Potential Raspberry Robin Registry Set Internet Settings ZoneMap

    Date: 08/05/2024

    Severity: Medium

    Summary

    "Potential Raspberry Robin Registry Set Internet Settings ZoneMap" is a detection for registry writes to the Internet Settings ZoneMap key. ZoneMap is the key Internet Explorer, and any application that goes through the Windows URL security-zone machinery, uses to assign hosts, URLs and paths to zones such as Local intranet, Trusted sites or Restricted sites. Four DWORD values under it decide what counts as Local intranet: IntranetName (local sites not listed in another zone), ProxyByPass (hosts that bypass the proxy server), UNCAsIntranet (network/UNC paths) and AutoDetect (automatic intranet detection; while it is 1 the other three are ignored). Setting IntranetName, ProxyByPass and UNCAsIntranet to 1 and AutoDetect to 0 widens the Local intranet zone so that content reached over UNC paths or outside the proxy is handled as trusted intranet content, with the lower prompts and restrictions that zone carries. This tampering has been associated with the Raspberry Robin malware (see the referenced Sigma rule), so the detection looks for these value writes when the writing process runs from a user-writable or temporary location (AppData\Local\Temp, Downloads, Users\Public, Windows\Temp) or is control.exe, the Control Panel host. The same values are also written by legitimate management tooling (Group Policy, endpoint management agents, installers), so hits from such sources should be baselined before the rule is used for alerting.

    Indicators of Compromise (IOC) List

    These are the field values the detection matches on in Sysmon Event ID 13 (RegistryValueSet) and equivalent EDR registry telemetry.

    Image (process writing the value; directory fragments are matched as substrings of the path, control.exe as the image name)

    AppData\Local\Temp
    Downloads
    Users\Public
    Windows\Temp
    control.exe

    TargetObject (registry key; matched as a path fragment, so it covers HKLM as well as HKU\<SID> paths)

    SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

    Value names under that key

    IntranetName
    ProxyByPass
    UNCAsIntranet
    AutoDetect

    Details (value written)

    DWORD (0x00000001) for IntranetName, ProxyByPass or UNCAsIntranet
    DWORD (0x00000000) for AutoDetect

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((resourceName = "Sysmon"  AND eventtype = "13") AND image in ("AppData\Local\Temp" ,"Downloads", "Users\Public", "Windows\Temp", "control.exe" ) ) AND targetobject in ("SOFTWARE","Microsoft","Windows","CurrentVersion","Internet Settings","ZoneMap") AND Targetobject in ("IntranetName","ProxyByPass","UNCAsIntranet") AND Details like "DWORD (0x00000001)"

    Detection Query 2

    ((resourceName = "Sysmon"  AND eventtype = "13") AND image in ("AppData\Local\Temp" ,"Downloads", "Users\Public", "Windows\Temp", "control.exe" ) ) AND targetobject in ("SOFTWARE","Microsoft","Windows","CurrentVersion","Internet Settings","ZoneMap") AND Targetobject IN ("AutoDetect") AND Details like "DWORD (0x00000000)"

    Detection Query 3

    ((technologygroup = "EDR" ) AND image in ("AppData\Local\Temp" ,"Downloads", "Users\Public", "Windows\Temp", "control.exe" ) ) AND targetobject in ("SOFTWARE","Microsoft","Windows","CurrentVersion","Internet Settings","ZoneMap") AND Targetobject in ("IntranetName","ProxyByPass","UNCAsIntranet") AND Details like "DWORD (0x00000001)"

    Detection Query 4

    ((technologygroup = "EDR" ) AND image in ("AppData\Local\Temp" ,"Downloads", "Users\Public", "Windows\Temp", "control.exe" ) ) AND targetobject in ("SOFTWARE","Microsoft","Windows","CurrentVersion","Internet Settings","ZoneMap") AND Targetobject IN ("AutoDetect") AND Details like "DWORD (0x00000000)"
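    The matching logic behind the four queries above, applied to Sysmon Event ID 13 records, as an added example. This is not Gurucul's or SigmaHQ's code; the field fragments come from the rule and the IOC list on this page, the sample events are constructed (not real telemetry), and the event layout is reduced to the four fields the rule needs. String comparisons are case-insensitive, mirroring Sigma's contains/endswith modifiers.

```python
# Added example (not Gurucul's or SigmaHQ's code): the ZoneMap tamper logic
# from the rule above, evaluated over constructed Sysmon EID 13 records.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field fragments taken from the rule. Sigma string matching is case-insensitive,
# so every comparison below lower-cases both sides.
SUSPICIOUS_IMAGE_DIRS = (
    "\\AppData\\Local\\Temp\\",
    "\\Downloads\\",
    "\\Users\\Public\\",
    "\\Windows\\Temp\\",
)
SUSPICIOUS_IMAGE_NAMES = ("\\control.exe",)
ZONEMAP_KEY = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\"
# Values that widen the Local intranet zone when set to 1.
WIDEN_VALUES = ("\\IntranetName", "\\ProxyByPass", "\\UNCAsIntranet")
# Value that, when set to 0, switches off automatic intranet detection so the
# explicit settings above take effect.
AUTODETECT_VALUE = "\\AutoDetect"
DWORD_ONE = "DWORD (0x00000001)"
DWORD_ZERO = "DWORD (0x00000000)"


@dataclass(frozen=True)
class RegistrySetEvent:
    """The Sysmon EID 13 fields the rule needs."""
    event_id: int
    image: str
    target_object: str
    details: str


def image_is_suspicious(image: str) -> bool:
    """Image runs from a user-writable/temp directory, or is control.exe."""
    img = image.lower()
    return any(d.lower() in img for d in SUSPICIOUS_IMAGE_DIRS) or any(
        img.endswith(n.lower()) for n in SUSPICIOUS_IMAGE_NAMES
    )


def zonemap_tamper(event: RegistrySetEvent) -> Optional[str]:
    """Return a verdict label if the event matches the rule, else None."""
    if event.event_id != 13:          # only RegistryValueSet events carry Details
        return None
    if not image_is_suspicious(event.image):
        return None
    target = event.target_object.lower()
    if ZONEMAP_KEY.lower() not in target:
        return None
    if any(target.endswith(v.lower()) for v in WIDEN_VALUES) and event.details == DWORD_ONE:
        return "zonemap_intranet_widened"
    if target.endswith(AUTODETECT_VALUE.lower()) and event.details == DWORD_ZERO:
        return "zonemap_autodetect_disabled"
    return None


def run_detection(events: List[RegistrySetEvent]) -> List[Tuple[str, str, str]]:
    """Apply the rule to a batch and return (image, target_object, verdict) hits."""
    hits = []
    for ev in events:
        verdict = zonemap_tamper(ev)
        if verdict:
            hits.append((ev.image, ev.target_object, verdict))
    return hits


# Constructed sample events (not real telemetry). Sysmon records HKCU keys
# under HKU\<SID>, which is why the key match is a path fragment, not a prefix.
_KEY = ("HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows"
        "\\CurrentVersion\\Internet Settings\\ZoneMap\\")
SAMPLE_EVENTS = [
    # 1: dropper in %TEMP% makes UNC paths part of the intranet zone -> hit
    RegistrySetEvent(13, "C:\\Users\\alice\\AppData\\Local\\Temp\\qwe.exe", _KEY + "UNCAsIntranet", DWORD_ONE),
    # 2: control.exe turns off AutoDetect -> hit
    RegistrySetEvent(13, "C:\\Windows\\System32\\control.exe", _KEY + "AutoDetect", DWORD_ZERO),
    # 3: same write by a non-suspicious image (Group Policy script host) -> no hit
    RegistrySetEvent(13, "C:\\Windows\\System32\\gpscript.exe", _KEY + "AutoDetect", DWORD_ZERO),
    # 4: suspicious image but the value is tightened (0), not widened -> no hit
    RegistrySetEvent(13, "C:\\Users\\alice\\Downloads\\setup.exe", _KEY + "UNCAsIntranet", DWORD_ZERO),
    # 5: key creation (EID 12) rather than a value set -> no hit
    RegistrySetEvent(12, "C:\\Users\\Public\\x.exe", _KEY + "ProxyByPass", DWORD_ONE),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

    The third sample is the false-positive case the summary warns about: the same AutoDetect write from a management binary is deliberately not a hit, because the rule gates on the writing image, not on the value alone. If that gate is loosened (for example to catch the write from any image), expect Group Policy and endpoint-management agents to show up and baseline them first.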

    Category: Sigma

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
