silversurfer
Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Forum Veteran
- Aug 17, 2014
- 13,221
- 126,350
- 8,399
The Raspberry Robin malware is now trying its hand at some trickery by dropping a fake payload to confuse researchers and evade detection when it detects it's being run within sandboxes and debugging tools.
This new tactic was discovered by Trend Micro researchers who observed Raspberry Robin in recent attacks against telecommunication service providers and government systems.
Raspberry Robin is a worm-like malware dropper that sells initial access to compromised networks to ransomware gangs and malware operators. It has been previously associated with FIN11 and the Clop gang, as well as Bumblebee, IcedID, and TrueBot payload distribution.
The malware reaches targeted systems via malicious USB drives that infect the device with malware when inserted and included .LNK file is double-clicked.
When the shortcut is executed, it abuses the legitimate 'MSIExec.exe' Windows executable to download a malicious MSI installer that installs the Raspberry Robin payloads
.png "Typical Raspberry Robin infection chain")
Typical Raspberry Robin infection chain (Trend Micro)
Raspberry Robin worm drops fake malware to confuse researchers
The Raspberry Robin malware is now trying its hand at some trickery by dropping a fake payload to confuse researchers and evade detection when it detects it's being run within sandboxes and debugging tools.
Raspberry Robin Malware Targets Telecom, Governments
We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security...
