Raspberry Robin Worm Deploys Fake Malware to Evade Detection
The Raspberry Robin malware has adopted a new tactic to avoid detection and confuse cybersecurity experts, especially when running in sandbox environments or when debugging tools are detected. According to Trend Micro specialists, the malware now uses fake payloads to mislead researchers.
Raspberry Robin is a dropper with worm-like capabilities. Its creators sell access to compromised networks to ransomware groups and operators of other malware. Previously, experts linked Raspberry Robin to hacker groups such as FIN11 and Clop, as well as to the distribution of payloads like Bumblebee, IcedID, and TrueBot.
The malware was first discovered by analysts at Red Canary. Earlier this year, it was revealed that Raspberry Robin spreads via USB drives, infecting devices when a user clicks on a .LNK file. The malware has been active since at least September 2021. The cybersecurity company Sekoia also observed that, as early as November of last year, the malware used Qnap NAS devices as command-and-control servers.
It was previously noted that Raspberry Robin is heavily obfuscated to protect its code from antivirus software and researchers, featuring multiple layers with hardcoded values for decrypting the next stage.
Adaptive Payloads and Advanced Evasion Techniques
Trend Micro researchers now report that Raspberry Robin has started using different payloads depending on how it is launched on a device. If the malware detects it is running in a sandbox or is being analyzed, the loader drops a fake payload. If nothing suspicious is detected, the real Raspberry Robin malware is executed.
The fake payload consists of two additional layers: shellcode with an embedded PE file, and a PE file with a removed MZ header and PE signature. After execution, it examines the Windows registry for signs of infection and then collects basic system information.
Next, the fake payload attempts to download and run the adware BrowserAssistant, making researchers believe this is the final payload. In reality, on genuinely infected systems that do not arouse suspicion, the real Raspberry Robin payload is delivered, which includes a customized Tor client for communication. Trend Micro's report emphasizes that even with the use of fake payloads as a decoy, the real payload is still packed with ten layers of obfuscation, making analysis extremely difficult.
Additionally, when launched, the real payload checks if the user has administrator rights. If not, it uses the ucmDccwCOMMethod technique in UACMe to escalate privileges. The malware also modifies the registry to maintain persistence across reboots, using two different methods depending on whether the user has admin rights or not.
Communication and Propagation
After these steps, the malware attempts to connect to hardcoded Tor addresses and establishes a communication channel with its operators. The Tor client process uses names that mimic standard Windows system files, including dllhost.exe, regsvr32.exe, and rundll32.exe.
Notably, the main procedures are executed within Session 0, a specialized session reserved by Windows exclusively for services and applications that do not need to, or should not, interact with the user.
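As an added detection example (not code from the Trend Micro report or from the malware analysis), the PowerShell function below lists running processes that use the three masqueraded names above and flags any whose image is not the signed binary in the Windows system directories; the function name `Get-SystemLookalikeProcess` and the checks it performs are assumptions of this example, not anything the report describes.

```powershell
# Added example: hunt for processes using the Windows system-binary names the
# Raspberry Robin Tor client imitates, and flag any whose image is not the
# signed binary under System32/SysWOW64. SessionId is reported as context because
# legitimate dllhost/rundll32 also run in Session 0, so session alone is no signal.
$LookalikeNames = 'dllhost.exe', 'regsvr32.exe', 'rundll32.exe'
$SystemDirs     = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-SystemLookalikeProcess {
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $LookalikeNames -contains $_.Name } |
        ForEach-Object {
            $path    = $_.ExecutablePath
            $reasons = New-Object System.Collections.Generic.List[string]

            if (-not $path) {
                # Protected process (access denied) or already exited: cannot verify.
                $reasons.Add('image path unavailable; verify manually')
            } else {
                $dir = Split-Path -Path $path -Parent
                if ($SystemDirs -notcontains $dir) {      # -notcontains is case-insensitive
                    $reasons.Add("image outside Windows system directories: $path")
                }
                # Genuine Windows binaries are Microsoft-signed (catalog or embedded);
                # anything other than 'Valid' deserves a closer look.
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    $reasons.Add("signature status $($sig.Status)")
                }
            }

            [pscustomobject]@{
                Name        = $_.Name
                ProcessId   = $_.ProcessId
                SessionId   = $_.SessionId
                Path        = $path
                CommandLine = $_.CommandLine
                Reasons     = $reasons -join '; '
            }
        } |
        Where-Object { $_.Reasons }   # keep only entries with at least one finding
}

# Run from an elevated prompt so ExecutablePath is readable for other users' processes.
Get-SystemLookalikeProcess | Format-Table -AutoSize
```

A hit with an empty `Reasons` column is filtered out, so an empty result means every lookalike process resolved to a validly signed image in a system directory.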
Raspberry Robin also continues to copy itself to any connected USB drives to infect other systems. Researchers believe that the current campaign is more of a reconnaissance operation and an attempt to test the effectiveness of new mechanisms, rather than the initial stage of real attacks.