April 10, 2024 at 09:45AM
Cybersecurity researchers have detected a new Raspberry Robin campaign using malicious Windows Script Files to spread malware since March 2024. The campaign, historically spread through USB drives, has expanded to other initial infection methods, including social engineering and malvertising. The WSF files function as downloaders to retrieve the main DLL payload while evading detection by antivirus programs.
Key takeaways:
– Cybersecurity researchers have identified a new Raspberry Robin campaign propagating malware through malicious Windows Script Files (WSFs) since March 2024.
– The campaign has evolved from spreading through USB drives to utilizing other initial infection vectors such as social engineering and malvertising.
– Raspberry Robin is associated with various other payloads such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and also serves as a precursor for ransomware.
– The emerging threat cluster tracked by Microsoft as Storm-0856 includes groups like Evil Corp, Silence, and TA505.
– The latest distribution vector involves the use of heavily obfuscated WSF files for download via various domains and subdomains.
– The WSF file serves as a downloader to retrieve the main DLL payload from a remote server, while employing anti-analysis and anti-virtual machine techniques.
– The malware is designed to evade detection by terminating execution based on the Windows operating system’s build number and presence of certain antivirus processes, in addition to configuring Microsoft Defender Antivirus exclusion rules.
– The WSF downloader is currently not detected as malicious by any antivirus scanners on VirusTotal, highlighting its evasiveness and the risk of serious infection.
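As an added defender-side example (not part of the original report or of any researcher's tooling), the following Python detection flags the two host behaviours the takeaways attribute to the WSF downloader: a Windows script host launching a .wsf file, and a configuration change that adds a Microsoft Defender exclusion. The log records are constructed for this example in a simplified pipe-delimited rendering of Security event 4688 (process creation) and Defender Operational event 5007 (configuration changed); the field names and layout are assumptions, not the real event schema.

```python
"""Constructed detection example: flag script-host execution of .wsf files
and newly added Microsoft Defender exclusions in a small stream of log records."""
import re
from dataclasses import dataclass

# Each record is "EventID|Field=value|Field=value..." -- a constructed,
# simplified rendering of a Windows event, not the real XML layout.
# Raw string so the Windows paths keep their single backslashes.
SAMPLE_LOG = r"""
4688|Image=C:\Windows\System32\wscript.exe|CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.wsf"
4688|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt
5007|Message=Old value: ;New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp = 0x0
5007|Message=Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\AVSignatureVersion = 1.0;New value: ... = 1.1
4688|Image=C:\Windows\System32\cscript.exe|CommandLine=cscript.exe //E:jscript C:\ProgramData\setup.wsf
"""


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


# The two Windows script hosts that run .wsf files.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Registry subtree under which Defender stores exclusion rules.
EXCLUSION_KEY = re.compile(r"\\Windows Defender\\Exclusions\\", re.IGNORECASE)


def parse_record(line):
    """Split 'EventID|Key=value|...' into (event_id, {key: value})."""
    parts = line.rstrip("\n").split("|")
    fields = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")  # split on the first '=' only
        fields[key] = value
    return int(parts[0]), fields


def detect(lines):
    """Return a Finding for every record that matches one of the two rules."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event_id, f = parse_record(line)
        if event_id == 4688:
            image = f.get("Image", "").lower()
            cmd = f.get("CommandLine", "").lower()
            # Rule 1: wscript/cscript given a .wsf file on its command line.
            if image.endswith(SCRIPT_HOSTS) and ".wsf" in cmd:
                findings.append(Finding("wsf_script_host", event_id, f.get("CommandLine", "")))
        elif event_id == 5007:
            msg = f.get("Message", "")
            # Rule 2: the *new* value of a config change lands under Exclusions\.
            new_value = msg.split("New value:", 1)[1] if "New value:" in msg else ""
            if EXCLUSION_KEY.search(new_value):
                findings.append(Finding("defender_exclusion_added", event_id, new_value.strip()))
    return findings


def run_sample():
    """Run both rules over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(f"[{finding.rule}] event {finding.event_id}: {finding.detail}")
```

On the sample, the two script-host launches and the exclusion-path addition are flagged, while the notepad launch and the signature-version change are not. In a real deployment the same two conditions map onto Security log event 4688 (or a Sysmon process-creation event) and the Defender Operational log's event 5007, and the exclusion rule is worth alerting on even when the process-creation side is missing, since an exclusion being added from a user context is rarely legitimate.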