Raspberry Robin Dupes Researchers With Fake and Real Payloads

What’s happening?

• From October to November, Raspberry Robin has targeted telecommunication service providers and government systems in Argentina, Australia, Mexico, Croatia, Italy, Brazil, France, India, and Colombia. 
• Experts suspect that the malware is just testing the waters by dropping both fake and real payloads, depending upon the infection environment.

Unraveling the ‘fake’ strategy

• The main malware routine contains both real and fake payloads. When the routine detects sandbox and analysis solutions, it loads the fake payload - an adware named BrowserAssistant.
• The fake payload features two additional layers. It attempts to read the Windows registry to find infection markers upon execution and further proceeds to gather basic system information. These steps are implemented to trick the analyst into believing this was the final payload.

The ‘real’ strategy

• It uses privilege escalation techniques to gain administrative privileges and drops a copy of itself in a system folder.
• Next, it uses a UAC bypass technique to execute the dropped files as administrator. 
• Once ready, the malware attempts to connect to the hard-coded Tor addresses to facilitate the exchange of information to its operators.

The takeaway

• Though the dynamics and objectives of operators behind Raspberry Robin are still not much clear, they are usually seen selling initial access to ransomware gangs and malware operators.
• Can it be said that the actors behind are planning something big? Nonetheless, Windows users must be vigilant about the USB drives that they choose to insert into their systems.