Raspberry Robin: A global USB malware campaign providing access to ransomware operators
In fact, the list of blogs I do recommend to read to catch up on this threat are as follows:
What's so special about RaspberryRobin?
"What should I care? It's just another USB malware right?" Wrong... it leads to ransomware.
This USB malware is not like your usual VBS self-copying low grade stuff, it is more like the BadUSB campaigns from a few years ago that was reportedly linked to FIN7 and led to BlackMatter or REvil ransomare. Microsoft's report on Raspberry Robin was the first to reveal that RaspberryRobin is also leading to multiple other top-tier malware loaders such as SocGholish, IcedID, Bumblebee, and Truebot, which are all well-known ransomware precursor families.
Raspberry Robin has shown itself to be an emerging player in the big game hunting ransomware ecosystem. USB malware has proven to be an old, yet still effective method to establish an initial foothold inside target environments.
But how does it spread?
Details about how the Raspberry Robin malware actually gets on to the USBs are a little hazy, but the malware has virally spread. In October 2022, Microsoft reported "that nearly 3,000 devices in almost 1,000 organizations" saw "at least one Raspberry Robin payload-related alert in the last 30 days."
In September 2022, Deutsche Telekom CERT tweeted about how they observed the malware in Hungary, Germany, Russia, and India. All these Raspberry Robin cases involved a user clicking on a malicious shortcut (LNK) file when the USB was plugged in. Most interestingly, Deutsche Telekom CERT found that all the affected users reported to "have used the USB stick for printing in print/copy stores". This was a fairly strong indication that something has happened to these printers at the print/copy stores that ended up with them potentially being one of the main sources of USB infecting malware, at different countries around the world.
We got some further clarification from Microsoft, when they identified a previously undisclosed .NET spreader DLL that was responsible for creating the Raspberry Robin LNK files on external USB drives. This .NET spreader DLL was also distributed by another related and previously undisclosed malware family dubbed Fauppod.
Microsoft, however, did not mention the usage of printers or print/copy stores to aid distribution of the USB malware. Others in the CTI community though, particularly those in CuratedIntel, did share with me that they also observed printers being the source of infected USBs as well, which is in line with Deutsche Telekom CERT's findings. Some researchers speculate that the Raspberry Robin operators may have targeted vulnerable printers exposed on the Internet (as there's not shortage of those) or perhaps there was some unreported supply chain attack. The full extent of how these printers are getting infected and spreading the Raspberry Robin LNK files is still yet to be revealed.
Detection Opportunities: Infection Chain
The full infection chain of Raspberry Robin has been explained well many vendors over the last year and it has not changed much since it first emerged. The reports mentioned above, particularly by Cisco and Cybereason, as well as the original RedCanary blog, are all worth making notes from to detect and stop this threat.
From reading all these reports, I found that the most simple way to detect Raspberry Robin using Splunk SPL log searching rules specifically was the following:
- 1) FileName=cmd.exe AND LinkName IN ("*D:\\USB*", ".lnk")
- 2) CommandLine=msiexec AND CommandLine=*:8080*
Detection Opportunities: The Botnet
The C2 network is made up of compromised Internet-of-Things (IoT) devices, namely network attached storage (NAS) systems with hijacked DNS settings. The majority of Raspberry Robin C2 servers are QNAP or Acrobox systems exposed to the internet. The image below is a common sight when you're investigating Raspberry Robin. These are some IOCs I came across earlier in April 2023 and also tweeted.
Indicators of Compromise
For my threat research with the Equinix Threat Analysis Center (ETAC), I did my own investigation into Raspberry Robin USB malware submissions to VirusTotal using the YARA Live Hunt feature. I created a simple YARA rule (available below via a GitHub Gist) using all the C2 domains I could find related to Raspberry Robin, which was around 270. Then any time a user submitted a sample to VirusTotal with any of the C2 domains embedded, I would get an email alert. Doing this all through April 2023, it uncovered all the samples of Raspberry Robin listed on the table below.
By checking the submitter IDs and countries where the samples were uploaded from, I could then create the map that is the title image of this blog. In less than one month, the USB malware was detected around the world, from APAC, to EMEA, to AMER. A truly global malware campaign to keep an eye on.
|First Seen||Indicator - SHA256||FileName||Embedded Domain|
Raspberry Robin C2 Domain YARA Rule