Raspberry Robin

Raspberry Robin will use the legitimate Windows utility fodhelper.exe to run processes at elevated privileges without requiring a User Account Control prompt.(Citation: RedCanary RaspberryRobin 2022)

Raspberry Robin uses newly-registered domains containing only a few characters for command and controll purposes, such as "v0[.]cx".(Citation: RedCanary RaspberryRobin 2022)

Raspberry Robin uses outbound HTTP requests containing victim information for retrieving second stage payloads.(Citation: RedCanary RaspberryRobin 2022) Variants of Raspberry Robin can download archive files (such as 7-Zip files) via the victim web browser for second stage execution.(Citation: HP RaspberryRobin 2024)

Raspberry Robin will use a Registry key to achieve persistence through reboot, setting a RunOnce key such as: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce {random value name} = “rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s “{dropped copy path and file name}”” .(Citation: TrendMicro RaspberryRobin 2022)

Raspberry Robin uses cmd.exe to read and execute a file stored on an infected USB device as part of initial installation.(Citation: RedCanary RaspberryRobin 2022)

Raspberry Robin can use legitimate, signed EXE files paired with malicious DLL files to load and run malicious payloads while bypassing defenses.(Citation: HP RaspberryRobin 2024)

Raspberry Robin can add an exception to Microsoft Defender that excludes the entire main drive from anti-malware scanning to evade detection.(Citation: HP RaspberryRobin 2024)

Raspberry Robin can delete its initial delivery script from disk during execution.(Citation: HP RaspberryRobin 2024)

Raspberry Robin creates an elevated COM object for CMLuaUtil and uses this to set a registry value that points to the malicious LNK file during execution.(Citation: TrendMicro RaspberryRobin 2022)

Raspberry Robin will execute its payload prior to initializing command and control traffic by impersonating one of several legitimate program names such as dllhost.exe, regsvr32.exe, or rundll32.exe.(Citation: TrendMicro RaspberryRobin 2022)

Raspberry Robin contains multiple payloads that are packed for defense evasion purposes and unpacked on runtime.(Citation: TrendMicro RaspberryRobin 2022)

Raspberry Robin will execute a legitimate process, then suspend it to inject code for a Tor client into the process, followed by resumption of the process to enable Tor client execution.(Citation: TrendMicro RaspberryRobin 2022)

Raspberry Robin attempts to identify security software running on the victim machine, such as BitDefender, Avast, and Kaspersky.(Citation: TrendMicro RaspberryRobin 2022)(Citation: HP RaspberryRobin 2024)

Raspberry Robin uses msiexec.exe for post-installation communication to command and control infrastructure.(Citation: RedCanary RaspberryRobin 2022) Msiexec.exe is executed referencing a remote resource for second-stage payload retrieval and execution.(Citation: TrendMicro RaspberryRobin 2022)

Raspberry Robin performs a variety of system environment checks to determine if it is running in a virtualized or sandboxed environment, such as querying CPU temperature information and network card MAC address information.(Citation: HP RaspberryRobin 2024)