Unraveling Raspberry Robin's Layers: Analyzing Obfuscation Techniques and Core Mechanisms

    Thursday, November 21, 2024 In: Threat Research Print

    Date: 11/21/2024

    Severity: High

    Summary

    Discovered in 2021, Raspberry Robin (also known as Roshtyak) is a malicious downloader primarily spread via infected USB devices. It stands out for its unique binary obfuscation, extensive anti-analysis techniques, and privilege escalation exploits. Researchers have observed its use by multiple threat actors to deploy other malware families, such as Bumblebee. In this blog, Zscaler ThreatLabz provides an in-depth analysis of Raspberry Robin’s execution layers, obfuscation methods, network communication, and latest exploits.

    Indicators of Compromise (IOC) List

    Domains\Urls :

    https://2pxsdtxngssu3vqqujdfgu4bsmlkp3d2ytctawznlhhez6tq57wzpzqd.onion:55314/

    https://3bh22ezbxub3dopbqja7jjymdussvwgl3eu4xzlsdyagtnhzxy3tr3id.onion:3367/

    https://3zs4zdszo3lesutdbuenzvlspuh6wljj6eyntv73dxxig3bk2wcskrad.onion:15842/

    https://4jtsmu3u4yrbehjf4rzfwsswhpc7ohs4nrfnlfu3xebteeaf4uv3okyd.onion:37151/

    https://4rnzfvzybry65auecpi3n67c6ynuunvs77qpk45svyhhsj6oisibk3qd.onion:39567/

    https://5bqxmurmtkqlzis65uu22aspcuhivb6vpzpcpma5wfl5ngz2ha6oxzqd.onion:18231/

    https://64iahnunyhf6ph6qvakjp22a3j6wlvl4sdmbh6elwri6up5gpnm7xkyd.onion:33960/

    https://6agzykvu3rjnwpdnky777ffxb5dj4fiemftho4tsoeakp2xa542pj7id.onion:34024/

    https://6kykjg6h7sjqru5puc57mb2nhd2bwhtewdswnsg4rlr3rw6t4iqrpgyd.onion:13392

    https://6praos6qyi3b5kcurfqe4kyh5ihu4k3z6mjbggkixnfyhbpomy5szoad.onion:4123/

    https://6s75xlg3auzdnccos4re4hrmcxyg6fivxsqm3cldv2gowl2engljtqyd.onion:58212/

    Hash :

    0632a600bd59a0fab86fd199a041b1d159162ae1d8d7ad62150270257bd9bc8b

852ce7c57c68243a1189db61e750056041bed3802f2c48dcee4cfc189b4e4949

5b8043e178373d4b732c6bf1013173b9f9a1f30269996392da367547d6a4a70f

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\Urls :

    userdomainname like "https://2pxsdtxngssu3vqqujdfgu4bsmlkp3d2ytctawznlhhez6tq57wzpzqd.onion:55314/" or url like "https://2pxsdtxngssu3vqqujdfgu4bsmlkp3d2ytctawznlhhez6tq57wzpzqd.onion:55314/" or userdomainname like "https://3bh22ezbxub3dopbqja7jjymdussvwgl3eu4xzlsdyagtnhzxy3tr3id.onion:3367/" or url like "https://3bh22ezbxub3dopbqja7jjymdussvwgl3eu4xzlsdyagtnhzxy3tr3id.onion:3367/" or userdomainname like "https://3zs4zdszo3lesutdbuenzvlspuh6wljj6eyntv73dxxig3bk2wcskrad.onion:15842/" or url like "https://3zs4zdszo3lesutdbuenzvlspuh6wljj6eyntv73dxxig3bk2wcskrad.onion:15842/" or userdomainname like "https://4jtsmu3u4yrbehjf4rzfwsswhpc7ohs4nrfnlfu3xebteeaf4uv3okyd.onion:37151/" or url like "https://4jtsmu3u4yrbehjf4rzfwsswhpc7ohs4nrfnlfu3xebteeaf4uv3okyd.onion:37151/" or userdomainname like "https://4rnzfvzybry65auecpi3n67c6ynuunvs77qpk45svyhhsj6oisibk3qd.onion:39567/" or url like "https://4rnzfvzybry65auecpi3n67c6ynuunvs77qpk45svyhhsj6oisibk3qd.onion:39567/" or userdomainname like "https://5bqxmurmtkqlzis65uu22aspcuhivb6vpzpcpma5wfl5ngz2ha6oxzqd.onion:18231/" or url like "https://5bqxmurmtkqlzis65uu22aspcuhivb6vpzpcpma5wfl5ngz2ha6oxzqd.onion:18231/" or userdomainname like "https://64iahnunyhf6ph6qvakjp22a3j6wlvl4sdmbh6elwri6up5gpnm7xkyd.onion:33960/" or url like "https://64iahnunyhf6ph6qvakjp22a3j6wlvl4sdmbh6elwri6up5gpnm7xkyd.onion:33960/" or userdomainname like "https://6agzykvu3rjnwpdnky777ffxb5dj4fiemftho4tsoeakp2xa542pj7id.onion:34024/" or url like "https://6agzykvu3rjnwpdnky777ffxb5dj4fiemftho4tsoeakp2xa542pj7id.onion:34024/" or userdomainname like "https://6kykjg6h7sjqru5puc57mb2nhd2bwhtewdswnsg4rlr3rw6t4iqrpgyd.onion:13392" or url like "https://6kykjg6h7sjqru5puc57mb2nhd2bwhtewdswnsg4rlr3rw6t4iqrpgyd.onion:13392" or userdomainname like "https://6praos6qyi3b5kcurfqe4kyh5ihu4k3z6mjbggkixnfyhbpomy5szoad.onion:4123/" or url like "https://6praos6qyi3b5kcurfqe4kyh5ihu4k3z6mjbggkixnfyhbpomy5szoad.onion:4123/" or userdomainname like "https://6s75xlg3auzdnccos4re4hrmcxyg6fivxsqm3cldv2gowl2engljtqyd.onion:58212/" or url like "https://6s75xlg3auzdnccos4re4hrmcxyg6fivxsqm3cldv2gowl2engljtqyd.onion:58212/"

    Hash :

    sha256hash IN ( "0632a600bd59a0fab86fd199a041b1d159162ae1d8d7ad62150270257bd9bc8b","852ce7c57c68243a1189db61e750056041bed3802f2c48dcee4cfc189b4e4949","5b8043e178373d4b732c6bf1013173b9f9a1f30269996392da367547d6a4a70f")

    Reference:

    https://www.zscaler.com/blogs/security-research/unraveling-raspberry-robin-s-layers-analyzing-obfuscation-techniques-and#indicators-of-compromise--iocs- 


    Tags

    MalwareRASPBERRY ROBIN

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags

    Privacy & Security StatementTerms & Conditions
    Copyright © 2024 by Gurucul - All rights reserved.