Security researchers have raised concerns about threat actors using a modified version of the Raspberry Robin worm to covertly distribute malware using Windows script files (WSF).
Analysis from HP Wolf Security shows the updated scripts being used to load and proliferate the malware on target systems are not currently classified as malicious by any of the antivirus scanners listed on VirusTotal.
As a result, the report’s author, HP malware analyst Patrick Schläpfer, described this campaign as having grown “to become one of the most prevalent threats facing enterprises” today.
Raspberry Robin is well known for its advanced obfuscation and anti-analysis capabilities, and has been widely used by hackers to get around detection tools, fool sandboxes, and inhibit security professionals’ ability to analyze the attack chain.
Traditionally, Raspberry Robin has been spread using removable media such as USB drives containing malicious Windows Shortcut Files (.lnk), but the report also details a number of other entry points for the worm.
Schläpfer added that, since 2021, cyber criminals have also been recorded using archive files (RAR) hosted on Discord, which contain an EXE and DLL file to load the malicious payload.
Another attack vector detailed in the report involves 7-Zip archive files (.7z) downloaded using the target’s web browser, which contains a malicious Windows Installer (.msi) package that infects the system with Raspberry Robin.
Finally, Schläpfer noted threat actors are conducting malvertising campaigns with fake adverts that download malicious ZIP files on Discord, eventually deploying the worm on the victim’s device.
A deep dive into the ‘undetectable’ WSF infection chain
The investigation focused on the most recent attack campaign, active since early March 2024, which hinges around the WSF infection method.
The WSF file format supports a number of scripting languages including JScript and WBScript, used by the Windows Script Host to mix different languages within a single file.
The format is widely used by administrators and in legitimate software to automate tasks or perform various actions on your computer, but can also be abused by nefarious actors, the report found.
WSF files used in the attack were uploaded to a number of malicious domains controlled by the hackers, but Schläpfer was unable to identify how victims were being lured to the dangerous URLs, speculating spam or a malvertising campaign.
Navigate the complex demands of security and network connectivity
The file contains the malicious script as well as long strings of ‘junk characters’ used to try and conceal the real threat. The script itself is heavily obfuscated too, where all functions and variables are encoded and decoded using an array.
These techniques, combined with further obfuscation of the control flow of the program means the script’s functionality is not immediately obvious when being inspected.
The malware initially creates a WScript shell object in order to interact with the operating system (OS), then performs a series of checks to ensure it won’t be detected and that it will be able to infect the system successfully.
The script first checks to see if the script is located somewhere it might be easily noticed, such as the user’s desktop, and terminates if so.
By creating an SWbemLocator object, this gives threat actors access to Windows Management Instrumentation (WMI), which allows the script to perform a number of checks to ensure the payload can be loaded onto the system.
The script uses a well-established method for working out if it is running on a Virtual Machine (VM) by checking the MAC address of the network card, trying to detect any virtualization solutions such as Hyper-V, Oracle VM Server, or VMware.
The final WMI check compares the running processes against a list of antivirus processes known to be used by scanners from security vendors including Kaspersky, Avast, or Check Point.
If there are no third-party antivirus programs detected, it is likely the script is running on an endpoint running Microsoft Defender, according to the report, and the script accordingly adds an exception that excludes the main drive from anti-virus scanning.
With the VM detection stage complete, the next stage involves a series of anti-analysis measures. Simple obfuscation techniques like using large amounts of unused code make analysis more difficult and time-consuming.
Security analysts are prevented from speeding up their analysis by refactoring the script and removing unused code using variables inserted in the middle of the dummy code snippets that, if deleted, trigger the termination of the script.
With all of these checks complete, the script begins the process of actually delivering the Raspberry Robin worm onto the system, downloading the DLL from the web using a curl command and storing it in the local AppData folder.
This request is carried out via a cookie, instead of using a URL path, and means the web server can verify the request came from the downloader script, reducing the chance samples of the malware are leaked to researchers.
The file’s extension is then changed to .dll and run using msiexec, initiating the Raspberry Robin malware, which undergoes its own series of anti-analysis and VM detection techniques until the effective payload is executed.
This final payload could vary, according to Schläpfer, but he warned that he would be especially worried about this attack sequence being used to deliver ransomware, urging security professionals to try and counter the malware as early as possible in its infection chain to avoid compromise.
“This is particularly concerning given that Raspberry Robin has been used as a precursor for human-operated ransomware. Countering this malware early on in its infection chain should be a high priority for security teams.”
