A new strain of the Raspberry Robin malware has emerged, utilizing malicious Windows Script Files (WSFs) as its propagation method since March 2024. Previously distributed through USB drives, this evolved campaign demonstrates adaptability by exploiting different initial infection vectors. Referred to as QNAP worm, Raspberry Robin has transformed into a downloader for various payloads including ransomware, exhibiting a complex evolution since its first detection in September 2021. Its latest distribution technique involves WSF files, strategically offered for download via various domains and subdomains, indicating a shift towards more sophisticated delivery methods.
Despite initial deployment via USB devices containing LNK files to retrieve payloads from compromised QNAP devices, the malware now employs social engineering and malvertising to ensnare victims. Associated with the Storm-0856 threat cluster tracked by Microsoft, Raspberry Robin has ties to prominent cybercrime groups such as Evil Corp, Silence, and TA505. The WSF files, heavily obfuscated to evade detection, function as downloaders fetching DLL payloads from remote servers, while employing anti-analysis and anti-virtual machine techniques to thwart detection and analysis.
To further evade detection, the malware terminates execution on Windows operating systems with build numbers lower than 17063, and if antivirus processes from major vendors like Avast, Avira, and Kaspersky are detected. Additionally, it manipulates Microsoft Defender Antivirus exclusion rules, adding the entire main drive to the exclusion list to prevent scanning. Despite its sophistication, the WSF downloader remains undetected by antivirus scanners on VirusTotal, highlighting the urgency for heightened cybersecurity measures to combat this evasive threat.
