TLDR:
- New Raspberry Robin malware campaign spreading through WSF files since March 2024.
- Morphing malware uses various payloads such as Cobalt Strike and IcedID.
Cybersecurity researchers have identified a new wave of the Raspberry Robin malware campaign that utilizes malicious Windows Script Files (WSFs) as its propagation method. Originally discovered in September 2021, Raspberry Robin, also known as the QNAP worm, has evolved to serve as a downloader for multiple payloads, including SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and even as a precursor for ransomware attacks.
The malware, previously distributed through USB devices containing LNK files, has now shifted to using WSF files for its distribution. These files, offered for download via various domains and subdomains, are heavily obfuscated and utilize anti-analysis techniques to evade detection.
Raspberry Robin’s latest distribution method involves using the WSF file as a downloader to retrieve the main DLL payload from a remote server. The malware conducts anti-virtual machine checks and terminates execution if certain criteria, such as the Windows operating system build number and the presence of specific antivirus processes, are met.
Furthermore, the malware configures Microsoft Defender Antivirus exclusion rules to avoid detection, adding the entire main drive to the exclusion list. Meanwhile, antivirus scanners on VirusTotal have not yet classified the scripts as malicious, which highlights the risk of serious infection posed by Raspberry Robin.
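The Defender exclusion change described above is a configuration artifact a defender can audit on an endpoint. The PowerShell below is an added example, not part of the original article or of any Raspberry Robin report: it uses the real Get-MpPreference and Get-WinEvent cmdlets to flag drive-root and user-profile path exclusions and to list recent Defender configuration-change events (event ID 5007 in the Defender operational log). The function names, the regex heuristics and the output shape are this example's own assumptions, and it needs an elevated session on a Windows host with Defender present.

```powershell
# Added example (not from the article): audit Microsoft Defender exclusions for
# drive-root entries and list recent configuration-change events.
# Function names and heuristics are assumptions of this example.

function Get-SuspiciousDefenderExclusions {
    # Get-MpPreference exposes the current Defender configuration; ExclusionPath
    # holds path exclusions, ExclusionProcess holds process exclusions.
    $prefs = Get-MpPreference
    $findings = @()

    foreach ($path in @($prefs.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        # A whole drive root ("C:" or "C:\") excluded from scanning disables
        # real-time protection for everything on that volume.
        if ($path -match '^[A-Za-z]:\\?$') {
            $findings += [pscustomobject]@{
                Type   = 'DriveRootExclusion'
                Value  = $path
                Reason = 'Entire volume excluded from Defender scanning'
            }
        }
        # Exclusions covering user-writable directories are also worth review,
        # since that is where downloaded scripts typically land.
        elseif ($path -match '^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)') {
            $findings += [pscustomobject]@{
                Type   = 'UserProfileExclusion'
                Value  = $path
                Reason = 'Exclusion covers a user-writable directory'
            }
        }
    }

    # Report every process exclusion as-is; each one should be justified.
    foreach ($proc in @($prefs.ExclusionProcess)) {
        if (-not [string]::IsNullOrWhiteSpace($proc)) {
            $findings += [pscustomobject]@{
                Type   = 'ProcessExclusion'
                Value  = $proc
                Reason = 'Process exempt from scanning; verify it is expected'
            }
        }
    }
    return $findings
}

function Get-RecentDefenderConfigChanges {
    param([int]$Days = 7)
    # Event ID 5007 records Defender configuration changes, including exclusions
    # being added or removed. The message body carries "Old value" / "New value"
    # lines naming the changed setting, so keep only the exclusion-related ones.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = $since
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match 'Exclusions' } |
      Select-Object TimeCreated, Id,
          @{ n = 'NewValue'; e = { (($_.Message -split "`r?`n") | Where-Object { $_ -match 'New value' }) -join ' ' } }
}

# Usage: run in an elevated PowerShell session.
Get-SuspiciousDefenderExclusions | Format-Table -AutoSize
Get-RecentDefenderConfigChanges -Days 30 | Format-Table -AutoSize -Wrap
```

The first function reads the live configuration, so it catches an exclusion regardless of how it was added; the second reads the event log, so it also shows exclusions that were added and later removed, together with when the change happened. Running both on a schedule, or forwarding 5007 events to a SIEM, gives a low-noise signal for this kind of defense-evasion step.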
Attributed to an emerging threat cluster known as Storm-0856 by Microsoft, Raspberry Robin has links to cybercrime groups like Evil Corp, Silence, and TA505. The malware’s ability to morph and adapt its distribution methods underscores the importance of vigilance and up-to-date cybersecurity measures in protecting against evolving threats.