Raspberry Robin is a malware that has been around for some time now and spreads via infected USB drives.
Here is what we have seen over the last 10 months. 🧵 1/12 #RaspberryRobin #malware
Since December 2021, we've seen several cases mostly in Hungary🇭🇺 and Germany🇩🇪 but also a few in Russia🇷🇺 and India🇮🇳. 🧵 2/12
The user always clicked the malicious link, so no automatic infection when the USB drive was plugged in. 🧵 3/12
In many cases, we had a chance to talk to the affected user. Independently of each other, every user reported having used the USB stick for printing in print/copy stores🖨️. 🧵 4/12
One user reported that the malicious shortcut was on the USB drive only after visiting the print store and not before.🤔 🧵 5/12
In most of the observed cases, nothing much happened on the system after the infected USB drive was plugged in because the 2nd stage payload was no longer available under the malicious URL. 🧵 6/12
In very few cases, however, we have seen Tor communications, confirming what other researchers have also seen. However, there was no follow-up infection with another payload. 🧵 7/12
In one recent case, something interesting actually happened. Right after a successful Raspberry Robin infection, a malicious JavaScript was executed which can be attributed to #SocGholish #FakeUpdates. 🧵 8/12
@MsftSecIntel 👋 also reported on it recently, so we are happy to confirm. ☺️ 🧵 9/12
The experienced reader will have noticed that there are still many unresolved questions❓.
If victims are really infected via print stores, how are the print stores initially infected?
How do they infect the QNAP/SOHO routers to roll out their 2nd stage payload? 🧵 10/12
What does the heavily obfuscated DLL they drop do in detail?
What is the final goal of those campaigns?
We will continue to track 🧐 this actor and hope that the future will bring answers to these questions. 🧵 11/12