From USB to WSF: Raspberry Robin evolved to outsmart any antivirus

Father

A lot of tricks have been added to the malware's portfolio since 2021.

Researchers have discovered a new large-scale attack using the Raspberry Robin malware. Since March 2024, attackers have been actively distributing it using modified Windows Script Files (WSF).

As noted by HP Wolf Security researcher Patrick Schläpfer, Raspberry Robin, also known as the QNAP worm, previously spread mainly through removable media such as USB drives. Now, however, its operators are experimenting with other methods.

Raspberry Robin, first discovered in September 2021, has been used over time to download a variety of programs, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot. Moreover, Raspberry Robin can be used as a preliminary stage for deploying ransomware.

The new campaign uses WSF files hosted on many different domains and subdomains. It is not yet clear how attackers lure users to these links, but spam and fraudulent advertising likely play a role.

A well-obfuscated WSF downloads malicious content from a remote server. Before that, it performs a series of checks to avoid detection.

The malware configures Microsoft Defender Antivirus so that the entire primary disk is added to the exclusion list. In addition, it stops execution if it detects that the Windows build number is lower than 17063 (released in December 2017), or if Avast, Avira, Bitdefender, Check Point, ESET, or Kaspersky products appear in the list of running processes.
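The whole-disk Defender exclusion described above leaves a durable trace on the host, both in the Defender preferences and in the Defender operational event log. The following PowerShell audit script is an added example for defenders and is not part of the article or of HP's research; it assumes Microsoft Defender is installed, that the script runs in an elevated session, and that Event ID 5007 ("configuration changed") messages mention the `Exclusions\Paths` registry key when an exclusion is added, which is how that event reads on current Windows builds.

```powershell
# Added example (not from the article): audit Microsoft Defender for exclusions
# that cover an entire volume, the configuration change Raspberry Robin makes.
# Assumes Defender is installed and the script runs in an elevated PowerShell session.

function Get-SuspiciousDefenderExclusion {
    [CmdletBinding()]
    param()

    $findings = @()

    # Hosts on build 17063 or later are the ones the script targets; report that context.
    $build = [Environment]::OSVersion.Version.Build
    $findings += [pscustomobject]@{
        Kind   = 'HostInfo'
        Value  = $build
        Reason = if ($build -ge 17063) { 'Build in scope for this campaign' } else { 'Build below 17063' }
    }

    # Current exclusion paths as reported by the Defender preferences.
    $prefs = Get-MpPreference
    foreach ($path in @($prefs.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $normalized = $path.TrimEnd('\')
        # A bare drive root such as "C:" or "C:\" excludes the whole disk from scanning.
        if ($normalized -match '^[A-Za-z]:$') {
            $findings += [pscustomobject]@{
                Kind   = 'ExclusionPath'
                Value  = $path
                Reason = 'Whole-volume exclusion'
            }
        }
    }

    # Event 5007 in the Defender operational log records configuration changes,
    # including newly added exclusions. Assumption: the message text names the
    # Exclusions\Paths registry key for path exclusions.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5007
    } -MaxEvents 100 -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        if ($e.Message -match 'Exclusions\\Paths') {
            $findings += [pscustomobject]@{
                Kind   = 'Event5007'
                Value  = $e.TimeCreated
                Reason = ($e.Message -split "`r?`n")[0]
            }
        }
    }

    return $findings
}

Get-SuspiciousDefenderExclusion | Format-Table -AutoSize
```

Run it on a host you suspect; any `ExclusionPath` finding for a drive root, or an `Event5007` entry adding one, is worth correlating with `wscript.exe` or `cscript.exe` launches around the same timestamp, since the WSF stage is what makes the change.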

"The scripts themselves are currently not classified as malicious by any of the scanners on VirusTotal, which demonstrates the quirkiness of the malware and the high risk of infecting Raspberry Robin," the HP expert noted.