Raspberry Robin Evolves: Malware Now Targets WSF Files
Researchers have uncovered a new large-scale attack utilizing the malicious Raspberry Robin software. Since March 2024, cybercriminals have actively been distributing it through modified Windows Script Files (WSF).
As noted by HP Wolf Security researcher, Patrick Schleifer, Raspberry Robin, also known as the QNAP worm, was primarily spread through removable media like USB drives. However, operators have now begun experimenting with alternative methods.
First identified in September 2021, Raspberry Robin has evolved to facilitate the download of various programs such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot. Furthermore, Raspberry Robin can serve as a preliminary stage for the deployment of ransomware.
The new campaign leverages WSF files, which are hosted across a multitude of domains and subdomains. It remains unclear how cybercriminals are directing users to these links, but spam and fraudulent advertising are likely culprits.
A well-obfuscated WSF downloads the malicious payload from a remote server, conducting a series of checks beforehand to avoid detection.
The malware configures Microsoft Defender Antivirus in such a way that the entire primary disk is added to the exceptions list. Moreover, it ceases execution if it detects that the build number of the Windows operating system is below 17063 (released in December 2017), or if applications from Avast, Avira, Bitdefender, Check Point, ESET, and Kaspersky are found in the list of running processes.
“Like the Raspberry Robin DLL, the script uses a variety of anti-analysis and virtual machine (VM) detection techniques. The final payload is only downloaded and executed when all these evaluation steps indicate that the malware is running on a real end user device, rather than in a sandbox. The scripts are highly obfuscated. At the time of analysis, they were not classified as malicious by any anti-virus scanners on VirusTotal, demonstrating the evasiveness of the malware,” the HP expert remarked.
