The Raspberry Robin worm is back, and this time, it’s spreading in Windows scripts


Mélina LOUPIA

April 15, 2024 at 2:46 p.m.


Raspberry Robin returns, and he's even naughtier © rafapress / Shutterstock


The Raspberry Robin malware now evolves and spreads with Windows script files, notably bypassing Microsoft Defender.

First identified in late 2021, Raspberry Robin is malware that initially targeted large IT companies and industrial firms, and it continues to disrupt most organizations.

But in March 2024, the hackers apparently decided to spread it more widely. No sooner said than done: Raspberry Robin is now distributed as Windows Script Files (WSF), making it even harder to identify. Whereas Raspberry Robin was traditionally known for spreading via removable media such as USB sticks, the technique the hackers now use is as clever as it is devastating. And in their sights is Microsoft Defender, which they manage to neutralize.

The ingenuity of Raspberry Robin: outwitting antiviruses

The latest version of Raspberry Robin, discovered by cybersecurity researchers at HP Wolf Security in March 2024, shows a remarkable ability to evade certain antivirus programs. Ingeniously, the hackers host a heavily obfuscated Windows Script File (WSF) on various websites. They then set classic phishing traps or fake advertisements to lure their victims to the URLs hosting the WSF file.

When this WSF file is executed, it retrieves the main .DLL of the malware. The payloads are varied, ranging from simple ransomware to other more vicious programs such as SocGholish, Cobalt Strike, IcedID, BumbleBee and TrueBot. This new version of Raspberry Robin stands out for its ability to bypass antivirus programs. Before downloading the main payload, the malware runs a series of scans to determine the type of environment in which it is activated.

Raspberry Robin can outsmart your antivirus © Rawpixel.com / Shutterstock


The threat of Raspberry Robin looms over Microsoft Defender

HP's analysis also showed that the latest version of Raspberry Robin performs a series of checks to verify its environment before moving on to the next phase of the infection. In particular, it checks the Windows version, looks for virtual machines used for malware analysis, and terminates its process if certain security products are detected.

If all the checks pass, Raspberry Robin then configures Microsoft Defender exclusions to remove protection by whitelisting the system's entire primary drive. The malware thus gains unrestricted access to the whole device while remaining invisible to the user's security software.
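As an added illustration (not code from HP Wolf Security or from this article), the following PowerShell audit checks a Windows host for exactly the kind of drive-wide Defender exclusion described above, and lists Defender's own configuration-change events (ID 5007) that touched the path-exclusion setting. The cmdlets, log name and event ID are real Windows components; the helper name Test-BroadExclusion is my own, and the script assumes it is run elevated on Windows 10/11.

```powershell
# Added example: audit Microsoft Defender for drive-wide path exclusions
# (the tactic described above) and list the Defender events that record
# exclusion changes. Assumes an elevated PowerShell session on Windows 10/11.

function Test-BroadExclusion {
    # Returns $true when an exclusion path covers an entire drive:
    # "C:", "C:\" or a root-level wildcard such as "C:\*".
    param([string]$Path)
    $normalized = $Path.Trim().TrimEnd('\')
    return ($normalized -match '^[A-Za-z]:$') -or
           ($normalized -match '^[A-Za-z]:\\\*$') -or
           ($normalized -ieq $env:SystemDrive)
}

# 1. Current state: does any configured path exclusion cover a whole drive?
$prefs = Get-MpPreference
$broad = @($prefs.ExclusionPath | Where-Object { $_ -and (Test-BroadExclusion $_) })
if ($broad.Count -gt 0) {
    Write-Warning ("Drive-wide Defender exclusion(s) present: " + ($broad -join ', '))
} else {
    Write-Output "No drive-wide path exclusions configured."
}

# 2. History: Defender writes event ID 5007 ("configuration has changed") to
#    its Operational log; keep only the entries that touch Exclusions\Paths.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\Paths' }

foreach ($e in $events) {
    # The message body carries the changed registry value, e.g.
    # "New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0"
    $m = [regex]::Match($e.Message, 'New value:\s*(.+)')
    $newValue = if ($m.Success) { $m.Groups[1].Value.Trim() } else { '(unparsed)' }
    Write-Output ("{0:u}  {1}" -f $e.TimeCreated, $newValue)
}
```

Forwarding event ID 5007 to a SIEM and alerting on any new Exclusions\Paths entry gives the same check continuously rather than on demand.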


Source: HP Threat Research

Mélina LOUPIA


A former corporate journalist, I have an appetite for the world of the web, networks, connected devices and everything written on the Internet. From the latest TikTok trend to the most-liked reels, I come from the Facebook generation, which is still fascinated by the internal war between Mac and PC. As a sensible woman, I count the Internet, its tools, practices and regulation among my favorite hobbies (along with lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
