Raspberry Robin Malware Targets Telecom, Governments
We noted that layers 3 and 5 are capable of anti-analysis techniques. Meanwhile, we found that not all layers have unique packers. The fourth and seventh layers are identical, as are the tenth and thirteenth. The packing of the eighth and fourteenth layers is also similar. This repeated use of packers implies that the group is using a separate packing program. We are continuing our analysis to determine whether this program is their own or outsourced to other groups, as this technique can be indicative of the group’s future use of these same packers. It is also possible that these packers will be replaced with variations in patterns.
On layer 8, the payload loader, the execution splits into two paths. If the malware detects that it is being analyzed, it loads the fake payload. Otherwise, it loads the real payload.
Fake payload
The fake payload has two layers. The first is a shellcode with an embedded PE file, while the second is a PE file with its MZ header and PE signature removed. The first layer loads the second layer and jumps into it.
Upon execution, the second layer immediately creates a thread whose start address is its main routine. The routine first attempts to read the registry value named “Active” at <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Media>. This serves as an infection marker. If the read fails, it writes the string value “1” into this registry value, then gathers system information: the computer name, current username, processor brand, and display device names. In some versions of the fake payload, the data is encrypted using RC4 with a hard-coded key. The system information is then appended to the URL http[:]//{IP address}:8080/. The full URL is then accessed, and a file is downloaded. In some versions of the malware, this downloaded file is also executed.
Analyzing other sample versions of the fake payload, we found that if the main routine is successful, it checks whether the system is joined to a domain by checking for the existence of the environment variable USERDNSDOMAIN. If this variable does not exist, it drops and executes an adware named BrowserAssistant to %User Temp%\{random number}.exe, likely to make an analyst feel complacent about having already found the payload and therefore no longer needing to study the samples further.
Real payload
The real payload is made up of three layers, with the third layer containing the actual payload binary packed twice. Within the real payload is an embedded custom Tor client designed to communicate with the real payload using shared memory.
Installation
Its method for checking whether the malware has been installed on the system involves checking if it is running in Session 0. Prior to Windows Vista, services were run in the session of the first user to log in to the system, which is called Session 0. However, from Windows Vista onward, Microsoft introduced a security enhancement called “Session 0 Isolation,” where Session 0 is now reserved for services and other non-interactive user applications.
With this security enhancement, the threat actor confirms whether the user profile is running with administrative privileges or not. If it is not in Session 0, it drops a copy of itself in <%ProgramData%\{random folder name}\{random file name}.{extension}> to elevate privileges, or in <%ProgramData%\Microsoft\{random folder name}\{random file name}.{extension}> if the user is running as an admin. In this manner, a security analyst would view the malicious routine as having been started and run by a legitimate Windows process, allowing the routine to evade detection. The extension name is randomly chosen from the following:
- .bak
- .dat
- .db
- .dmp
- .etl
- .idx
- .json
- .lkg
- .lock
- .log
- .man
- .tmp
- .txt
- .vdm
- .xml
- .xsd
It also sets the following registry entry to enable its automatic execution at system startup. If the user is not at an admin level, the malware modifies the registry with
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
{random value name} = “rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s “{dropped copy path and file name}.””
Conversely, if the user’s profile has admin privileges, the registry is modified with
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\{random key name}
{random value name} = “shell32|ShellExec_RunDLLA|REGSVR /u /s “{dropped copy path and file name}.””
Privilege escalation
After dropping a copy of itself, it executes the dropped copy as Administrator using a UAC (User Account Control) bypass technique. It implements a variation of the ucmDccwCOMMethod technique from UACMe, thereby abusing the built-in Windows AutoElevate backdoor.
It first checks whether atcuf32.dll, aswhook.dll, or avp.exe is loaded in the system. These files belong to the security products of Bitdefender, Avast, and Kaspersky, respectively. If one of these is loaded, it does not proceed to the UAC bypass routine. It then drops a shortcut file to <%User Temp%\{random file name}.lnk> that contains the command line
rundll32.exe SHELL32,ShellExec_RunDLL “C:\Windows\system32\ODBCCONF.EXE” /a {configsysdsn OCNKBENXGMI etba odjcnr} /A {installtranslator fxodi} -a {installdriver qmprmxf} /a {configsdn HHAP} regsvr “{dropped copy path and file name}.” /S /e -s
It then creates an elevated COM object for CMLuaUtil and uses it to set a custom display calibrator in the registry that points to the dropped LNK file. It sets the custom display calibrator by setting the registry value
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
DisplayCalibrator = “%User Temp%\{random file name}.lnk”
It then creates an elevated COM object for ColorDataProxy and calls its method “LaunchDccw” to load the calibrator, thus executing the malicious LNK. Afterward, it sets the registry value DisplayCalibrator back to “%SystemRoot%\System32\DCCW.exe” to hide its activity.
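The RunOnce/RunOnceEx persistence described under Installation and the DisplayCalibrator hijack above leave registry traces that a host triage script can check. The following Python is an added example written for this article, not the vendor's own tooling: it scans a constructed registry snapshot in which the key names, value formats and stock DCCW.exe path come from the article, while the random value names and file paths are made up.

```python
import ntpath
import re

# Extensions the dropped copy may carry (from the installation section)
DROP_EXTENSIONS = {".bak", ".dat", ".db", ".dmp", ".etl", ".idx", ".json", ".lkg",
                   ".lock", ".log", ".man", ".tmp", ".txt", ".vdm", ".xml", ".xsd"}
# Matches the RunOnce form 'rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s "..."' and the RunOnceEx form 'shell32|ShellExec_RunDLLA|REGSVR /u /s "..."'
SHELLEXEC_REGSVR = re.compile(r'ShellExec_RunDLLA\W+REGSVR\s+/u\s+/s\s+"([^"]+)"', re.I)
STOCK_CALIBRATOR = r"%systemroot%\system32\dccw.exe"  # value the malware restores afterwards

# Constructed snapshot of (key, value name, data); the random names and paths are invented
SAMPLE_SNAPSHOT = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce", "qzt4",
     r'rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s "C:\ProgramData\kq8d\wvn2.lkg."'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001", "x1",
     r'shell32|ShellExec_RunDLLA|REGSVR /u /s "C:\ProgramData\Microsoft\hh3\ab.dmp."'),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration",
     "DisplayCalibrator", r"C:\Users\a\AppData\Local\Temp\o2k.lnk"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Updater",
     r'"C:\Program Files\Vendor\update.exe" /silent'),                        # benign entry
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration",
     "DisplayCalibrator", r"%SystemRoot%\System32\DCCW.exe"),                # stock value
]

def check_runonce(key, data):
    """Flag RunOnce/RunOnceEx data that relaunches a dropped file through shell32 + REGSVR."""
    m = SHELLEXEC_REGSVR.search(data) if r"\currentversion\runonce" in key.lower() else None
    if not m:
        return None
    path = m.group(1).rstrip(".")  # the loader quotes the path with a trailing dot, which Windows ignores
    ext = ntpath.splitext(path)[1].lower()
    if "\\programdata\\" in path.lower() and ext in DROP_EXTENSIONS:
        return f"ShellExec_RunDLLA/REGSVR relaunch of non-executable {ext} file under ProgramData: {path}"
    return f"ShellExec_RunDLLA/REGSVR relaunch of {path}"

def check_calibrator(key, name, data):
    """Flag a DisplayCalibrator value that does not point at the stock DCCW.exe."""
    if not key.lower().endswith(r"\icm\calibration") or name.lower() != "displaycalibrator":
        return None
    return None if data.lower() == STOCK_CALIBRATOR else f"DisplayCalibrator redirected to {data}"

def scan(snapshot):
    """Return (key, value name, reason) for every entry that trips either check."""
    findings = []
    for key, name, data in snapshot:
        for reason in (check_runonce(key, data), check_calibrator(key, name, data)):
            if reason:
                findings.append((key, name, reason))
    return findings
```

Running `scan(SAMPLE_SNAPSHOT)` flags the two RunOnce relaunch entries and the LNK calibrator while leaving the benign updater and the stock DCCW.exe value alone; a real export would come from a registry dump or EDR telemetry rather than the inline list.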
Main routine
Running in Session 0, the real payload attempts to connect to the hard-coded Tor addresses, with the connections made in another process. To facilitate the exchange of information between the real payload and the Tor-connecting process, a named shared memory map is created with the following format: