Summary:
Raspberry Robin is a heavily obfuscated downloader, first observed in 2021, that spreads mainly through infected USB devices. It wraps its payload in several layers of binary obfuscation and anti-analysis checks, drops a decoy when it detects an analysis environment, escalates privileges with local exploits and UAC bypasses, and reaches its command-and-control (C2) servers over Tor. This analysis walks through its execution layers, obfuscation methods and network communication, with attention to how it evades detection and propagates across networks.
Keypoints:
- Raspberry Robin spreads mainly through infected USB devices.
- It uses unusual binary obfuscation techniques combined with anti-analysis checks.
- When it detects an analysis environment, it runs a decoy payload instead of the real one.
- Raspberry Robin communicates with its command-and-control (C2) servers over the Tor network.
- It can spread laterally across a network and carries local privilege escalation exploits.
- The sample is built from multiple execution layers, each adding its own obfuscation and anti-analysis tricks, so unpacking one layer only exposes the next.
- Raspberry Robin abuses the legitimate remote-execution tools PsExec and PAExec for network propagation.
- It modifies registry keys for persistence and uses several UAC bypass methods.
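Both remote-execution tools named above leave a recognisable trace on the target host: PsExec installs a service called PSEXESVC (unless the operator renames it with -r) and PAExec installs one named PAExec-<pid>-<source host>, and each shows up as Event ID 7045 ("A service was installed in the system") in the System log. The following is an added detection example, not code from the Zscaler research or from the malware; the 7045 records are constructed sample data, and the "binary dropped directly into %SystemRoot%" rule is a heuristic of ours that catches the renamed case at the cost of some false positives.

```python
"""Flag PsExec / PAExec service installations in Windows System log records.

Added example, not from the original research. Input records mirror the
EventData fields of Event ID 7045 (Computer, ServiceName, ImagePath,
AccountName); the SAMPLE_7045 list below is constructed sample data.
"""
import re
from typing import Dict, List, Optional

# PsExec's default service/binary name, and PAExec's "PAExec-<pid>-<host>" pattern.
PSEXEC = re.compile(r"^PSEXESVC(\.exe)?$", re.IGNORECASE)
PAEXEC = re.compile(r"^PAExec-\d+-[\w.-]+(\.exe)?$", re.IGNORECASE)
# Directory part of an ImagePath that points at the Windows root itself.
SYSTEMROOT_ROOT = re.compile(r"^(%SystemRoot%|%windir%|[A-Za-z]:\\Windows)$", re.IGNORECASE)

# Constructed sample 7045 records (not real telemetry).
SAMPLE_7045: List[Dict[str, str]] = [
    {"Computer": "FILESRV01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"Computer": "WKSTN-22", "ServiceName": "PAExec-4812-ADMIN-PC",
     "ImagePath": r"%SystemRoot%\PAExec-4812-ADMIN-PC.exe", "AccountName": "LocalSystem"},
    # PsExec run with -r svchlpr: name-based rules miss it, the heuristic does not.
    {"Computer": "WKSTN-23", "ServiceName": "svchlpr",
     "ImagePath": r"%SystemRoot%\svchlpr.exe", "AccountName": "LocalSystem"},
    # Benign vendor service installed under Program Files: should not fire.
    {"Computer": "WKSTN-24", "ServiceName": "Dell Client Management Service",
     "ImagePath": r"C:\Program Files\Dell\DCM\service.exe", "AccountName": "LocalSystem"},
]


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a verdict string for one 7045 record, or None if it looks benign."""
    name = rec["ServiceName"]
    directory, _, basename = rec["ImagePath"].strip().strip('"').rpartition("\\")
    if PSEXEC.match(name) or PSEXEC.match(basename):
        return "psexec"
    if PAEXEC.match(name) or PAEXEC.match(basename):
        return "paexec"
    # Heuristic (ours): both tools drop their service binary straight into
    # %SystemRoot% and run it as LocalSystem; legitimate installers rarely do.
    if SYSTEMROOT_ROOT.match(directory) and rec.get("AccountName", "").lower() == "localsystem":
        return "suspicious_systemroot_service"
    return None


def detect(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over a batch of 7045 records and return the hits in order."""
    hits = []
    for rec in records:
        verdict = classify(rec)
        if verdict:
            hits.append({"host": rec["Computer"], "service": rec["ServiceName"], "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_7045):
        print(hit)
```

In practice the same logic is applied to Sysmon or Security log 4697 events as well, and a hit on a workstation that never legitimately receives remote administration is the one worth paging on.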
MITRE Techniques:
- Initial Access / Lateral Movement (T1091, Replication Through Removable Media): spreads via infected USB devices.
- Command and Control (T1090.003, Proxy: Multi-hop Proxy; commonly also tagged T1071): reaches its C2 servers over the Tor network.
- Execution / Lateral Movement (T1569.002, System Services: Service Execution; T1021.002, SMB/Windows Admin Shares): runs payloads on remote hosts with PsExec and PAExec, which copy a service binary over the admin shares and start it as a service.
- Persistence (T1547.001, Registry Run Keys / Startup Folder): modifies registry keys so the payload runs again on compromised hosts.
- Privilege Escalation (T1068, Exploitation for Privilege Escalation; T1548.002, Bypass User Account Control): uses local privilege escalation exploits and UAC bypass methods.
- Defense Evasion (T1027, Obfuscated Files or Information; T1497, Virtualization/Sandbox Evasion): employs layered obfuscation and swaps in a decoy payload when it detects an analysis environment.
- Discovery (T1135, Network Share Discovery; T1083, File and Directory Discovery): enumerates network drives and user directories to find propagation targets.
- Credential Access (T1003, OS Credential Dumping): mapped in the research, but no specific credential store or dumping method is described in the summary above.
IoCs (Tor onion services used for C2):
- [domain] 2pxsdtxngssu3vqqujdfgu4bsmlkp3d2ytctawznlhhez6tq57wzpzqd.onion
- [domain] 3bh22ezbxub3dopbqja7jjymdussvwgl3eu4xzlsdyagtnhzxy3tr3id.onion
- [domain] 3zs4zdszo3lesutdbuenzvlspuh6wljj6eyntv73dxxig3bk2wcskrad.onion
- [domain] 4jtsmu3u4yrbehjf4rzfwsswhpc7ohs4nrfnlfu3xebteeaf4uv3okyd.onion
- [domain] 4rnzfvzybry65auecpi3n67c6ynuunvs77qpk45svyhhsj6oisibk3qd.onion
- [domain] 5bqxmurmtkqlzis65uu22aspcuhivb6vpzpcpma5wfl5ngz2ha6oxzqd.onion
- [domain] 64iahnunyhf6ph6qvakjp22a3j6wlvl4sdmbh6elwri6up5gpnm7xkyd.onion
- [domain] 6agzykvu3rjnwpdnky777ffxb5dj4fiemftho4tsoeakp2xa542pj7id.onion
- [domain] 6kykjg6h7sjqru5puc57mb2nhd2bwhtewdswnsg4rlr3rw6t4iqrpgyd.onion
- [domain] 6praos6qyi3b5kcurfqe4kyh5ihu4k3z6mjbggkixnfyhbpomy5szoad.onion
- [domain] 6s75xlg3auzdnccos4re4hrmcxyg6fivxsqm3cldv2gowl2engljtqyd.onion
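Before these indicators go into a blocklist it is worth sanity-checking them: a Tor v3 onion address is base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion", with CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] and VERSION = 3, so a truncated or mistyped entry fails to decode or fails its checksum. The following is an added example, not code from the Zscaler research, that validates the list above and then hunts for the same names in DNS and proxy logs; the log lines and the non-IoC .onion name in them are constructed sample data, and the field layout (qname=, host=) is an assumption about the log source.

```python
"""Validate the .onion IoCs listed above and hunt for them in DNS / proxy logs.

Added example, not from the original research. ONION_IOCS is the list from this
page; SAMPLE_LOGS is constructed data in an assumed key=value log format.
"""
import base64
import hashlib
import re
from typing import Dict, List

ONION_IOCS = [
    "2pxsdtxngssu3vqqujdfgu4bsmlkp3d2ytctawznlhhez6tq57wzpzqd.onion",
    "3bh22ezbxub3dopbqja7jjymdussvwgl3eu4xzlsdyagtnhzxy3tr3id.onion",
    "3zs4zdszo3lesutdbuenzvlspuh6wljj6eyntv73dxxig3bk2wcskrad.onion",
    "4jtsmu3u4yrbehjf4rzfwsswhpc7ohs4nrfnlfu3xebteeaf4uv3okyd.onion",
    "4rnzfvzybry65auecpi3n67c6ynuunvs77qpk45svyhhsj6oisibk3qd.onion",
    "5bqxmurmtkqlzis65uu22aspcuhivb6vpzpcpma5wfl5ngz2ha6oxzqd.onion",
    "64iahnunyhf6ph6qvakjp22a3j6wlvl4sdmbh6elwri6up5gpnm7xkyd.onion",
    "6agzykvu3rjnwpdnky777ffxb5dj4fiemftho4tsoeakp2xa542pj7id.onion",
    "6kykjg6h7sjqru5puc57mb2nhd2bwhtewdswnsg4rlr3rw6t4iqrpgyd.onion",
    "6praos6qyi3b5kcurfqe4kyh5ihu4k3z6mjbggkixnfyhbpomy5szoad.onion",
    "6s75xlg3auzdnccos4re4hrmcxyg6fivxsqm3cldv2gowl2engljtqyd.onion",
]

# v3 onion label: exactly 56 base32 characters (a-z, 2-7) followed by .onion.
ONION_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b", re.IGNORECASE)

# Constructed sample log lines (not real telemetry). The last .onion name is a
# syntactically valid label that is not in the IoC list.
SAMPLE_LOGS = [
    "2024-03-11T09:14:02Z dns client=10.20.4.17 qname=2pxsdtxngssu3vqqujdfgu4bsmlkp3d2ytctawznlhhez6tq57wzpzqd.onion qtype=A rcode=NXDOMAIN",
    "2024-03-11T09:14:03Z proxy src=10.20.4.17 method=CONNECT host=6kykjg6h7sjqru5puc57mb2nhd2bwhtewdswnsg4rlr3rw6t4iqrpgyd.onion:443 action=BLOCK",
    "2024-03-11T09:15:40Z dns client=10.20.4.88 qname=www.example.com qtype=A rcode=NOERROR",
    "2024-03-11T09:16:01Z dns client=10.20.4.17 qname=abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion qtype=A rcode=NXDOMAIN",
]


def validate_onion_v3(address: str) -> Dict[str, object]:
    """Decode a v3 onion address and check length, version byte and checksum."""
    addr = address.strip().lower()
    if not addr.endswith(".onion"):
        return {"address": address, "valid": False, "reason": "not a .onion name"}
    label = addr[: -len(".onion")]
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        return {"address": address, "valid": False, "reason": "label is not 56 base32 chars"}
    raw = base64.b32decode(label, casefold=True)          # 56 chars -> 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    checksum_ok = checksum == expected
    return {
        "address": address,
        "valid": version == 3 and checksum_ok,
        "version": version,
        "checksum_ok": checksum_ok,
        "reason": "" if (version == 3 and checksum_ok) else "bad version or checksum",
    }


def hunt(lines: List[str], iocs: List[str]) -> List[Dict[str, str]]:
    """Return every .onion name seen in the logs, tagged as a known IoC or an unknown onion."""
    known = {i.lower() for i in iocs}
    hits = []
    for line in lines:
        for match in ONION_RE.finditer(line):
            name = match.group(0).lower()
            severity = "ioc_match" if name in known else "unknown_onion"
            hits.append({"onion": name, "severity": severity, "line": line})
    return hits


if __name__ == "__main__":
    for result in (validate_onion_v3(a) for a in ONION_IOCS):
        print(result["address"], "OK" if result["valid"] else result["reason"])
    for hit in hunt(SAMPLE_LOGS, ONION_IOCS):
        print(hit["severity"], hit["onion"])
```

Two caveats for the hunt: a correctly tunnelled Tor client never exposes .onion names to the corporate resolver or proxy (name resolution happens inside the Tor circuit), so a hit in these logs means a leak or a Tor-unaware stub and the check is high-precision but low-recall; and any unknown_onion hit from a host that should not be using Tor deserves the same attention as an IoC match, since onion C2 addresses rotate.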
Full Research: https://www.zscaler.com/blogs/security-research/unraveling-raspberry-robin-s-layers-analyzing-obfuscation-techniques-and