Raspberry Robin Analysis

Nov. 20, 2024, 9:29 a.m.

Description

Raspberry Robin, a malicious downloader discovered in 2021, has been circulating for years, primarily spreading through infected USB devices. It stands out due to its unique binary-obfuscation techniques, extensive use of anti-analysis methods, and privilege escalation exploits. The malware uses multiple code layers, each employing various obfuscation techniques. It communicates with command-and-control servers via the TOR network and can propagate through networks. Raspberry Robin employs numerous anti-analysis and evasion methods, including CPU performance checks, Windows API manipulations, and registry modifications. It uses UAC-bypass methods and local privilege escalation exploits to elevate privileges. The malware's primary goal is to download and execute payloads on compromised hosts, collecting extensive system information before requesting the payload.

External References

https://www.zscaler.com/blogs/security-research/unraveling-raspberry-robin-s-layers-analyzing-obfuscation-techniques-and
https://otx.alienvault.com/pulse/673d0a2a7c47319a87f3e253
Tags
obfuscation
privilege-escalation
anti-analysis
tor
2024-11-19
raspberry robin
usb-spreading
network-propagation
CVE-2024-26229
CVE-2021-31969

Date

  • Created: Nov. 19, 2024, 9:59 p.m.
  • Published: Nov. 19, 2024, 9:59 p.m.
  • Modified: Nov. 20, 2024, 9:29 a.m.

Indicators

  • 852ce7c57c68243a1189db61e750056041bed3802f2c48dcee4cfc189b4e4949
  • 5b8043e178373d4b732c6bf1013173b9f9a1f30269996392da367547d6a4a70f
  • 0632a600bd59a0fab86fd199a041b1d159162ae1d8d7ad62150270257bd9bc8b
  • 240.0.0.0/4
  • 224.0.0.0/4
  • 127.0.0.0/8
  • https://yebmhucezgghpzwvgqi5y2djfufgtrwcbbta547oaxw5kzi6sa2hopad.onion:3054/
  • https://xbeopilgchtzd5u7yu36jlsp5cfgaqeuxkaon7yjle7lrtb3abi476id.onion:29454/
  • https://wwbshp6hgnvtqwtbychvrchldbwifnf7djlpnuvf45dgn5up7w4xqqqd.onion:43728/
  • https://wdmr4ow76xfig5rgffnufdu7o4abkowc7keqeaiq7fkrxofwsue5wtyd.onion:60499/
  • https://vwmnexb2eiaencaw64hcrvv7tucksas6qbms5acpa222m2c5wigq3syd.onion:22567/
  • https://vt6r47ek7oi2svzj2s4pguogzwumlulju4zkdf6nh7xnkugylxuy7tad.onion:23133/
  • https://vor57f3yvqw3ddq4o3gkzkqdvczenmf5isiyb7vp7tc7xiokrjxxzcqd.onion:30408/
  • https://vkz4q4hufi2ekksnwo2op4e5dgj7vatip2nvwmo2vsodmuau46yxmyyd.onion:37379/
  • https://vf4ucetbu7qcy3p3d7ayntpzhjo3fzlaszu3y4wzhq642hdw2ptxn7yd.onion:20898/
  • https://vbtzr7t7y7pxduueznc4mntv2zgrt66m4zvore5jahma2s7do7kguead.onion:14099/
  • https://uup6i2g2uhsmsts6t4h5s652hficknfnpzs662x2q3iym5ddninyemad.onion:38869/
  • https://twlittqpz6hslkwrwaczn6b55jb4iz46erykvrnzhlyfssnk5uwwlmyd.onion:44045/
  • https://tnpiydtimuugdaixsyuew4nofzggjdsyyo3ctw2uzi4drll4axm3diyd.onion:38584/
  • https://srssvp2lk3vnwttncfxogitwrdo5y7nljcj6razz3ghjqdpxp4x2m2yd.onion:16259/
  • https://sj5ud3jiqkp47zza57xvrpno5tw6nrvxbxzvgn4k2fmyzzprhf6jxxid.onion:46597/
  • https://sj3jle6rfggaumbex4fqhb63vj7so5sy6e7wlgrlmayk3pmhtmgtwfid.onion:48986/
  • https://s626jyykfd2vpeel7rswnlmwsjcumjgwsw2hdo3shphtih64ayu7n6yd.onion:57739/
  • https://s26a7zwwxapsmm3hi3awsz7cd5mjwxhl3gd6bplhiwvekm4hys2u32qd.onion:10429/
  • https://rucaoeomop3yeepq5iyawcxjjt6x3tah5flbai2fewotjwomf6xqvxqd.onion:8314/
  • https://rabwadnfs35sjfmrvka7vras7hj3s22aixx72da5x3zbsnk3cxxo77qd.onion:48151/
  • https://qryejmh3imdjrvns2rbncl3gfw5a2etzwktm2uplavp7jn4stw3lbwqd.onion:26196/
  • https://purcdflu3cqzjfc3rwzr2jxz2e6yiaiks4ej2sn4t4hux2lnksfe3dqd.onion:17141/
  • https://odvrlneiow77fspjz4lrj425jo7fmd5cv4q3iasjcqwe35ybei7wabyd.onion:43303/
  • https://nxwhpmhofmoglbaq66de3bl3hp5x5y6d7cnwhldjzdex4dokchzeqlad.onion:25785/
  • https://nuco75srh4vta5zglxcp4ziabljitvr5yfeqcnwzdauufkzo3hd2w3qd.onion:35495/
  • https://l234audkv4np4z7ifp2apoven7hzbyjrfvteoh6fvjarc6cd6vxfe4ad.onion:48212/
  • https://kvlrfiowwiwft7od7mlbdcxouuozm56dqv4uyhfcdbabqydv3htolvid.onion:26783/
  • https://kqt3ukq3rrodfxd7ce75rboussy6slxdprzcierd65oq26ddgpelyqid.onion:14927/
  • https://kohtbl3ucs6xvqosbxd7dnfh5y3ag6tjix3bdflz4p5dw4g3g62oygid.onion:55616/
  • https://knrkrkipiff7vxymch6t54b2n2wnizt6baqsbp24zyfmaggstjwpb6id.onion:11844/
  • https://j6ra6hqk7cssp5fazkwlltqdfbgl3azhktccc2hefoco46p4qhvgcgid.onion:35543/
  • https://j62wwivnsntjporvag3u3xc3rfrqio25a7lhxamgfnjd7kdnhpnu7eqd.onion:26622/
  • https://gqqw74q2ig2vfnrwhm6ulxe2ipzieckpiozjufvhhsxoidy5wjq2bmqd.onion:23899/
  • https://fthappkft575kd4snugjnqg7nbk5noxd7jnyvprulecbadzjkpszclyd.onion:52134/
  • https://fnnkuvyleutbgw65bedvueiflhytyds5fu6vxeg56ihr5qu6getug7ad.onion:18678/
  • https://exmd723nzabqwzd2iq3yjcqsavz6o65vxyl465vedfiiaefdjv3oiwyd.onion:44004/
  • https://e6f6ex6jdvwjv5453eeakpxa5l3fz255zmfpgtw7oxynepfm334725id.onion:15328/
  • https://dy4upangcmvzpx56we77keuhvtta2734w2upg3nuloqyxlhmipt63fid.onion:49716/
  • https://dqgpc53vh2rzagqolhyesfwhtnivr7l7gl745vy3wzzdpzca4epoy6qd.onion:55452/
  • https://cr5rnanscwakq3amo5nvdl4kdkhgbxv37aaqbqmmtjt6ufkwtke7suid.onion:35724/
  • https://cpxqqmy3xerxafsupnj2ucccgxnbbjujf5rfrvxdlkqxczidfz5rloyd.onion:36428/
  • https://bcxed2rymdhu7s2tec2xjtscfaqdvdyqxtasif6ym5epuyxddcrjncid.onion:42332/
  • https://b5z6wlu5427v5dyw3ax3agclku7gmtmnwiepjif3w6styzifcnl6vfqd.onion:13811/
  • https://ayah2jmok6u7eo6rtksfaxo6zcz6cgjpwnxtdo66jolz26ymaq6ssfid.onion:44844/
  • https://aonw5ldru6t4xwwl4ifzonaggkm7gcpegiyaccryzh64yzks3fkabiyd.onion:47210/
  • https://7bbkpvrpatpzrreu36bzemj7fejgglqqzwdn4avgvpf67zwqpzc44vqd.onion:55965/
  • https://7oqgixcydaoxc3ayv6raiufxmwpd22oeo56rbitbyv7ndmjqhsl5m7qd.onion:22408/
  • https://6x6k5kgzgtajkimxkto4m6eqcxfhcxirlwwtfsjd3ilwqfp5ovnyu2id.onion:36112/
  • https://6uhcvcp6hm2rvajmsrqhi6q5kgel2vwencjvnxouwv7a7erbwydjx6id.onion:4615/
  • https://6s75xlg3auzdnccos4re4hrmcxyg6fivxsqm3cldv2gowl2engljtqyd.onion:58212/
  • https://6praos6qyi3b5kcurfqe4kyh5ihu4k3z6mjbggkixnfyhbpomy5szoad.onion:4123/
  • https://6kykjg6h7sjqru5puc57mb2nhd2bwhtewdswnsg4rlr3rw6t4iqrpgyd.onion:13392/
  • https://6agzykvu3rjnwpdnky777ffxb5dj4fiemftho4tsoeakp2xa542pj7id.onion:34024/
  • https://64iahnunyhf6ph6qvakjp22a3j6wlvl4sdmbh6elwri6up5gpnm7xkyd.onion:33960/
  • https://5bqxmurmtkqlzis65uu22aspcuhivb6vpzpcpma5wfl5ngz2ha6oxzqd.onion:18231/
  • https://4rnzfvzybry65auecpi3n67c6ynuunvs77qpk45svyhhsj6oisibk3qd.onion:39567/
  • https://4jtsmu3u4yrbehjf4rzfwsswhpc7ohs4nrfnlfu3xebteeaf4uv3okyd.onion:37151/
  • https://3zs4zdszo3lesutdbuenzvlspuh6wljj6eyntv73dxxig3bk2wcskrad.onion:15842/
  • https://3bh22ezbxub3dopbqja7jjymdussvwgl3eu4xzlsdyagtnhzxy3tr3id.onion:3367/
  • https://2pxsdtxngssu3vqqujdfgu4bsmlkp3d2ytctawznlhhez6tq57wzpzqd.onion:55314/
  • yebmhucezgghpzwvgqi5y2djfufgtrwcbbta547oaxw5kzi6sa2hopad.onion
  • xbeopilgchtzd5u7yu36jlsp5cfgaqeuxkaon7yjle7lrtb3abi476id.onion
  • wwbshp6hgnvtqwtbychvrchldbwifnf7djlpnuvf45dgn5up7w4xqqqd.onion
  • wdmr4ow76xfig5rgffnufdu7o4abkowc7keqeaiq7fkrxofwsue5wtyd.onion
  • vwmnexb2eiaencaw64hcrvv7tucksas6qbms5acpa222m2c5wigq3syd.onion
  • vt6r47ek7oi2svzj2s4pguogzwumlulju4zkdf6nh7xnkugylxuy7tad.onion
  • vor57f3yvqw3ddq4o3gkzkqdvczenmf5isiyb7vp7tc7xiokrjxxzcqd.onion
  • vkz4q4hufi2ekksnwo2op4e5dgj7vatip2nvwmo2vsodmuau46yxmyyd.onion
  • vf4ucetbu7qcy3p3d7ayntpzhjo3fzlaszu3y4wzhq642hdw2ptxn7yd.onion
  • vbtzr7t7y7pxduueznc4mntv2zgrt66m4zvore5jahma2s7do7kguead.onion
  • uup6i2g2uhsmsts6t4h5s652hficknfnpzs662x2q3iym5ddninyemad.onion
  • twlittqpz6hslkwrwaczn6b55jb4iz46erykvrnzhlyfssnk5uwwlmyd.onion
  • tnpiydtimuugdaixsyuew4nofzggjdsyyo3ctw2uzi4drll4axm3diyd.onion
  • srssvp2lk3vnwttncfxogitwrdo5y7nljcj6razz3ghjqdpxp4x2m2yd.onion
  • sj5ud3jiqkp47zza57xvrpno5tw6nrvxbxzvgn4k2fmyzzprhf6jxxid.onion
  • sj3jle6rfggaumbex4fqhb63vj7so5sy6e7wlgrlmayk3pmhtmgtwfid.onion
  • s626jyykfd2vpeel7rswnlmwsjcumjgwsw2hdo3shphtih64ayu7n6yd.onion
  • s26a7zwwxapsmm3hi3awsz7cd5mjwxhl3gd6bplhiwvekm4hys2u32qd.onion
  • rabwadnfs35sjfmrvka7vras7hj3s22aixx72da5x3zbsnk3cxxo77qd.onion
  • rucaoeomop3yeepq5iyawcxjjt6x3tah5flbai2fewotjwomf6xqvxqd.onion
  • qryejmh3imdjrvns2rbncl3gfw5a2etzwktm2uplavp7jn4stw3lbwqd.onion
  • purcdflu3cqzjfc3rwzr2jxz2e6yiaiks4ej2sn4t4hux2lnksfe3dqd.onion
  • odvrlneiow77fspjz4lrj425jo7fmd5cv4q3iasjcqwe35ybei7wabyd.onion
  • nxwhpmhofmoglbaq66de3bl3hp5x5y6d7cnwhldjzdex4dokchzeqlad.onion
  • nuco75srh4vta5zglxcp4ziabljitvr5yfeqcnwzdauufkzo3hd2w3qd.onion
  • l234audkv4np4z7ifp2apoven7hzbyjrfvteoh6fvjarc6cd6vxfe4ad.onion
  • kvlrfiowwiwft7od7mlbdcxouuozm56dqv4uyhfcdbabqydv3htolvid.onion
  • kqt3ukq3rrodfxd7ce75rboussy6slxdprzcierd65oq26ddgpelyqid.onion
  • kohtbl3ucs6xvqosbxd7dnfh5y3ag6tjix3bdflz4p5dw4g3g62oygid.onion
  • knrkrkipiff7vxymch6t54b2n2wnizt6baqsbp24zyfmaggstjwpb6id.onion
  • j6ra6hqk7cssp5fazkwlltqdfbgl3azhktccc2hefoco46p4qhvgcgid.onion
  • j62wwivnsntjporvag3u3xc3rfrqio25a7lhxamgfnjd7kdnhpnu7eqd.onion
  • gqqw74q2ig2vfnrwhm6ulxe2ipzieckpiozjufvhhsxoidy5wjq2bmqd.onion
  • fthappkft575kd4snugjnqg7nbk5noxd7jnyvprulecbadzjkpszclyd.onion
  • fnnkuvyleutbgw65bedvueiflhytyds5fu6vxeg56ihr5qu6getug7ad.onion
  • exmd723nzabqwzd2iq3yjcqsavz6o65vxyl465vedfiiaefdjv3oiwyd.onion
  • e6f6ex6jdvwjv5453eeakpxa5l3fz255zmfpgtw7oxynepfm334725id.onion
  • dy4upangcmvzpx56we77keuhvtta2734w2upg3nuloqyxlhmipt63fid.onion
  • dqgpc53vh2rzagqolhyesfwhtnivr7l7gl745vy3wzzdpzca4epoy6qd.onion
  • cr5rnanscwakq3amo5nvdl4kdkhgbxv37aaqbqmmtjt6ufkwtke7suid.onion
  • cpxqqmy3xerxafsupnj2ucccgxnbbjujf5rfrvxdlkqxczidfz5rloyd.onion
  • bcxed2rymdhu7s2tec2xjtscfaqdvdyqxtasif6ym5epuyxddcrjncid.onion
  • b5z6wlu5427v5dyw3ax3agclku7gmtmnwiepjif3w6styzifcnl6vfqd.onion
  • ayah2jmok6u7eo6rtksfaxo6zcz6cgjpwnxtdo66jolz26ymaq6ssfid.onion
  • aonw5ldru6t4xwwl4ifzonaggkm7gcpegiyaccryzh64yzks3fkabiyd.onion
  • 7oqgixcydaoxc3ayv6raiufxmwpd22oeo56rbitbyv7ndmjqhsl5m7qd.onion
  • 7bbkpvrpatpzrreu36bzemj7fejgglqqzwdn4avgvpf67zwqpzc44vqd.onion
  • 6x6k5kgzgtajkimxkto4m6eqcxfhcxirlwwtfsjd3ilwqfp5ovnyu2id.onion
  • 6uhcvcp6hm2rvajmsrqhi6q5kgel2vwencjvnxouwv7a7erbwydjx6id.onion
  • 6s75xlg3auzdnccos4re4hrmcxyg6fivxsqm3cldv2gowl2engljtqyd.onion
  • 6praos6qyi3b5kcurfqe4kyh5ihu4k3z6mjbggkixnfyhbpomy5szoad.onion
  • 6kykjg6h7sjqru5puc57mb2nhd2bwhtewdswnsg4rlr3rw6t4iqrpgyd.onion
  • 6agzykvu3rjnwpdnky777ffxb5dj4fiemftho4tsoeakp2xa542pj7id.onion
  • 64iahnunyhf6ph6qvakjp22a3j6wlvl4sdmbh6elwri6up5gpnm7xkyd.onion
  • 5bqxmurmtkqlzis65uu22aspcuhivb6vpzpcpma5wfl5ngz2ha6oxzqd.onion
  • 4rnzfvzybry65auecpi3n67c6ynuunvs77qpk45svyhhsj6oisibk3qd.onion
  • 4jtsmu3u4yrbehjf4rzfwsswhpc7ohs4nrfnlfu3xebteeaf4uv3okyd.onion
  • 3zs4zdszo3lesutdbuenzvlspuh6wljj6eyntv73dxxig3bk2wcskrad.onion
  • 3bh22ezbxub3dopbqja7jjymdussvwgl3eu4xzlsdyagtnhzxy3tr3id.onion
  • 2pxsdtxngssu3vqqujdfgu4bsmlkp3d2ytctawznlhhez6tq57wzpzqd.onion
Download all indicators here!

Attack Patterns

  • Bumblebee - S1039
  • Raspberry Robin
  • T1134.005
  • T1027.003
  • T1027.001
  • T1078.001
  • T1497.003
  • T1548.002
  • T1497.002
  • T1055.012
  • T1027.002
  • T1055.002
  • T1497.001
  • T1548
  • T1027.005
  • T1497
  • T1218
  • T1055
  • T1134
  • T1140
  • T1027
  • T1078
  • CVE-2021-31969
  • CVE-2024-26229