Raspberry Robin, a tough-to-detect worm carrying malware and ransomware, is now being delivered via Windows Shortcut Files and Windows Script Files. Researchers at Hewlett Packard (HP) first began to identify the new trend in March of this year.
Previously, Raspberry Robin was delivered physically by inserting a weaponized USB stick into a targeted device. But now, this highly effective malware is being delivered via Windows Script Files (WSF), which are widely used by administrators and legitimate software to automate tasks within Windows. The WSF file format supports scripting languages, such as JScript and VBScript, that are interpreted by the Windows Script Host component built into the Windows operating system. It can, however, also be abused by attackers. The Windows Script Files are offered for download via various malicious domains and subdomains controlled by the attackers, which can be distributed via spam or fake online advertising campaigns.
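A defender-side triage of WSF files, added here as an example that is not from HP's research or the original article: it extracts the `<script>` elements of a .wsf document and flags the traits the article describes (scripts fetched from a remote source, dynamic code execution, encoded strings) so the file can be quarantined before Windows Script Host ever runs it. The two sample files, the indicator names and the threshold are constructed for illustration.

```python
import re

# Tolerant <script> extraction: real WSF files are often not well-formed XML,
# yet Windows Script Host still runs them, so a strict XML parser would miss them.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Heuristics; the threshold is an assumption for this example, not a published rule.
DYNAMIC_EXEC = re.compile(r"\b(eval|unescape|execute|executeglobal)\s*\(", re.IGNORECASE)
ESCAPE_RE = re.compile(r"\\x[0-9a-f]{2}|%[0-9a-f]{2}|\bchrw?\(|fromcharcode", re.IGNORECASE)
ESCAPE_THRESHOLD = 5

def parse_wsf(text):
    """Return one dict per <script> element: language, src attribute, inline body."""
    blocks = []
    for attrs, body in SCRIPT_RE.findall(text):
        a = {k.lower(): v for k, v in ATTR_RE.findall(attrs)}
        blocks.append({"language": a.get("language", "").lower(),
                       "src": a.get("src"), "body": body})
    return blocks

def triage_wsf(text):
    """Return the sorted list of indicator names present in a WSF document."""
    findings = set()
    for b in parse_wsf(text):
        # A script pulled from a URL or UNC path runs before anyone can inspect it.
        if b["src"] and re.match(r"(https?:|\\\\|file:)", b["src"], re.IGNORECASE):
            findings.add("remote_script_source")
        body = b["body"]
        if DYNAMIC_EXEC.search(body):
            findings.add("dynamic_code_execution")
        if len(ESCAPE_RE.findall(body)) >= ESCAPE_THRESHOLD:
            findings.add("encoded_strings")
    return sorted(findings)

# Constructed samples (not real Raspberry Robin artifacts).
BENIGN_WSF = """<job id="Cleanup">
  <script language="VBScript">
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.DeleteFile "C:\\Temp\\old.log"
  </script>
</job>"""
SUSPICIOUS_WSF = """<package><job id="x">
  <script language="JScript" src="http://example.invalid/a.js"></script>
  <script language="JScript">
    var a="\\x77\\x73\\x63\\x72\\x69\\x70\\x74";eval(unescape("%75%6e"+a));
  </script>
</job></package>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_WSF), ("suspicious", SUSPICIOUS_WSF)):
        print(name, triage_wsf(doc))
```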
Sophisticated foe used to deliver malware
Raspberry Robin is known for its heavy obfuscation and anti-analysis techniques to bypass detection, fool sandboxes, and slow down even the most seasoned security teams so that they fail to detect the breach in time. Following the primary infection, the malware communicates remotely with its command and control servers over the Tor internet browser in order to execute additional payloads, acting as a foothold for threat actors to deliver other malicious files. According to HP, Raspberry Robin is now used to deliver malware such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and Truebot.
A precursor for full-blown ransomware attacks
According to HP, it is now also being deployed by attackers as a precursor to full-blown ransomware attacks: the target organization’s most sensitive data is encrypted and withheld, and sometimes sold off piecemeal to the highest bidders, until a hefty ransom is paid in untraceable cryptocurrency.
“This recent activity represents the latest in a series of shifts in the way Raspberry Robin is distributed. Although best known for spreading through USB drives, threat actors deploying Raspberry Robin have been using different infection vectors such as web downloads to achieve their objectives … Countering this malware early on in its infection chain should be a high priority for security teams,” warns HP.