Raspberry Robin Worm

Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday.

The intrusions, observed against Spanish and Portuguese-speaking organizations, are notable for collecting more victim machine data than previously documented, with the malware now exhibiting sophisticated techniques to resist analysis.

Raspberry Robin, also called QNAP worm, is being used by several threat actors as a means to gain a foothold into target networks. Spread via infected USB drives and other methods, the framework has been recently put to use in attacks aimed at telecom and government sectors.


Microsoft is tracking the operators of Raspberry Robin under the moniker DEV-0856.

Security Joes' forensic investigation into one such attack has revealed the use of a 7-Zip file, which is downloaded from the victim's browser via social engineering and contains an MSI installer file designed to drop multiple modules.

Raspberry Robin Worm

In another instance, a ZIP file is said to have been downloaded by the victim through a fraudulent ad hosted on a domain that's known to distribute adware.

The archive file, stored in a Discord server, contains encoded JavaScript code that, upon execution, drops a downloader that's protected with numerous layers of obfuscation and encryption to evade detection.

The shellcode downloader is primarily engineered to fetch additional executables, but it has also seen significant upgrades that enables it to profile its victims to deliver appropriate payloads, in some cases even resorting to a form of trickery by serving fake malware.


This involves collecting the host's Universally Unique Identifier (UUID), processor name, attached display devices, and the number of minutes that have elapsed since system startup, along with the hostname and username information that was gathered by older versions of the malware.

The reconnaissance data is then encrypted using a hard-coded key and transmitted to a command-and-control (C2) server, which responds back with a Windows binary that's eventually executed on the machine.

"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plaintext username and hostname, now has a robust RC4 encrypted payload," threat researcher Felipe Duarte said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.