Raspberry Robin Distributed Through Windows Script Files

Written by

Threat actors distributing Raspberry Robin now use Windows Script Files (WSF) to spread the worm alongside other methods, such as USB drives.

HP Threat Research identified new campaigns starting in March 2024 in which Raspberry Robin was spread through highly obfuscated Windows Script Files, using anti-analysis techniques.

Raspberry Robin is a Windows worm first discovered in 2021. Initially, threat actors relying on the worm spread it to target hosts using removable media like USB drives.

Over the years, threat actors have used other attack vectors, including archive files (.rar, .zip) and malicious adverts, to deliver the worm.

In March, hackers started spreading it through Windows Script Files, a file type generally used by administrators and legitimate software to automate tasks within Windows.

They shared their findings in a report published on April 10, 2024.

Decoding Raspberry Robin’s WSF Distribution  

The .wsf file format supports scripting languages, such as JScript and VBScript, that are interpreted by the Windows Script Host component built into the Windows operating system.

The Windows Script Files are offered for download via various malicious domains and subdomains controlled by the attackers.

Although it is unclear how threat actors lure users to the malicious URLs, HP threat researchers believe this could be via spam or malvertising campaigns.

The script file acts as a downloader and uses various anti-analysis and virtual machine (VM) detection techniques.

The final payload is only downloaded and executed when all these evaluation steps indicate that the malware is running on a real device, rather than in a sandbox.

The malware also checks for the following security software vendors:

  • Kaspersky
  • ESET
  • Avast
  • Avira
  • Check Point
  • Bitdefender

The researchers assessed that, at the time of analysis, no anti-virus scanners on VirusTotal classified those files as malicious, demonstrating the malware's evasiveness.

Raspberry Robin WSF downloader with a 0% detection rate on VirusTotal. Source: HP Threat Research
Raspberry Robin WSF downloader with a 0% detection rate on VirusTotal. Source: HP Threat Research

“The WSF downloader is heavily obfuscated and uses many anti-analysis and anti-VM techniques, enabling the malware to evade detection and slow down analysis. This is particularly concerning given that Raspberry Robin has been used as a precursor for human-operated ransomware. Countering this malware early on in its infection chain should be a high priority for security teams,” the researchers concluded.

What’s hot on Infosecurity Magazine?