Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files

Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that propagates the malware through malicious Windows Script Files (WSFs) since March 2024.

“Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors,” HP Wolf Security researcher Patrick Schläpfer said in a report shared with The Hacker News.

Raspberry Robin, also called QNAP worm, was first spotted in September 2021 that has since evolved into a downloader for various other payloads in recent years, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and also serving as a precursor for ransomware.

While the malware was initially distributed by means of USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since adopted other methods such as social engineering and malvertising.

It’s attributed to an emerging threat cluster tracked by Microsoft as Storm-0856, which has links to the broader cybercrime ecosystem comprising groups like Evil Corp, Silence, and TA505.

The latest distribution vector entails the use of WSF files that are offered for download via various domains and subdomains.

It’s currently not clear how the attackers are directing victims to these URLs, although it’s suspected that it could be either via spam or malvertising campaigns.

The heavily obfuscated WSF file functions as a downloader to retrieve the main DLL payload from a remote server using the curl command, but not before a series of anti-analysis and anti-virtual machine evaluations are carried out to determine if it’s being run in a virtualized environment.

It’s also designed to terminate the execution if the build number of the Windows operating system is lower than 17063 (which was released in December 2017) and if the list of running processes includes antivirus processes associated with Avast, Avira, Bitdefender, Check Point, ESET, and Kaspersky.

What’s more, it configures Microsoft Defender Antivirus exclusion rules in an effort to sidestep detection by adding the entire main drive to the exclusion list and preventing it from being scanned.

“The scripts itself are currently not classified as malicious by any an-virus scanners on VirusTotal, demonstrating the evasiveness of the malware and the risk of it causing a serious infection with Raspberry Robin,” HP said.

“The WSF downloader is heavily obfuscated and uses many an-analysis techniques enabling the malware to evade detection and slow down analysis.”