A new wave of the Raspberry Robin malware campaign has been discovered, spreading through malicious Windows Script Files (WSFs) since March 2024. The malware, also known as QNAP worm, has evolved into a downloader for various other payloads and is linked to the broader cybercrime ecosystem. The latest distribution vector involves the use of heavily obfuscated WSF files offered for download via various domains and subdomains, with the malware employing anti-analysis and anti-virtual machine techniques to evade detection. Additionally, it configures Microsoft Defender Antivirus exclusion rules to avoid being scanned, posing a serious infection risk.
The Raspberry Robin malware has evolved to include one-day exploits targeting vulnerabilities in Windows systems, indicating that the malware operator has access to exploit code or sources. The malware has also implemented new evasion techniques and distribution methods, including the use of Discord to drop malicious files onto targets. Check Point reports an increase in Raspberry Robin's operations, with large attack waves targeting systems worldwide. The malware now leverages exploits for CVE-2023-36802 and CVE-2023-29360 to elevate privileges on infected devices, and it has added new mechanisms for evading security tools and OS defenses. The malware's operators are likely connected to a developer that provides exploit code, and Check Point provides indicators of compromise for identifying Raspberry Robin.
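The Microsoft Defender exclusion behaviour described above leaves a trace that defenders can hunt for: Defender logs every configuration change as Event ID 5007 in its Operational channel, and the message names the registry value written. The following Python is an added example, not code from the original reports or from Check Point; it flags exclusion additions in constructed sample events (the message text, paths and the severity heuristics are assumptions made for the example).

```python
import re
from dataclasses import dataclass

# Constructed sample of (event_id, message) pairs modelled on the Defender
# Operational log; Event ID 5007 reports a configuration change and its
# "New value" line carries the registry key that was written.
SAMPLE_EVENTS = [
    (5007, "Windows Defender Antivirus Configuration has changed.\n"
           "\tOld value: \n"
           "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
           "\\Paths\\C:\\Users\\Public = 0x0"),
    (5007, "Windows Defender Antivirus Configuration has changed.\n"
           "\tOld value: \n"
           "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
           "\\Extensions\\.wsf = 0x0"),
    (5007, "Windows Defender Antivirus Configuration has changed.\n"
           "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
           "\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1"),
    (1116, "Windows Defender Antivirus has detected malware or other potentially unwanted software."),
]

# Matches only writes under the Exclusions key; the kind (Paths/Extensions/
# Processes) and the excluded target are captured for triage.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x[0-9a-fA-F]+", re.IGNORECASE)

# Heuristics (assumptions for this example): script extensions, user-writable
# directories and script hosts are the exclusions most worth escalating.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".bat", ".cmd"}
WRITABLE_HINTS = ("\\users\\public", "\\temp", "\\appdata", "\\programdata", "\\downloads")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe")

@dataclass
class ExclusionChange:
    kind: str
    target: str
    severity: str

def classify(kind: str, target: str) -> str:
    t = target.lower()
    if kind == "Extensions" and t in SCRIPT_EXTENSIONS:
        return "high"
    if kind == "Paths" and (any(h in t for h in WRITABLE_HINTS) or re.fullmatch(r"[a-z]:\\?", t)):
        return "high"  # broad or user-writable location
    if kind == "Processes" and t.endswith(SCRIPT_HOSTS):
        return "high"
    return "medium"

def find_exclusion_changes(events) -> list:
    """Return one ExclusionChange per Event 5007 that added a Defender exclusion."""
    findings = []
    for event_id, message in events:
        if event_id != 5007:
            continue
        m = EXCLUSION_RE.search(message)
        if m:
            kind, target = m.group(1), m.group(2)
            findings.append(ExclusionChange(kind, target, classify(kind, target)))
    return findings

if __name__ == "__main__":
    for f in find_exclusion_changes(SAMPLE_EVENTS):
        print(f"[{f.severity}] Defender exclusion added: {f.kind} -> {f.target}")
```

On a live host the same events can be pulled from the `Microsoft-Windows-Windows Defender/Operational` channel and fed to `find_exclusion_changes`; the real-time-protection change in the third sample is deliberately not matched, since it is a different (though also suspicious) setting.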