
The Raspberry Robin malware is now trying its hand at some trickery by dropping a fake payload to confuse researchers and evade detection when it detects it’s being run within sandboxes and debugging tools.

This new tactic was discovered by Trend Micro researchers who observed Raspberry Robin in recent attacks against telecommunication service providers and government systems.

Raspberry Robin is a worm-like malware dropper that sells initial access to compromised networks to ransomware gangs and malware operators. It has been previously associated with FIN11 and the Clop gang, as well as Bumblebee, IcedID, and TrueBot payload distribution.

The malware reaches targeted systems via malicious USB drives that infect the device when the drive is inserted and the included .LNK file is double-clicked.

When the shortcut is executed, it abuses the legitimate ‘MSIExec.exe’ Windows executable to download a malicious MSI installer that installs the Raspberry Robin payloads.

Typical Raspberry Robin infection chain (Trend Micro)

Double trouble

The malware is heavily obfuscated to hide its code from antivirus programs and security researchers, featuring multiple layers containing hard-coded values for decrypting the next one.

However, to make it even harder for security researchers to analyze the malware, Raspberry Robin has begun to drop two different payloads depending on how it is being run on a device.

If the malware detects it is running inside a sandbox, indicating it is likely being analyzed, the loader drops a fake payload. Otherwise, it will launch the actual Raspberry Robin malware.

Packing layers diagram (Trend Micro)

This fake payload features two additional layers, a shellcode with an embedded PE file and a PE file with the MZ header and PE signature removed.

Upon execution, it attempts to read the Windows registry to find infection markers and then proceeds to gather basic system information.

Next, the fake payload attempts to download and execute an adware named ‘BrowserAssistant,’ to trick the analyst into believing this was the final payload.

On valid systems, though, the actual Raspberry Robin malware payload is loaded, which features an embedded custom Tor client for internal communication.

Even with the payload trickery, the actual payload is packed with ten layers of obfuscation, making it substantially harder to analyze.

Upon launch, it checks whether the user is an administrator, and if not, it uses the ‘ucmDccwCOMMethod’ technique from UACMe to gain administrative privileges.

The malware also modifies the registry for persistence between reboots, using two different methods for each case (admin or not).

Registry modifications (Trend Micro)

“After dropping a copy of itself, it executes the dropped copy as Administrator using a UAC (User Account Control) bypass technique,” Trend Micro explains about the privilege escalation process.

“It implements a variation of the technique ucmDccwCOMMethod in UACMe, thereby abusing the built-in Windows AutoElevate backdoor.”

Once ready, the malware attempts to connect to the hard-coded Tor addresses and establishes an information exchange channel with its operators.

The Tor client process uses names that mimic standard Windows system files like ‘dllhost.exe,’ ‘regsvr32.exe,’ and ‘rundll32.exe.’

Notably, the main routine runs in Session 0, a specialized Windows session reserved exclusively for services and applications that don’t need or shouldn’t have any user interaction.
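The process-name masquerading described above is something a defender can hunt for: a genuine ‘dllhost.exe’, ‘regsvr32.exe’ or ‘rundll32.exe’ lives in System32 or SysWOW64, so the same file name launched from anywhere else deserves a look. The following is an added example (not code from the article or from Trend Micro) that runs this check over a constructed set of process-creation events in a hypothetical `pid|session|image_path` format, and notes which hits ran in Session 0.

```python
from pathlib import PureWindowsPath

# Process names the Raspberry Robin Tor client is reported to mimic (from the article).
MIMICKED_NAMES = {"dllhost.exe", "regsvr32.exe", "rundll32.exe"}

# Directories where the genuine binaries live; anything else is a masquerade candidate.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample events in "pid|session|image_path" form (not real telemetry).
SAMPLE_EVENTS = """\
1204|0|C:\\Windows\\System32\\dllhost.exe
2288|1|C:\\Windows\\SysWOW64\\rundll32.exe
3316|0|C:\\Users\\Public\\dllhost.exe
4012|1|C:\\ProgramData\\svc\\regsvr32.exe
5120|1|C:\\Windows\\System32\\notepad.exe
"""


def parse_event(line):
    """Split one hypothetical 'pid|session|image_path' record into its fields."""
    pid, session, image = line.rstrip("\n").split("|", 2)
    return {"pid": int(pid), "session": int(session), "image": image}


def is_masquerade(image):
    """True when the file name matches a mimicked system binary but the
    directory is not one of the legitimate locations (case-insensitive)."""
    p = PureWindowsPath(image)
    if p.name.lower() not in MIMICKED_NAMES:
        return False
    return str(p.parent).lower() not in LEGIT_DIRS


def find_suspects(text):
    """Return (pid, image, session) for every event flagged as a masquerade."""
    suspects = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_masquerade(ev["image"]):
            suspects.append((ev["pid"], ev["image"], ev["session"]))
    return suspects


if __name__ == "__main__":
    for pid, image, session in find_suspects(SAMPLE_EVENTS):
        note = " (Session 0)" if session == 0 else ""
        print(f"pid {pid}: {image}{note}")
```

The path check alone is the signal; the Session 0 note is only context, since legitimate services run there too.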

As part of its infection process, Raspberry Robin will also copy itself to any attached USB drives to infect further systems.

LockBit ransomware shares similarities

Trend Micro’s analysts comment that the recent additions in Raspberry Robin’s TTPs (tactics, techniques, and procedures) bear similarities to LockBit, so the two projects might have a connection.

The two main similarities are using the ICM calibration technique for privilege escalation and the ‘ThreadHideFromDebugger’ tool for anti-debugging.

Although these findings are notable, they don’t constitute proof of a connection between the two, yet they may serve as yardsticks in future research.

In conclusion, Trend Micro says the current Raspberry Robin campaign is more of a reconnaissance effort to evaluate the effectiveness of the new mechanisms rather than the initial step in actual attacks.

Source: www.bleepingcomputer.com