Attack on telecom and government systems by Raspberry Robin Worm


Raspberry Robin has been used in attacks against Latin American, Australian, and European telecommunications companies and government systems since September 2022.

Researchers at Trend Micro said Tuesday that the primary payload is obfuscated with more than ten layers, enabling it to deliver a fake payload when it detects sandboxing and security analytics tools.

Argentinean infections dominate, followed by Australian, Mexican, Croatian, Italian, Brazilian, French, Indian, and Colombian infections.

Multiple threat actors increasingly use Raspberry Robin as an initial access mechanism to deliver ransomware, such as LockBit and Clop, which are associated with an activity cluster tracked by Microsoft as DEV-0856.

The malware is known to install its primary payload via rogue MSI installer files downloaded through infected USB drives. The main payload facilitates post-exploitation through the use of malicious tools.

According to further analysis of Raspberry Robin, the malware used heavy obfuscation to avoid detection, with two payloads embedded in a six-pack payload loader.

The payload loader loads the decoy payload, BrowserAssistant, an adware program to throw off detection.


Only when no sandboxing or analysis tooling is detected is the legitimate payload installed; a custom TOR client embedded within it then connects to a hard-coded .onion address and awaits further commands.

As previously mentioned, the threat actor makes considerable efforts to remain undetected by masquerading as legitimate Windows processes like dllhost.exe, regsvr32.exe, and rundll32.exe.

Further, the malware runs its actual routines in Session 0, a Windows session reserved for non-interactive applications and services.
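The three tells reported above (rogue MSI installs, system binary names running from the wrong place, and proxy-execution binaries living in Session 0 with network activity) translate directly into hunting logic. The script below is an added example, not code from the article or from Trend Micro; it scans constructed Sysmon-style process-creation records whose field names, paths and drive letters are assumptions, and returns the findings per process so they can be reviewed rather than auto-blocked.

```python
"""Hunting heuristics for the Raspberry Robin behaviours described in the article.

Added example, not the article's or Trend Micro's code. The event schema,
sample paths and removable-drive letters below are assumptions.
"""
from dataclasses import dataclass

# Binaries the worm is reported to masquerade as; legitimately they only run
# from the Windows system directories.
MASQUERADED_BINARIES = {"dllhost.exe", "regsvr32.exe", "rundll32.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
REMOVABLE_DRIVES = ("d:\\", "e:\\", "f:\\")  # assumed USB drive letters


@dataclass
class ProcessEvent:
    pid: int
    image: str           # full path of the executable that started
    cmdline: str         # command line as logged
    session_id: int      # Windows session; 0 is reserved for services
    parent_image: str
    outbound_conn: bool  # whether a network connection was later attributed to the pid


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flags_for(ev):
    """Return the list of suspicious traits observed for one process event."""
    findings = []
    name = basename(ev.image)
    cmd = ev.cmdline.lower()

    # 1. msiexec pulling a package from removable media or straight off the network
    if name == "msiexec.exe" and (
        any(d in cmd for d in REMOVABLE_DRIVES) or "http://" in cmd or "https://" in cmd
    ):
        findings.append("msiexec installing package from removable drive or URL")

    # 2. a well-known system binary name running from outside the system directories
    if name in MASQUERADED_BINARIES and not ev.image.lower().startswith(TRUSTED_DIRS):
        findings.append(f"{name} running outside the Windows system directory")

    # 3. a proxy-execution binary in Session 0 that also talks to the network
    if name in MASQUERADED_BINARIES and ev.session_id == 0 and ev.outbound_conn:
        findings.append(f"{name} in Session 0 with outbound connection")

    return findings


def scan(events):
    """Map pid -> findings for every event that triggered at least one heuristic."""
    results = {}
    for ev in events:
        found = flags_for(ev)
        if found:
            results[ev.pid] = found
    return results


# Constructed sample telemetry: one benign record and three that should fire.
SAMPLE_EVENTS = [
    ProcessEvent(100, "C:\\Windows\\System32\\dllhost.exe", "dllhost.exe /Processid:{...}",
                 1, "C:\\Windows\\System32\\svchost.exe", False),
    ProcessEvent(200, "C:\\Windows\\System32\\msiexec.exe", "msiexec /q /i E:\\recovery.msi",
                 1, "C:\\Windows\\System32\\cmd.exe", True),
    ProcessEvent(300, "C:\\Users\\Public\\rundll32.exe", "rundll32.exe stage.dll,Entry",
                 0, "C:\\Windows\\System32\\msiexec.exe", True),
    ProcessEvent(400, "C:\\Windows\\System32\\regsvr32.exe", "regsvr32 /s /n /i:x dropped.dll",
                 0, "C:\\Windows\\System32\\services.exe", True),
]

if __name__ == "__main__":
    for pid, found in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(found))
```

Heuristic 3 will also match some legitimate service-hosted COM surrogates, so it is a triage lead to be joined with the destination of the connection (a TOR port or unknown host) rather than a standalone alert; heuristics 1 and 2 are high-confidence on their own.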

There may be a connection between Raspberry Robin and LockBit ransomware based on similarities between privilege escalation and anti-debugging techniques.

The company asserted that LockBit may also have used specific tools developed by Raspberry Robin, or that Raspberry Robin may have used the affiliate responsible for LockBit’s techniques.

Because the TOR domain has supplied no data so far, the intrusion is a reconnaissance operation. This indicates that the group behind the malware is “testing the waters” to determine the extent of its reach.
