Security researchers have raised concerns about threat actors using a modified version of the Raspberry Robin worm to covertly distribute malware using Windows Script Files (WSF).
Analysis from HP Wolf Security shows that the updated scripts used to load and spread malware on target systems are not currently classified as malicious by any of the antivirus scanners listed on VirusTotal.
As a result, the report's author, HP malware analyst Patrick Schläpfer, described this campaign as having grown “to become one of the most prevalent threats facing businesses” today.
Raspberry Robin is well known for its advanced obfuscation and anti-analysis capabilities, and has been widely used by hackers to bypass detection tools, trick sandboxes, and inhibit security professionals' ability to analyze the attack chain.
Raspberry Robin has traditionally spread via removable media, such as USB drives containing malicious Windows shortcut (.lnk) files, but the report also details other entry points for the worm.
Schläpfer added that since 2021, cybercriminals have also been observed using RAR archives hosted on Discord, which contain an EXE and a DLL file used to load the malicious payload.
Another attack vector detailed in the report involves 7-Zip (.7z) files downloaded using the target's web browser, which contain a malicious Windows Installer (.msi) package that infects the system with Raspberry Robin.
Finally, Schläpfer noted that threat actors are running malvertising campaigns with fake ads that download malicious ZIP files from Discord, eventually deploying the worm to the victim's device.
A deep dive into the WSF 'undetectable' infection chain
The investigation focused on the most recent attack campaign, active since early March 2024, which revolves around the WSF infection method.
The WSF file format supports several scripting languages, including JScript and VBScript, allowing Windows Script Host to mix different languages in a single file.
The format is widely used by administrators and in legitimate software to automate tasks or perform various actions on a computer, but it can also be abused by nefarious actors, according to the report.
The WSF files used in the attack were hosted on several malicious domains controlled by the hackers, but Schläpfer was unable to identify how victims were lured to the dangerous URLs, speculating that spam or a malvertising campaign was responsible.
The file contains the malicious script as well as long strings of “junk characters” used to try to hide the real threat. The script itself is also heavily obfuscated, where all functions and variables are encoded and decoded using an array.
These techniques, combined with greater obfuscation of the program's control flow, mean that the functionality of the script is not immediately obvious when inspected.
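The following Python triage helper is an added example, not code from the HP Wolf Security report: it shows how a WSF file is structured (a job element holding one or more script elements tagged with their language) and measures the two properties the report calls out, padding outside the script elements and obfuscated string literals. The sample file and the thresholds are constructed for this example.

```python
import re

# Constructed sample (not from the campaign in the article): a WSF that mixes
# VBScript and JScript and is padded with a large comment outside the script
# elements, the way the report describes "junk characters" being used.
JUNK = "x" * 4000
SAMPLE_WSF = (
    '<job id="main">\n'
    "<!-- " + JUNK + " -->\n"
    '<script language="VBScript">\n'
    "Dim greeting\n"
    'greeting = "hello"\n'
    "</script>\n"
    '<script language="JScript">\n'
    'var a = ["\\x57\\x53\\x63\\x72\\x69\\x70\\x74"];\n'
    'var sh = new ActiveXObject(a[0] + ".Shell");\n'
    "</script>\n"
    "</job>\n"
)

# WSF is not strict XML (no prolog required, script bodies may contain '<'),
# so a regular expression is used instead of an XML parser.
SCRIPT_RE = re.compile(
    r'<script\b[^>]*\blanguage\s*=\s*"([^"]+)"[^>]*>(.*?)</script>',
    re.IGNORECASE | re.DOTALL,
)
HEX_ESCAPE_RE = re.compile(r"\\x[0-9A-Fa-f]{2}")
COM_OBJECT_RE = re.compile(r"\b(?:ActiveXObject|CreateObject|GetObject)\s*\(", re.IGNORECASE)


def extract_scripts(text):
    """Return [(language, body), ...] for every <script> element in a WSF."""
    return [(m.group(1), m.group(2)) for m in SCRIPT_RE.finditer(text)]


def triage_wsf(text):
    """Summarise a WSF file: languages, padding ratio and obfuscation hints."""
    scripts = extract_scripts(text)
    script_bytes = sum(len(body) for _, body in scripts)
    total = len(text)
    junk_ratio = 1.0 - (script_bytes / total) if total else 0.0
    bodies = "\n".join(body for _, body in scripts)
    hex_escapes = len(HEX_ESCAPE_RE.findall(bodies))
    com_calls = len(COM_OBJECT_RE.findall(bodies))
    indicators = []
    if junk_ratio > 0.5:  # threshold chosen for this example
        indicators.append("most of the file is outside <script> elements (padding)")
    if hex_escapes >= 5:  # threshold chosen for this example
        indicators.append("string literals built from \\x escapes")
    if com_calls:
        indicators.append("COM object instantiation (WScript.Shell / WMI access)")
    return {
        "languages": sorted({lang for lang, _ in scripts}),
        "total_bytes": total,
        "script_bytes": script_bytes,
        "junk_ratio": round(junk_ratio, 3),
        "hex_escapes": hex_escapes,
        "com_calls": com_calls,
        "indicators": indicators,
    }


if __name__ == "__main__":
    for key, value in triage_wsf(SAMPLE_WSF).items():
        print(f"{key}: {value}")
```

Run it on a quarantined sample and the junk ratio alone separates an automation script written by an administrator (nearly all of the file is script) from the padded files the report describes; the other two indicators are cheap hints for prioritising manual analysis, not verdicts.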
Initially, the malware creates a WScript shell object to interact with the operating system (OS), then performs a series of checks to ensure that it will not be detected and can successfully infect the system.
The script first checks to see if it is located somewhere it can be easily noticed, such as the user's desktop, and ends if so.
By creating a SWbemLocator object, the script gains access to Windows Management Instrumentation (WMI), which it uses to perform a series of checks to ensure that the payload can be loaded onto the system.
The script uses a well-established method to determine if it is running in a virtual machine (VM) by checking the MAC address of the network card, attempting to detect virtualization solutions such as Hyper-V, Oracle VM Server, or VMware.
The final WMI check compares the running processes against a list of antivirus processes known to be used by scanners from security vendors, including Kaspersky, Avast, or Check Point.
If no third-party antivirus programs are detected, the script assumes it is running on an endpoint protected by Microsoft Defender, according to the report, and consequently adds an exclusion that removes the primary drive from antivirus scanning.
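A drive-wide Defender exclusion is a loud change that a security team can alert on. The following Python detector is an added example, not part of the HP report: it parses Microsoft Defender Antivirus Event ID 5007 ("Configuration has changed") messages, which record the registry key that was modified, and rates any new exclusion by how broad it is. The sample events, their exact wording and the registry paths are assumptions constructed for this example.

```python
import re

# Constructed sample events. They mirror the shape of Microsoft Defender
# Antivirus Event ID 5007 messages from the Microsoft-Windows-Windows
# Defender/Operational log; the wording and registry paths are assumptions
# made for this example, not values taken from the report.
SAMPLE_EVENTS = [
    {
        "id": 5007,
        "message": (
            "Microsoft Defender Antivirus Configuration has changed.\n"
            "\tOld value: \n"
            "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
            "Exclusions\\Paths\\C:\\ = 0x0"
        ),
    },
    {
        "id": 5007,
        "message": (
            "Microsoft Defender Antivirus Configuration has changed.\n"
            "\tOld value: \n"
            "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
            "Exclusions\\Paths\\C:\\Program Files\\VendorApp\\ = 0x0"
        ),
    },
    {
        "id": 5007,
        "message": (
            "Microsoft Defender Antivirus Configuration has changed.\n"
            "\tOld value: \n"
            "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
            "Real-Time Protection\\DisableRealtimeMonitoring = 0x1"
        ),
    },
    {"id": 1116, "message": "Microsoft Defender Antivirus has detected malware."},
]

NEW_VALUE_RE = re.compile(r"New value:\s*(?P<key>.+?)\s*=\s*(?P<data>\S+)")
EXCLUSION_RE = re.compile(r"\\Exclusions\\(?P<type>Paths|Extensions|Processes)\\(?P<value>.+)$")
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def parse_config_change(message):
    """Extract (registry key, data) from a 5007 message, or None if absent."""
    m = NEW_VALUE_RE.search(message)
    return (m.group("key"), m.group("data")) if m else None


def rate_exclusion(exc_type, value):
    """Severity of a new exclusion: whole drives, wildcards and user-writable
    directories are where a downloaded payload would land, so they rate high."""
    if exc_type == "Paths" and (DRIVE_ROOT_RE.match(value) or "*" in value):
        return "high"
    if exc_type == "Paths" and USER_WRITABLE_RE.search(value):
        return "high"
    if exc_type in ("Extensions", "Processes"):
        return "medium"
    return "low"


def scan_defender_events(events):
    """Turn 5007 events into alerts; exclusion changes get a severity rating."""
    alerts = []
    for ev in events:
        if ev.get("id") != 5007:
            continue
        parsed = parse_config_change(ev["message"])
        if not parsed:
            continue
        key, data = parsed
        exc = EXCLUSION_RE.search(key)
        if exc:
            alerts.append({
                "kind": "exclusion",
                "type": exc.group("type"),
                "exclusion": exc.group("value"),
                "severity": rate_exclusion(exc.group("type"), exc.group("value")),
            })
        else:
            # Any other Defender setting change (e.g. real-time protection) is
            # still worth a look, so it is kept at medium severity.
            alerts.append({"kind": "other", "key": key, "data": data, "severity": "medium"})
    return alerts


if __name__ == "__main__":
    for alert in scan_defender_events(SAMPLE_EVENTS):
        print(alert)
```

The same logic translates directly into a SIEM rule: match Event ID 5007, extract the "New value" key, and page on anything under Exclusions\Paths whose value is a drive root or a user-profile directory.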
After the VM detection stage is completed, the next stage involves a series of anti-analysis measures. Simple obfuscation techniques, such as using large amounts of unused code, make analysis more difficult and time-consuming.
The script also stops analysts from speeding up their work by refactoring it and stripping out unused code: variables are inserted in the middle of dummy code snippets, and removing them causes the script to terminate.
Once all these checks are complete, the script begins the process of delivering the Raspberry Robin worm to the system, downloading the DLL from the web using a curl command, and storing it in the local AppData folder.
The payload is requested via a cookie rather than a URL path, which lets the web server verify that the request came from the download script, reducing the chance of malware samples being leaked to researchers.
The downloaded file is then given a .dll extension and executed using msiexec, launching the Raspberry Robin malware, which runs its own series of anti-analysis and VM detection techniques before the final payload is executed.
This final payload could vary, according to Schläpfer, but he cautioned that he would be especially concerned if this attack sequence were used to deliver ransomware, and urged security professionals to counter the malware as early as possible in its infection chain to avoid compromises.
“This is particularly concerning given that Raspberry Robin has been used as a precursor to human-operated ransomware. Countering this malware early in its infection chain should be a high priority for security teams.”