Date: 09/20/2024
Severity: Medium
Summary
"Raspberry Robin Subsequent Execution of Commands" refers to activity in which an initial Raspberry Robin infection is used to execute further commands on the compromised host. The malware typically spreads through removable media and then lets the operators run additional scripts or payloads. This gives them ongoing control of the infected device and enables data theft or further exploitation. The name "Raspberry Robin" denotes its distinctive method of propagation and execution, and the family illustrates the growing sophistication of malware strategies.
Indicators of Compromise (IOC) List
Field | Values |
Image | '\rundll32.exe', '\regsvr32.exe' |
ParentImage | '\fodhelper.exe' |
CommandLine | 'odbcconf.exe', 'regsvr', 'shellexec_rundll', 'installdriver', 'setfiledsndir', 'vkipdse', '/a', '/f', '/s' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | (((resourcename in ("Sysmon") AND eventtype = "1") AND image IN ("\rundll32.exe","\regsvr32.exe") AND parentimage = "\fodhelper.exe") AND commandline IN ("odbcconf.exe","regsvr","shellexec_rundll","installdriver","setfiledsndir","vkipdse","/a","/f","/s")) |
Detection Query 2 | (((technologygroup = "EDR") AND image IN ("\rundll32.exe","\regsvr32.exe") AND parentimage = "\fodhelper.exe") AND commandline IN ("odbcconf.exe","regsvr","shellexec_rundll","installdriver","setfiledsndir","vkipdse","/a","/f","/s")) |
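To show how the three conditions in the queries above behave on process-creation telemetry, here is an added Python example (not Gurucul's or the page's own code) that applies them to constructed Sysmon Event ID 1 records. It assumes suffix matching for the Image/ParentImage fields and case-insensitive substring matching for CommandLine, the way a Sigma endswith/contains rule is evaluated; the sample events are constructed, not real telemetry.

```python
from typing import Dict, List

# Indicator values taken from the IOC list above.
IMAGE_SUFFIXES = ("\\rundll32.exe", "\\regsvr32.exe")
PARENT_SUFFIX = "\\fodhelper.exe"
CMDLINE_TOKENS = ("odbcconf.exe", "regsvr", "shellexec_rundll", "installdriver",
                  "setfiledsndir", "vkipdse", "/a", "/f", "/s")


def matches_raspberry_robin(event: Dict[str, object]) -> bool:
    """Return True when a Sysmon process-creation event satisfies all three
    conditions of the detection queries. Assumption: image fields are matched
    by path suffix, the command line by case-insensitive substring."""
    if event.get("EventID") != 1:          # only process-creation events
        return False
    image = str(event.get("Image", "")).lower()
    parent = str(event.get("ParentImage", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    # The fodhelper.exe parent is what carries the signal; the short tokens
    # '/a', '/f', '/s' alone would match a great deal of benign activity.
    return (image.endswith(IMAGE_SUFFIXES)
            and parent.endswith(PARENT_SUFFIX)
            and any(tok in cmdline for tok in CMDLINE_TOKENS))


def hunt(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Filter a batch of events down to those the rule flags."""
    return [e for e in events if matches_raspberry_robin(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: rundll32 spawned by fodhelper with a ShellExec_RunDLL/odbcconf command line -> flagged
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "CommandLine": r"rundll32.exe shell32.dll,ShellExec_RunDLL odbcconf.exe /a"},
    # 2: same binary and similar command line, but parent is explorer.exe -> not flagged
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,ShellExec_RunDLL odbcconf.exe /a"},
    # 3: regsvr32 under fodhelper with a silent-register switch -> flagged
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\x.dll"},
    # 4: not a process-creation event at all -> ignored
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "CommandLine": "odbcconf.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"], "|", hit["CommandLine"])
```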
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_execution.yml