Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection and analysis by infiltrating systems primarily via USB drives, utilizing the TOR network for covert communication with its C2 servers. 

The malware’s multi-layered structure and extensive use of anti-analysis methods hinder security measures.

Raspberry Robin poses a significant threat by exploiting system vulnerabilities and propagating through networks, often serving as a conduit for deploying other malicious payloads like Bumblebee. 

It employs a multi-layered obfuscation technique to evade detection and begins with anti-analysis checks, including code emulation detection and write-combining techniques to identify virtual environments. 

Then it decompresses and decrypts subsequent layers, each with its own set of obfuscation methods.

If any anti-analysis check fails, a decoy payload is executed to divert attention from the malicious core.

The final layer, once decrypted, contains the core payload, which is typically a backdoor or information stealer.

The sixth layer of Raspberry Robin employs various anti-analysis techniques to evade detection, which checks for common analysis environments, virtual machines, and debuggers.

If any suspicious activity is detected, the layer executes a decoy payload. Otherwise, it decrypts and executes the final stage, marking the successful bypass in the Process Environment Block.

It leverages a multi-layered obfuscation approach to hinder analysis by employing advanced techniques like control flow flattening, bogus control flow, string encryption, and indirect calls. 

To further complicate the analysis, it incorporates complex key derivation and dependency chains, requiring the resolution of global variables and function parameters, where these layers of obfuscation make it challenging to reverse engineer the malware’s behavior and identify its malicious intent.

There are various techniques for persistence, propagation, and evasion, which employ registry manipulation, file system operations, and process injection to establish persistence. For propagation, it targets remote desktop sessions and network shares. 

To evade detection, it uses anti-debugging techniques, process hiding, and obfuscation, modifies system settings, and disables security features to hinder analysis. 

Legitimate tools like PsExec and PAExec propagate laterally within a network, generating self-extracting payloads using IExpress and executing them on compromised hosts. 

To elevate privileges, it employs various UAC bypass techniques and exploits, including CVE-2024-26229 and CVE-2021-31969, which also modify firewall rules and add exclusions to evade detection. 

The malware’s modular design and use of legitimate tools make it resilient and difficult to detect, while the TOR network for anonymous communication initially uses a legitimate onion domain to establish a secure channel. 

It then injects malicious code into a system process, using techniques like process hollowing and APC injection, which downloads and executes a payload and is encrypted and obfuscated to evade detection. 

According to Zscaler, it collects extensive system information, including network details, hardware specifications, and software installations, and sends it to a C2 server by modifying the initial executable file to generate a unique identifier for the infected host.

Are you from SOC/DFIR Teams? – Analyse Malware & Phishing with ANY.RUN -> Try for Free