Malware Platform Operators Take Steps to Obfuscate Code
Threat actors behind the Raspberry Robin worm, a malware distribution platform, have shifted tactics to make the malware harder to detect and harder for researchers to analyze.
The HP Threat Research team discovered that hackers deploying Raspberry Robin – often a precursor to a ransomware attack – now use Windows Script Files and only execute the final payload when the initial infection determines that it is running on a real device, rather than in a sandbox.
First disclosed in 2022 by Red Canary, Raspberry Robin is possibly a tool deployed by malware-as-a-service operators. Microsoft in late 2022 said the worm “is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods.” Among the malware families that Raspberry Robin has been a precursor to, according to HP: SocGholish, Cobalt Strike, IcedID, BumbleBee and Truebot.
Its initial infection vector was through USB drives, but it has branched out to other methods including malicious ads. At the beginning of this year, its operators used archive files downloaded by victims to infect computers. Now it’s using .wsf files, HP says.
The file format allows developers to mix and match scripts such as JScript and VBScript, since the Windows Script Host built into the Windows operating system is able to execute code from multiple languages.
WSF files are commonly used by system administrators and developers to perform tasks such as file manipulation, system configuration, and network management. They can interact with system components, applications, and external resources, making them powerful tools for automating routine tasks and simplifying complex processes.
The threat actors’ WSF file, as of publication by HP, had a 0% detection rate on VirusTotal. Should a human open the script file in a text editor, “most of the characters are unreadable.” Further analysis also reveals obfuscation techniques: “All functions and variables used are encoded and decoded via a function” and “the control flow of the program is also obfuscated.”
The script “also uses the classic method for identifying if the runtime environment is virtualized by checking the MAC address of the network card.”
To prevent scrutiny, the script self-deletes from disk and restarts with command line arguments if analyzed in a debugger. Functionally, it acts as a downloader, retrieving the Raspberry Robin DLL from the web and storing it locally, while evading detection by adding exceptions to antivirus scanning.
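A static triage routine for the three WSF traits described above (several script languages in one job, mostly unreadable content, and a MAC-address lookup of the kind used to tell a real host from a sandbox), as an added example with a constructed sample file; this is not HP's tooling or the malware's code, and the string patterns and thresholds are assumptions.

```python
"""Static triage of a Windows Script File (.wsf) for the traits HP describes:
several script languages in one job, largely unreadable (encoded) content, and
a MAC-address lookup used to tell a real host from a virtual machine.
Added example with a constructed sample; not HP's code or the actual malware."""
import re

# Constructed sample: a VBScript block querying the NIC's MAC address via WMI
# and a JScript block whose string content is mostly non-ASCII, standing in
# for the encoded identifiers HP reports in the real script.
SAMPLE_WSF = """<job id="main">
<script language="VBScript">
Set wmi = GetObject("winmgmts:\\\\.\\root\\cimv2")
Set nics = wmi.ExecQuery("Select MACAddress from Win32_NetworkAdapter")
</script>
<script language="JScript">
var k = "ЖйцукенгшщзхъфывапролджэячсмитьбюЁ";
function d(s){return s;}
</script>
</job>"""

# Windows Script Host is lenient about XML, so real .wsf files may not parse
# as XML; a regex over <script> blocks is more robust than an XML parser here.
SCRIPT_BLOCK = re.compile(r'<script\s+language="([^"]+)"[^>]*>(.*?)</script>', re.I | re.S)
MAC_CHECK = re.compile(r"MACAddress|Win32_NetworkAdapter", re.I)  # assumed indicator strings

def unreadable_ratio(text):
    """Fraction of characters outside printable ASCII (CR, LF and TAB allowed)."""
    if not text:
        return 0.0
    bad = sum(1 for c in text if not (32 <= ord(c) < 127 or c in "\r\n\t"))
    return bad / len(text)

def triage_wsf(wsf_text):
    """Return structured findings for the contents of one .wsf file."""
    blocks = SCRIPT_BLOCK.findall(wsf_text)
    languages = sorted({lang.lower() for lang, _ in blocks})
    bodies = [body for _, body in blocks]
    findings = {
        "languages": languages,
        "mixed_languages": len(languages) > 1,
        "mac_address_check": any(MAC_CHECK.search(b) for b in bodies),
        "max_unreadable_ratio": max((unreadable_ratio(b) for b in bodies), default=0.0),
    }
    # Each trait alone is legitimate in admin scripts; the combination merits review.
    findings["worth_review"] = findings["mixed_languages"] and (
        findings["mac_address_check"] or findings["max_unreadable_ratio"] > 0.3)
    return findings

if __name__ == "__main__":
    for key, value in triage_wsf(SAMPLE_WSF).items():
        print(f"{key}: {value}")
```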
Ravisankar Ramprasad, a threat researcher at Menlo Security, said Raspberry Robin operators are known for their ability to quickly exploit n-day vulnerabilities, particularly privilege escalation vulnerabilities affecting Windows systems.