New Raspberry Robin Malware Campaign Spreads via Malicious Windows Script Files (WSFs)

Malware Attack

Cybersecurity researchers have identified a fresh wave of the Raspberry Robin malware campaign, leveraging malicious Windows Script Files (WSFs) as its propagation method since March 2024.

Initially known for spreading through removable media like USB drives, Raspberry Robin, also referred to as the QNAP worm, has evolved into a downloader for various payloads over the years. These payloads include SocGholish, Cobalt Strike, IcedID, BumbleBee, TrueBot, and serve as a precursor to ransomware.

According to HP Wolf Security researcher Patrick Schläpfer, Raspberry Robin's distribution tactics have diversified beyond USB-based LNK files to include methods such as social engineering and malvertising.

Attributed to the Storm-0856 threat cluster tracked by Microsoft, Raspberry Robin has ties to larger cybercrime groups like Evil Corp, Silence, and TA505.

In the latest campaign, WSF files are used for download via various domains and subdomains. While the exact method of directing victims to these URLs remains unclear, researchers suspect spam or malvertising campaigns as possible avenues.

The malicious WSF file, heavily obfuscated, acts as a downloader to fetch the main DLL payload from a remote server using the curl command. Before executing, the file conducts anti-analysis and anti-virtual machine checks to detect virtualized environments.

Moreover, the malware terminates execution if the Windows operating system build number is below 17063 (released in December 2017) and detects antivirus processes associated with Avast, Avira, Bitdefender, Check Point, ESET, and Kaspersky.

To evade detection further, the malware configures Microsoft Defender Antivirus exclusion rules by adding the main drive to the exclusion list, preventing scanning.

HP noted that the WSF downloader remains undetected by antivirus scanners on VirusTotal, highlighting its evasive nature and potential for serious infections.

"The heavily obfuscated WSF downloader employs multiple anti-analysis techniques, allowing the malware to evade detection and impede analysis," HP emphasized.