
Cybercriminals are using Windows Script Files to distribute Raspberry Robin


Illustration: Suttipun | Shutterstock

Raspberry Robin, a cybersecurity threat campaign initially spotted in 2021 targeting technology and manufacturing sectors, has undergone a notable shift in its propagation technique and is now relying on Windows Script Files (WSF) to disseminate its malicious payload.

This change signifies a strategic adaptation by the threat actors behind Raspberry Robin, showcasing their agility in evading detection and bypassing cybersecurity defences.

Unlike its earlier methods involving USB drives and archive files, the malware’s latest iteration employs WSF, a format commonly used for automated tasks in Windows environments.

Using WSF introduces complexity through obfuscated scripts and advanced anti-analysis measures. These tactics challenge traditional security protocols, making it difficult for cybersecurity professionals to effectively detect and mitigate the threat.

Command downloading Raspberry Robin DLL to AppData folder. | Source: HP Threat Research Team

Upon infection, Raspberry Robin establishes communication with command and control (C2) servers via Tor, enabling the download and execution of additional malicious payloads. This functionality serves as a gateway for threat actors to deploy a range of malware families, including SocGholish, Cobalt Strike, IcedID, BumbleBee, and Truebot, and potentially act as a precursor to ransomware attacks.

Deeper technical analysis of the WSF downloader reveals multiple layers of obfuscation and evasion. The script employs techniques such as junk characters and dynamic code flow to obscure its true functionality and evade detection by antivirus solutions.

Obfuscated WSF downloader script. | Source: HP Threat Research Team

Furthermore, the script implements anti-analysis measures by checking for virtualised environments, system properties, and the presence of antivirus software such as Avast, Avira, Check Point, Bitdefender, ESET and Kaspersky. These checks ensure that the malware executes only on genuine end-user devices, complicating static and dynamic analysis efforts.

The script’s integration with Windows Management Instrumentation (WMI) and manipulation of system processes add to its complexity, making it challenging for cybersecurity analysts to dissect its behaviour accurately.
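The traits described in the two paragraphs above (junk characters, split string literals, WMI queries and checks for named antivirus products) are exactly what a defender can turn into a triage heuristic for .wsf attachments. The following is an added example written for this article, not code from HP Threat Research or from the malware itself: it pulls the script bodies out of a WSF job, rejoins concatenated string literals so that `"Kas" + "per" + "sky"` cannot hide a vendor name, and flags the indicators named in the text. The sample WSF file is constructed for the demonstration; the VM marker strings, the obfuscation call list and the scoring weights are my own assumptions, not values taken from the analysis.

```python
import math
import re

# AV vendors named in the article as anti-analysis targets of the WSF downloader.
AV_VENDORS = ("avast", "avira", "check point", "checkpoint", "bitdefender", "eset", "kaspersky")
# Common VM markers (assumption for this example; the article does not list them).
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "hyper-v", "xen")
# Calls that typically carry dynamically decoded code (assumption for this example).
OBFUSCATION_CALLS = ("eval(", "unescape(", "string.fromcharcode", "execute(", "executeglobal(")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.DOTALL)
CONCAT_RE = re.compile(r"\"\s*\+\s*\"")  # matches the  " + "  between two literals

# Constructed sample (not the real Raspberry Robin script): a JScript job that
# queries WMI, splits an AV vendor name across literals and decodes code at runtime.
SAMPLE_WSF = r"""<job id="update">
<script language="JScript">
<![CDATA[
var svc = GetObject("winmgmts:\\\\.\\root\\cimv2");
var procs = svc.ExecQuery("SELECT * FROM Win32_Process");
var av = "Kas" + "per" + "sky";
var u = unescape("%68%74%74%70");
eval(String.fromCharCode(97, 108, 101, 114, 116));
]]>
</script>
</job>
"""

# Constructed benign job used as a control.
CLEAN_WSF = """<job id="hello">
<script language="VBScript">
WScript.Echo "hello from a harmless job"
</script>
</job>
"""


def extract_scripts(wsf_text):
    """Return the body of every <script> block in a WSF job, CDATA unwrapped.
    WSF bodies are often not well-formed XML, so a regex is used instead of an XML parser."""
    bodies = []
    for m in SCRIPT_RE.finditer(wsf_text):
        body = m.group(1)
        cd = CDATA_RE.search(body)
        bodies.append(cd.group(1) if cd else body)
    return bodies


def merge_concatenated_literals(code):
    """Join "Kas" + "per" + "sky" into "Kaspersky" so split strings cannot evade matching."""
    return CONCAT_RE.sub("", code)


def shannon_entropy(text):
    """Bits per character; reported only, not scored, because short scripts are noisy."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _word_hits(needles, haystack):
    # Word boundaries avoid false positives such as "eset" inside "reset".
    return [w for w in needles if re.search(r"\b" + re.escape(w) + r"\b", haystack)]


def triage_wsf(wsf_text):
    """Score a WSF job on the indicators the article describes and return the findings."""
    code = "\n".join(extract_scripts(wsf_text))
    merged = merge_concatenated_literals(code).lower()
    findings = {
        "uses_wmi": "winmgmts:" in merged or "win32_" in merged,
        "av_vendor_strings": _word_hits(AV_VENDORS, merged),
        "vm_marker_strings": _word_hits(VM_MARKERS, merged),
        "obfuscation_calls": [c for c in OBFUSCATION_CALLS if c in merged],
        "string_splits": len(CONCAT_RE.findall(code)),
        "entropy": round(shannon_entropy(code), 2),
    }
    # Weights are an assumption for this example; tune against your own sample set.
    score = 2 * int(findings["uses_wmi"])
    score += 2 * len(findings["av_vendor_strings"])
    score += 2 * len(findings["vm_marker_strings"])
    score += len(findings["obfuscation_calls"])
    score += min(findings["string_splits"], 3)
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 5 else "low"
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_WSF), ("clean", CLEAN_WSF)):
        print(name, triage_wsf(text))
```

The literal-merging step is the part worth keeping even if the rest is replaced by a proper sandbox: a plain string search for "Kaspersky" returns nothing on the sample, while the merged text matches. Run on a mail-gateway quarantine, the score gives analysts a first ordering of which .wsf attachments to detonate first; it is a triage aid, not a replacement for blocking WSH execution on endpoints that have no business running scripts.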

“The WSF downloader is heavily obfuscated and uses many anti-analysis and anti-VM techniques, enabling the malware to evade detection and slow analysis. This is particularly concerning given that Raspberry Robin has been used as a precursor for human-operated ransomware. Countering this malware early on in its infection chain should be a high priority for security teams,” concluded the research.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
