In October 2022, Microsoft observed Raspberry Robin being used in post-compromise activity attributed to another actor, DEV-0950 (which overlaps with groups tracked publicly as FIN11\/TA505). From a Raspberry Robin infection, the DEV-0950 activity led to Cobalt Strike hands-on-keyboard compromises, sometimes with a Truebot infection observed in between the Raspberry Robin and Cobalt Strike stage. The activity culminated in deployments of the Clop ransomware. DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages.<\/p>\n
Given the interconnected nature of the cybercriminal economy<\/a>, it\u2019s possible that the actors behind these Raspberry Robin-related malware campaigns\u2014usually distributed through other means like malicious ads or email\u2014are paying the Raspberry Robin operators for malware installs.<\/p>\n Raspberry Robin attacks involve multi-stage intrusions, and its post-compromise activities require access to highly privileged credentials to cause widespread impact. Organizations can defend their networks from this threat by having security solutions like Microsoft Defender for Endpoint<\/a> and Microsoft Defender Antivirus, which is built into Windows, to help detect Raspberry Robin and its follow-on activities, and by applying best practices related to credential hygiene, network segmentation, and attack surface reduction.<\/p>\n In this blog, we share our detailed analysis of these attacks and shed light on Raspberry Robin\u2019s origins, since its earliest identified activity in September 2021, and motivations which have been debated since it was first reported in May 2022. We also provide mitigation guidance and other recommendations defenders can use to limit this malware\u2019s spread and impact from follow-on hands-on-keyboard attacks.<\/p>\n In early May 2022, Red Canary reported that a new worm named Raspberry Robin was spreading to Windows systems through infected USB drives. The USB drive contains a Windows shortcut (LNK) file disguised as a folder. In earlier infections, this file used a generic file name like recovery.lnk<\/em>, but in more recent ones, it uses brands of USB drives. It should be noted that USB-worming malware isn\u2019t new, and many organizations no longer track these as a top threat. <\/p>\n For an attack relying on a USB drive to run malware upon insertion, the targeted system\u2019s autorun.inf<\/em> must be edited or configured to specify which code to start when the drive is plugged in. Autorun of removable media is disabled on Windows by default. However, many organizations have widely enabled it through legacy Group Policy changes.<\/p>\n There has been much public debate about whether the Raspberry Robin drives use autoruns to launch or if it relies purely on social engineering to encourage users to click the LNK file. Microsoft Threat Intelligence Center (MSTIC) and Microsoft Detection and Response Team (DART) research has confirmed that both instances exist in observed attacks. Some Raspberry Robin drives only have the LNK and executable files, while drives from earlier infections have a configured autorun.inf<\/em>. This change could be linked to why the names of the shortcut files changed from more generic names to brand names of USB drives, possibly encouraging a user to execute the LNK file.<\/p>\n Upon insertion of the infected drive or launching of the LNK file, the UserAssist registry key in Windows\u2014where Windows Explorer maintains a list of launched programs\u2014is updated with a new value indicating a program was launched by Windows. <\/p>\n The UserAssist key stores the names of launched programs in ROT13-ciphered format, which means that every letter in the name of the program is replaced with the 13th<\/sup> letter in the alphabet after it. This routine makes the entries in this registry key not immediately readable. The UserAssist key is a useful forensic artifact to demonstrate which applications were launched on Windows, as outlined in Red Canary\u2019s blog.<\/p>\n Windows shortcut files are mostly used to create an easy-to-find shortcut to launch a program, such as pinning a link to a user\u2019s browser on the taskbar. However, the format allows the launching of any code, and attackers often use LNK files to launch malicious scripts or run stored code remotely. Raspberry Robin\u2019s LNK file points to cmd.exe<\/em> to launch the Windows Installer service msiexec.exe<\/em> and install a malicious payload hosted on compromised QNAP network attached storage (NAS) devices.<\/p>\n Once the Raspberry Robin payload is running, it spawns additional processes by using system binaries such as rundll32.exe<\/em>, odbcconf.exe<\/em>, and control.exe<\/em> to use as living-off-the-land binaries (LOLBins) to run malicious code. Raspberry Robin also launches code via fodhelper.exe<\/em>, a system binary for managing optional features, as a user access control (UAC) bypass.<\/p>\n The malware injects into system processes including regsvr32.exe<\/em>, rundll32.exe<\/em>, and dllhost.exe <\/em>and connects to various command-and-control (C2) servers hosted on Tor nodes.<\/p>\n In most instances, Raspberry Robin persists by adding itself to the RunOnce<\/a> key of the registry hive associated with the user who executed the initial malware install. The registry key points to the Raspberry Robin binary, which has a random name and a random extension such as .mh <\/em>or .vdm <\/em>in the user\u2019s AppData<\/em> folder or to ProgramData<\/em>. The key uses the intended purpose of regsvr32.exe<\/em> to launch the portable executable (PE) file, allowing the randomized non-standard file extension to launch the executable content. <\/p>\n Entries in the RunOnce key delete the registry entry prior to launching the executable content at sign-in. Raspberry Robin re-adds this key once it is successfully running to ensure persistence. After the initial infection, this leads to RunOnce.exe<\/em> launching the malware payload in timelines. Raspberry Robin also temporarily renames the RunOnce key when writing to it to evade detections.<\/p>\n Since our initial analysis, Microsoft security researchers have discovered links between Raspberry Robin and other malware families. The Raspberry Robin implant has also started to distribute other malware families, which is not uncommon in the cybercriminal economy, where attackers purchase \u201cloads\u201d or installs from operators of successful and widespread malware to facilitate their goals.<\/p>\n On July 26, 2022, Microsoft witnessed the first reported instance of a Raspberry Robin-infected host deploying a FakeUpdates (also known as SocGholish) JavaScript backdoor. Previously, FakeUpdates were delivered primarily through drive-by downloads or malicious ads masquerading as browser updates. Microsoft tracks the activity group behind FakeUpdates as DEV-0206 and the USB-based Raspberry Robin infection operators as DEV-0856.<\/p>\n After discovering Raspberry Robin-deployed FakeUpdates, Microsoft security researchers continued monitoring for other previously unidentified methodologies in FakeUpdates deployments. Research into the various malware families dropped by Raspberry Robin\u2019s USB-delivered infections continued, and new signatures were created to track the various outer layers of packed malware under the family name Fauppod.<\/p>\n On July 27, 2022, Microsoft identified samples detected as Fauppod that have similar process trees with DLLs written by Raspberry Robin LNK infections in similar locations and using similar naming conventions. Their infection chains also dropped the FakeUpdates malware. However, the victim hosts where these samples were detected didn\u2019t have the traditional infection vector of an LNK file launched from an infected USB drive, as detailed in Red Canary\u2019s blog.<\/p>\n In this instance, Fauppod was delivered via codeload[.]github[.]com<\/em>, a fraudulent and malicious repository created by a cybercriminal actor that Microsoft tracks as DEV-0651. The payload was delivered as a ZIP archive file containing another ZIP file, which then had a massive (700MB) Control Panel (CPL) file inside. Attackers use nested containers such as ZIP, RAR, and ISO files to avoid having their malicious payloads stamped with Mark of the Web (MOTW), which Windows uses to mark files from the internet and thus enable security solutions to block certain actions. Control Panel files are similar to other PEs like EXE and DLL files.<\/p>\n Microsoft has since seen DEV-0651 deliver Fauppod samples by taking advantage of various public-facing trusted and legitimate cloud services beyond GitHub, including Azure, Discord, and SpiderOak. Refer to the indicators of compromise (IOCs)<\/a> below for more details. Microsoft has shared information about this threat activity and service abuse with these hosting providers.<\/p>\n With the discovery of the DEV-0651 link, Microsoft had two pieces of evidence suggesting a relationship between Fauppod and Raspberry Robin:<\/p>\n Following DEV-0651\u2019s previous leveraging of cloud hosting services, the earliest iteration of a DEV-0651-related campaign that Microsoft was able to identify occurred in September 2021, which was around the same time Red Canary stated Raspberry Robin began to propagate.<\/p>\n Based on these facts, Microsoft reached low-confidence assessment that the Fauppod malware samples were related to the later delivery of what was publicly known as Raspberry Robin and started investigating these links to raise confidence and discover more information.<\/p>\n While authoring both file-based and behavior-based detections for Fauppod samples, Microsoft utilized existing detections based on the use of OBDCCONF as a LOLBin to launch regsvr32<\/em> (which was also detailed in Red Canary\u2019s blog as a Raspberry Robin tactic, technique, and procedure (TTP)):<\/p>\n Microsoft noted a unique quality in the command execution that was persistent through all Raspberry Robin infections stemming from an infected USB drive: there was a trailing \u201c.\u201d character at the end of the DLL name within the command above.<\/p>\n While reviewing DEV-0651 Fauppod-delivered malware, Microsoft identified a Fauppod CPL sample served via GitHub when the following command is run:<\/p>\n Notable in the above Fauppod command are the following:<\/p>\n These findings raised Microsoft\u2019s confidence in assessing whether there is a connection between Fauppod\u2019s CPL files and Raspberry Robin extending beyond a similarity in outer layers and packing of the malware.<\/p>\n Microsoft security researchers also identified a payload within a Fauppod sample communicating with a compromised QNAP storage server to send information about the infected device, overlapping with Raspberry Robin\u2019s use of compromised QNAP appliances for C2.<\/p>\n While continuing to monitor the prevalence and infection sources of Fauppod, Microsoft identified a heavily obfuscated .NET malware (SHA-256: a9d5ec72fad42a197cbadcb1edc6811e3a8dd8c674df473fd8fa952ba0a23c15<\/a>) arriving on hosts that had previously been infected with either Raspberry Robin LNK infected hosts or Fauppod CPL malware.<\/p>\n While inspecting these samples, Microsoft noted that many were responsible for creating LNK files on external USB drives.<\/p>\n Based on our investigation, Microsoft currently assesses with medium confidence that the above .NET DLLs delivered both by Raspberry Robin LNK infections and Fauppod CPL samples are responsible for spreading Raspberry Robin LNK files to USB drives. These LNK files, in turn, infect other hosts via the infection chain detailed in Red Canary\u2019s blog.<\/p>\n Microsoft also assesses with medium confidence that the Fauppod-packed CPL samples are currently the earliest known point in the attack chain for propagating Raspberry Robin infections to targets. Microsoft findings suggest that the Fauppod CPL entities, the obfuscated .NET LNK spreader modules they drop, the Raspberry Robin LNK files Red Canary documented, and the Raspberry Robin DLL files (or, Roshtyak, as per Avast) could all be considered as various components to the \u201cRaspberry Robin\u201d malware infection chain.<\/p>\n In July 2022, Microsoft found Raspberry Robin infections that led to hands-on-keyboard activity by DEV-0243. One of the earliest malware campaigns to bring notoriety to DEV-0243 was the Dridex banking trojan.<\/p>\n Code similarity between malware families is often used to demonstrate a link between families to a tracked actor. In IBM\u2019s blog post<\/a> published after we observed the Raspberry Robin and DEV-0243 connection, they highlighted several code similarities between the loader for the Raspberry Robin DLLs and the Dridex malware.<\/p>\n Microsoft\u2019s analysis of Fauppod samples also identified some Dridex filename testing features, which are used to avoid running in certain environments. Fauppod has similar functionality to avoid execution if it recognizes it\u2019s running as testapp.exe<\/em> or self.exe.<\/em> This code similarity has historically caused some Fauppod samples to trip Dridex detection alerts.<\/p>\n Given the previously documented relationship between Raspberry Robin and DEV-0206\/DEV-0243 (EvilCorp), this behavioral similarity in the initial vector for Raspberry Robin infections adds another piece of evidence to the connection between the development and propagation of Fauppod\/Raspberry Robin and DEV-0206\/DEV-0243.<\/p>\n Cybercriminal malware is an ever-present threat for most organizations today, taking advantage of common weaknesses in security strategies and using social engineering to trick users. Almost every organization risks encountering these threats, including Fauppod\/Raspberry Robin and FakeUpdates. Developing a robust protection and detection strategy and investing in credential hygiene, least privileges, and network segmentation are keys to preventing the impact of these complex and highly connected cybercriminal threats.<\/p>\n Raspberry Robin\u2019s infection chain is a confusing and complicated map of multiple infection points that can lead to many different outcomes, even in scenarios where two hosts are infected simultaneously. There are numerous components involved; differentiating them could be challenging as the attackers behind the threat have gone to extreme lengths to protect the malware at each stage with complex loading mechanisms. These attackers also hand off to other actors for some of the more impactful attack stages, such as ransomware deployment.<\/p>\n As of this writing, Microsoft is aware of at least four confirmed Raspberry Robin entry vectors. These entry points were linked to hands-on-keyboard actions by attackers, and they all led to intrusions where the end goal was likely deployment of ransomware.<\/p>\n Infections from Fauppod CPL files and the Raspberry Robin worm component have facilitated human-operated intrusions indicative of pre-ransomware activity. Based on the multiple infection stages and varied payloads, Microsoft assesses that DEV-0651\u2019s initial access vector, the various spreading techniques of the malicious components, and high infection numbers have provided an attractive distribution option for follow-on payloads.<\/p>\n Beginning on September 19, 2022, Microsoft identified Raspberry Robin worm infections deploying IcedID and\u2014later at other victims\u2014Bumblebee and TrueBot payloads. In October 2022, Microsoft researchers observed Raspberry Robin infections followed by Cobalt Strike activity from DEV-0950. This activity, which in some cases included a Truebot infection, eventually deployed the Clop ransomware.<\/p>\n Worms can be noisy and could lead to alert fatigue in security operations centers (SOCs). Such fatigue could lead to improper or untimely remediation, providing the worm operator ample opportunity to sell access to the affected network to other cybercriminals<\/a>.<\/p>\n While Raspberry Robin seemed to have no purpose when it was first discovered, it has evolved and is heading towards providing a potentially devastating impact on environments where it\u2019s still installed. Raspberry Robin will likely continue to develop and lead to more malware distribution and cybercriminal activity group relationships as its install footprint grows.<\/p>\n Microsoft Defender for Endpoint<\/a> and Microsoft Defender Antivirus detect Raspberry Robin and follow-on activities described in this blog. Defenders can also apply the following mitigations to reduce the impact of this threat:<\/p>\n Microsoft customers can turn on attack surface reduction rules<\/a> to prevent several of the infection vectors of this threat. Attack surface reduction rules, which any security administrator can configure, offer significant hardening against the worm. In observed attacks, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevent hands-on-keyboard activity:<\/p>\n Defenders can also refer to detection details and indicators or compromise in the following sections for more information about surfacing this threat.<\/p>\n Microsoft Defender Antivirus detects threat components as the following malware:<\/p>\n Configure Defender Antivirus scans<\/a> to include removable drives. The following command lets admins scan removable drives, such as flash drives, during a full scan using the Set-MpPreference cmdlet<\/a>:<\/p>\n If you specify a value of $False<\/em> or do not specify a value, Defender Antivirus scans removable drives during any type of scan. If you specify a value of $True<\/em>, Defender Antivirus doesn\u2019t scan removable drives during a full scan. Defender Antivirus can still scan removable drives during quick scans or custom scans.<\/p>\n Defender Antivirus also detects identified post-compromise payloads as the following malware:<\/p>\n Alerts with the following titles in the security center can indicate threat activity on your network:<\/p>\n Microsoft also clusters indicators related to the presence of the Raspberry Robin worm under DEV-0856. The following alert can indicate threat activity on your network:<\/p>\n The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and therefore are not monitored in the status cards provided with this report.<\/p>\n NOTE: These indicators should not be considered exhaustive for this observed activity.<\/p>\n Fauppod samples delivered by DEV-0651 via legitimate cloud services<\/strong><\/p>\nA new worm hatches: Raspberry Robin\u2019s initial propagation via USB drives<\/h2>\n
![\"This](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig-1-raspberryrobin-original-chain.png\")
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig-2-raspberryrobin-url-samples.png\")
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig-3f-raspberryrobin-runonce-1024x68.png\")
Raspberry Robin\u2019s connection to a larger malware ecosystem<\/h2>\n
![\"This](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig-4-infection-chain-1.png\")
Introducing Fauppod: Like FakeUpdates but without the fake updates<\/h3>\n
Connecting the dot(net malware)<\/h3>\n
\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig-5f-odbcconf-1024x109.png\")
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig-6f-fauppod-command-line-1024x89.png\")
\n
![\"](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig-7f-net-spreader-dll-1024x68.png\")
![\"This](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig-8-raspberryrobin-dnspy.png\")
The Fauppod-Dridex connection<\/h3>\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig-9-raspberryrobin-selfexe-880x1024.png\")
Raspberry Robin\u2019s future as part of the cybercriminal gig economy<\/h2>\n
Defending against Raspberry Robin infections<\/h2>\n
\n
Detection details<\/h2>\n
Microsoft Defender Antivirus<\/h3>\n
Set-MpPreference -DisableRemovableDriveScanning<\/pre>\n
Microsoft Defender for Endpoint<\/h3>\n
\n
\n
\n
Indicators of compromise (IOCs)<\/h2>\n