Raspberry Robin Malware Caught Employing A Clever Tactic To Dupe Security Researchers

Cybersecurity analysts classify Raspberry Robin as a computer worm because it spread across systems in a self-replicating manner. This particular worm spreads by copying itself from an infected machine to any attached USB drives, then further infecting any machines that connect to those USB drives in the future. While spreading via USB drives can mean that Raspberry Robin doesn’t proliferate as quickly as worms that spread over the internet or local area network (LAN), this method of transmission makes Raspberry Robin dangerous in other ways. The worm can lie dormant on USB drives for extended periods, then re-infect computers that were cleaned of the malware. USB drive transmission also enables Raspberry Robin to cross air gaps and infect systems with no network access, including offline archives storing valuable information. Such an infection could be disastrous if the worm deploys data-destroying malware such as ransomware.
Researchers have observed Raspberry Robin deploying a variety of different malicious payloads, often as part of multi-stage infection chains that can end in the deployment of ransomware. According to Microsoft, this worm has evolved into one of the largest malware distribution platforms, and threat actors may even be paying the developers of Raspberry Robin to deploy particular payloads on infected machines. Thus, Raspberry Robin has come to play the role of a malware dropper, infecting computers for the purpose of installing additional malware.

However, the malicious code is hidden behind over ten obfuscated layers. At runtime, each layer of the malware works to unpack and decrypt the next layer in sequence. When this process reaches the payload loader, the loader attempts to detect sandboxing and security analytics tools. If such tools are detected, the loader unpacks and loads a fake payload intended to mislead security researchers. This fake payload collects and exfiltrates system information before downloading and installing adware. Security researchers observing this behavior may be tricked into believing that they’ve determined the full extent of the malware’s activity.
However, when the payload loader determines that no sandboxing or security analytics tools are active, it unpacks and loads the real payload, which is significantly more malicious. It abuses user admin permissions to elevate its privileges, evade detection, and establish persistence on the infected system by editing the Windows registry. Further embedded within the real payload is a Tor client, which the malware uses to communicate with command-and-control (C2) servers controlled by the threat actors behind Raspberry Robin. Having established a backdoor to the infected system, the threat actors can then send additional malicious payloads for the malware to install and run.
This new variant of Raspberry Robin goes to show the lengths to which threat actors will go to develop malware that can hide from security researchers and anti-virus software. In order to avoid becoming the next victim of this worm and others like it, individual users and organizations alike should always remain vigilant and be cautious of opening unfamiliar files, even when they may appear harmless upon inspection.