Cybersecurity researchers have discovered a new wave of Raspberry Robin campaigns propagating malware through malicious Windows Script Files (WSF) since March 2024.
“Historically, Raspberry Robin was known to spread through removable media such as USB drives, but over time its distributors have experimented with other initial infection vectors,” said Patrick Schläpfer, a researcher at HP Wolf Security, in a report shared with The Hacker News.
Raspberry Robin, also called QNAP worm, was first spotted in September 2021 and has since evolved into a downloader for various other payloads in recent years, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and also acts as a precursor for ransomware.
Although the malware was initially distributed via USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since adopted other methods such as social engineering and malvertising.
It is attributed to an emerging threat cluster monitored by Microsoft as Storm-0856, which has links to the broader cybercrime ecosystem that includes groups such as Evil Corp, Silence and TA505.
The latest distribution vector involves the use of WSF files offered for download via various domains and subdomains.
It is currently unclear how attackers direct victims to these URLs, although it is suspected that this could be done via spam campaigns or malvertising.
The heavily obfuscated WSF file works as a downloader that fetches the main DLL payload from a remote server using the curl command, but only after running a series of anti-analysis and anti-virtual-machine checks to determine whether the host is a sandbox or a virtualized environment.
It is also designed to terminate execution if the Windows OS build number is lower than 17063 (released December 2017) and if the list of running processes includes antivirus processes associated with Avast, Avira, Bitdefender, Check Point, ESET and Kaspersky.
Additionally, it configures Microsoft Defender Antivirus exclusion rules in an attempt to evade detection by adding the entire primary drive to the exclusion list and preventing it from being scanned.
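The whole-drive Defender exclusion described above is a noisy, high-value detection opportunity for defenders. The following Python script is an added example, not code from HP's report or from the malware: it scans constructed log lines modelled on Microsoft Defender event 5007 (configuration changed) and raises a high-severity alert when a newly added path exclusion covers an entire volume, as opposed to a single file or folder. The event text format is an assumption made for the example; the exact wording on a real host may differ.

```python
import re
from dataclasses import dataclass

# Constructed lines modelled on Defender event 5007 ("Configuration has
# changed") text; the exact wording on a real host may differ.
SAMPLE_EVENTS = [
    r"5007 Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0",
    r"5007 Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Vendor\agent.exe = 0x0",
    r"5007 Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = 0x5",
    r"5007 Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\* = 0x0",
]

# A path exclusion being added shows up as an Exclusions\Paths\<path> value.
EXCLUSION_RE = re.compile(r"Exclusions\\Paths\\(?P<path>.+?)\s*=\s*0x0", re.IGNORECASE)
# Bare drive letter, drive root, or drive root plus wildcard: the whole volume.
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:(?:\\\*?)?$")


@dataclass
class ExclusionAlert:
    path: str
    severity: str  # "high" for a whole-drive exclusion, "info" otherwise


def exclusion_path(line: str):
    """Return the excluded path from an event line, or None if it is not a path exclusion."""
    m = EXCLUSION_RE.search(line)
    return m.group("path").strip() if m else None


def is_drive_root(path: str) -> bool:
    """True when the exclusion covers an entire volume (e.g. C:\\ or D:\\*)."""
    return DRIVE_ROOT_RE.match(path.strip()) is not None


def scan(lines):
    """Turn event lines into alerts; whole-drive exclusions are high severity."""
    alerts = []
    for line in lines:
        path = exclusion_path(line)
        if path is None:
            continue
        alerts.append(ExclusionAlert(path, "high" if is_drive_root(path) else "info"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] Defender path exclusion added: {alert.path}")
```

On a real endpoint the same logic would be fed from the Microsoft-Windows-Windows Defender/Operational channel or from the EDR's copy of it, and any "high" alert warrants an immediate look at the process that changed the preference.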
“The scripts themselves are not currently classified as malicious by any anti-virus scanner on VirusTotal, demonstrating the evasiveness of the malware and the risk of it causing a serious infection with Raspberry Robin,” HP said.
“The WSF downloader is heavily obfuscated and uses many analysis techniques that allow the malware to evade detection and slow down analysis.”