Raspberry Robin Distributed Through Windows Script Files
Threat actors distributing Raspberry Robin now use Windows Script Files (WSF) to spread the worm alongside other methods, such as USB drives.
HP Threat Research identified new campaigns starting in March 2024 in which Raspberry Robin was spread through highly obfuscated Windows Script Files, using anti-analysis techniques.
Raspberry Robin is a Windows worm first discovered in 2021. Initially, threat actors relying on the worm spread it to target hosts using removable media like USB drives.
Over the years, threat actors have used other attack vectors, including archive files (.rar, .zip) and malicious adverts, to deliver the worm.
In March, hackers started spreading it through Windows Script Files, a file type generally used by administrators and legitimate software to automate tasks within Windows.
HP's threat researchers shared their findings in a report published on April 10, 2024.
Decoding Raspberry Robin’s WSF Distribution
The .wsf file format supports scripting languages, such as JScript and VBScript, that are interpreted by the Windows Script Host component built into the Windows operating system.
The Windows Script Files are offered for download via various malicious domains and subdomains controlled by the attackers.
Although it is unclear how threat actors lure users to the malicious URLs, HP threat researchers believe this could be via spam or malvertising campaigns.
The script file acts as a downloader and uses various anti-analysis and virtual machine (VM) detection techniques.
The final payload is only downloaded and executed when all these evaluation steps indicate that the malware is running on a real device, rather than in a sandbox.
The malware also checks for the following security software vendors:
- Kaspersky
- ESET
- Avast
- Avira
- Check Point
- Bitdefender
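As an added defender-side example (my code, not from the HP report or this article), here is a small Python triage script that parses a .wsf file's XML job structure, pulls out its JScript/VBScript blocks, and scores them on obfuscation markers and references to the vendors listed above; the sample files, the heuristic call list, thresholds and weights are constructed assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Vendors the report lists (their names in a script are one signal) and
# decode/eval functions typical of string obfuscation in WSH scripts (assumed heuristic list).
VENDOR_NAMES = ["Kaspersky", "ESET", "Avast", "Avira", "Check Point", "Bitdefender"]
DECODE_CALLS = re.compile(r"\b(eval|unescape|String\.fromCharCode|Execute|ExecuteGlobal)\b")
# Constructed, inert sample: it is only parsed here, never executed by a script host.
SAMPLE_WSF = """<job id="Update">
<script language="JScript"><![CDATA[
var a = unescape("%4b%61%73%70%65%72%73%6b%79%20%45%53%45%54");
var b = "Kaspersky Bitdefender ESET";
var c = "4a8f1c2e9b7d3e5f6a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f7";
eval(a);
]]></script>
</job>
"""
BENIGN_WSF = '<job><script language="VBScript">WScript.Echo "hello"</script></job>'

def extract_scripts(wsf_text):
    """Return (language, code) for each <script> element; WSF is XML, so use a real parser."""
    try:
        root = ET.fromstring(wsf_text)
        return [(s.get("language", ""), s.text or "") for s in root.iter("script")]
    except ET.ParseError:  # malformed XML: fall back to a tolerant regex
        pat = re.compile(r'<script[^>]*language="([^"]*)"[^>]*>(.*?)</script>', re.S | re.I)
        return pat.findall(wsf_text)

def triage_wsf(wsf_text):
    """Score a .wsf file on obfuscation and anti-AV indicators; higher means inspect first."""
    score, reasons, vendors = 0, [], []
    for lang, code in extract_scripts(wsf_text):
        calls = sorted({m.group(1) for m in DECODE_CALLS.finditer(code)})
        if calls:
            score += 2 * len(calls)
            reasons.append(f"{lang}: decode/eval calls {calls}")
        longest = max((len(s) for s in re.findall(r'"([^"]*)"', code)), default=0)
        if longest >= 40:  # long opaque literals usually carry an encoded stage
            score += 3
            reasons.append(f"{lang}: string literal of {longest} chars")
        escapes = len(re.findall(r"%[0-9A-Fa-f]{2}", code))
        if escapes >= 8:  # dense %xx sequences feed unescape()-style decoding
            score += 2
            reasons.append(f"{lang}: {escapes} percent-encoded bytes")
        found = [v for v in VENDOR_NAMES if v.lower() in code.lower()]
        if found:
            score += 3
            vendors.extend(found)
            reasons.append(f"{lang}: references security vendors {found}")
    return {"score": score, "vendors": vendors, "reasons": reasons}
```

Feed it files collected from a download directory or a mail gateway quarantine; a non-zero score is a reason to pull the file for manual analysis, not a verdict.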
The researchers assessed that, at the time of analysis, no anti-virus scanners on VirusTotal classified those files as malicious, demonstrating the malware’s evasiveness.
“The WSF downloader is heavily obfuscated and uses many anti-analysis and anti-VM techniques, enabling the malware to evade detection and slow down analysis. This is particularly concerning given that Raspberry Robin has been used as a precursor for human-operated ransomware. Countering this malware early on in its infection chain should be a high priority for security teams,” the researchers concluded.