This stealthy new malware can apparently bypass all antivirus scanners

Cybersecurity researchers have found a new version of the infamous Raspberry Robin malware, and it’s apparently very good at evading antivirus programs and other endpoint protection solutions.

Researchers from HP Wolf Security published a new report claiming to have observed a new Raspberry Robin campaign in March 2024, The Hacker News reports.

In this campaign, the attackers host a malicious, heavily obfuscated WSF (Windows Script File) on various domains and subdomains. They then trick victims into navigating to these URLs through unknown means (most likely social engineering, phishing, or malvertising).

Hide behind antivirus

When the WSF file is executed, it retrieves the main DLL, a payload that can be anything from SocGholish, Cobalt Strike, IcedID, BumbleBee and TrueBot malware to ransomware, the publication said.

What makes this version of Raspberry Robin stand out, however, is the way it works around antivirus programs. Before downloading the main payload, it performs a series of anti-analysis and anti-virtual-machine checks to determine the type of environment in which it is running.

Additionally, it will not run on Windows older than December 2017, or if the list of running processes includes Avast, Avira, Bitdefender, Check Point, ESET, or Kaspersky. Finally, it can configure Microsoft Defender Antivirus exclusion rules to ensure it is not picked up by the scanner.
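The Defender exclusion behaviour described above leaves a trace defenders can watch for: Microsoft Defender logs Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log whenever its configuration changes, and exclusion changes appear there as registry paths under `Windows Defender\Exclusions\`. The following Python routine is an added example (not from the article or from HP's report) that flags exclusion additions and removals in exported 5007 events; the sample events are constructed and their wording approximates the real message format.

```python
import re

# Registry key that Defender writes into the "Old value"/"New value" lines of an
# Event ID 5007 message when an exclusion changes (kinds: Paths, Extensions, Processes).
EXCLUSION_RE = re.compile(
    r"Windows Defender\\Exclusions\\(?P<kind>Paths|Extensions|Processes)\\"
    r"(?P<value>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)

# Constructed sample events mimicking the Defender Operational log (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 5007, "message": (
        "Windows Defender Antivirus Configuration has changed.\n"
        "Old value: \n"
        "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\Downloads = 0x0")},
    {"event_id": 5007, "message": (  # unrelated setting change: must not alert
        "Windows Defender Antivirus Configuration has changed.\n"
        "Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\DisableScanningNetworkFiles = 0x0\n"
        "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\DisableScanningNetworkFiles = 0x1")},
    {"event_id": 1116, "message": "Windows Defender Antivirus has detected malware or other potentially unwanted software."},
    {"event_id": 5007, "message": (  # exclusion removed: only "Old value" is populated
        "Windows Defender Antivirus Configuration has changed.\n"
        "Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.wsf = 0x0\n"
        "New value: ")},
]

def parse_exclusion_change(message):
    """Return (kind, value, action) if a 5007 message adds or removes an exclusion, else None."""
    fields = {"old": "", "new": ""}
    for line in message.splitlines():
        key, sep, rest = line.partition(":")  # first colon separates the label from the value
        if sep and key.strip().lower() in ("old value", "new value"):
            fields[key.strip().lower().split()[0]] = rest.strip()
    # A populated "New value" means an exclusion was added; only "Old value" means it was removed.
    for text, action in ((fields["new"], "added"), (fields["old"], "removed")):
        m = EXCLUSION_RE.search(text)
        if m:
            return (m.group("kind"), m.group("value"), action)
    return None

def find_exclusion_changes(events):
    """Filter {'event_id', 'message'} dicts down to Defender exclusion changes."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 5007:
            continue
        parsed = parse_exclusion_change(ev["message"])
        if parsed:
            kind, value, action = parsed
            hits.append({"kind": kind, "value": value, "action": action})
    return hits

if __name__ == "__main__":
    for hit in find_exclusion_changes(SAMPLE_EVENTS):
        print(f"ALERT: Defender {hit['kind']} exclusion {hit['action']}: {hit['value']}")
```

On a live host the same check can be fed from `Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational"` filtered to ID 5007, and any exclusion that was not deployed by policy deserves a closer look.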

“The scripts themselves are not currently classified as malicious by any virus scanner on VirusTotal, demonstrating the malware’s evasibility and its risk of causing a serious infection with Raspberry Robin,” HP said. “The WSF downloader is heavily obfuscated and uses many analysis techniques that allow the malware to evade detection and slow down the analysis.”

Raspberry Robin was first discovered in September 2021 and is also known as the QNAP worm. Initially, it was distributed via malicious USB devices containing a .LNK file pointing to the payload hosted on an affected QNAP device.
