding payload (a Windows executable) according to the victim's profile.
- [T1090] Proxy: C2 traffic is routed through Tor, hiding communications to the C2 server.
- [T1027] Obfuscated/Compressed Files and Information: The downloader employs multiple layers of obfuscation and RC4 encryption to conceal payloads.
- [T1082] System Information Discovery: The malware profiles machines with hostname, username, processor name, and display devices to tailor payloads.
- [T1012] Registry Discovery: Verifies prior infection via the registry key SOFTWARE\Microsoft\Multimedia\Active.
- [T1071.001] Web Protocols: C2 beacons and payload delivery rely on HTTP/S calls (e.g., "http://[C2_SERVER_IP]:8080/hexlify(rc4([HEADER]...))").
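The T1218.011 and T1071.001 entries above give two concrete telemetry shapes a defender can hunt for: regsvr32 registering a DLL by bare name from a non-system location, and an HTTP beacon to port 8080 whose entire path is a hex blob (the hexlify(rc4(...)) form). The triage logic below is an added example, not code from the report or from Security Joes; the process events and URLs it runs over are constructed (the IP is a TEST-NET address, not the page's IoC), with only the quoted log format and the DLL name taken from the page.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation events, modelled on the log excerpt quoted in
# the T1218.011 entry. Only the first line reproduces the page's DLL name.
SAMPLE_EVENTS = [
    "Process : C:\\Windows\\SysWOW64\\regsvr32.exe Started with CMD : "
    "C:\\WINDOWS\\syswow64\\regsvr32.exe zhddmeb.dll",
    "Process : C:\\Windows\\System32\\regsvr32.exe Started with CMD : "
    "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll",
    "Process : C:\\Windows\\System32\\notepad.exe Started with CMD : notepad.exe readme.txt",
]

# Constructed HTTP telemetry (TEST-NET IP, not an IoC). The first URL has the
# beacon shape from the T1071.001 entry: http://<ip>:8080/<hex>; the second is benign.
SAMPLE_URLS = [
    "http://203.0.113.10:8080/9f1c2ab47e0d55a1c3b8e7f2d0a9c4b6",
    "http://203.0.113.10:8080/api/v1/status",
]

CMD_RE = re.compile(r"Process : (?P<image>\S+) Started with CMD : (?P<cmd>.+)$")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")
HEX_PATH_RE = re.compile(r"^/[0-9a-fA-F]{16,}$")


def suspicious_regsvr32(event: str) -> bool:
    """True when regsvr32 registers a DLL that is not under a system directory.
    The dropped DLL in the report is passed by bare name (resolved from the
    current directory), which is what this catches. Whitespace split is a
    simplification: quoted paths with spaces would need a proper tokenizer."""
    m = CMD_RE.search(event)
    if not m or not m.group("image").lower().endswith("\\regsvr32.exe"):
        return False
    args = [a for a in m.group("cmd").split()[1:] if not a.startswith("/")]
    dlls = [a for a in args if a.lower().endswith(".dll")]
    return any(not d.lower().startswith(SYSTEM_DIRS) for d in dlls)


def looks_like_beacon(url: str) -> bool:
    """True for plain-HTTP requests to port 8080 whose whole path is one hex
    string, the hexlify(rc4(...)) shape. A hex-only path is rare for ordinary
    web content, so treat a hit as a triage signal, not as proof."""
    parts = urlsplit(url)
    return parts.scheme == "http" and parts.port == 8080 and bool(HEX_PATH_RE.match(parts.path))


def triage(events, urls):
    """Return the subset of events and URLs matching either heuristic."""
    return {
        "regsvr32": [e for e in events if suspicious_regsvr32(e)],
        "beacons": [u for u in urls if looks_like_beacon(u)],
    }
```

Either hit alone deserves a look; a host producing both within a short window matches the regsvr32-then-beacon sequence the report describes.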
Indicators of Compromise
- [IP Address] C2 server: 85.56.236.45, 85.56.236.45:8080 (C2 hosting, later traffic through Tor)
- [Domain] C2/redirect domains: eu.adbison-redirect[.]com, and related redirector domains
- [Hash] Malicious MSI installer: 9c9426776b62a4461b7a9237a971fb3c5fc3222acd303506a763aa1d314a1573
- [Hash] ZIP payload: b11805162d3ae3d3c6635c240d004d1fe942a9cde25fb701c92a8e135d37d100
- [Hash] Unpacked binary: ac7d57c011c1bf1b3158a64d4c91e1d5c54e8d05cdeb9d1fadcbb0c4d5103428
- [Hash] JScript encoded dropper: 21122891977d9296eea86a8a292b2ba7677766a2085566a6e93ecf60f0ac6ee5
- [Hash] Additional RC4-encoded component: FAFE11F23567080FB14CFD3B51CB440B9C097804569402D720FD32DD66059830
- [URL] Malicious advertisement payload URL: hxxps://eu.adbison-redirect[.]com/click?payload=[JSON_BASE64]
- [File] File_Part.1.zip: Hosted on Discord CDN as part of the delivery chain
- [Note] Raspberry Robin: The malware family name used in these campaigns