Raspberry Robin Malware Targets Telecom, Governments

We noted layers 3 and 5 as capable of anti-analysis techniques. Meanwhile, we found that not all layers have unique packers. The fourth and seventh layers are identical, as well as the tenth and thirteenth. The packing of the eighth and fourteenth layers are also similar. This repeated use of packers implies that the group is using a separate packing program. We are continuing with our analysis to see if this program is their own or if it is outsourced to other groups, as this technique can be indicative of the group’s future use of these same packers. It is also possible for these same packers to be replaced with variations in patterns.

On layer 8, the payload loader, the execution splits into two paths. If the malware detects that it is being analyzed, it loads the fake payload. Otherwise, it loads the real payload.

Fake payload

The fake payload has two layers, the first of which is a shellcode with an embedded PE file, while the second layer is a PE file with the MZ header and PE signature removed. The second layer is loaded by the first layer and jumps into it.

Upon execution, the second layer immediately creates a thread to where its main routine is located. It first attempts to read the registry value named “Active” at <HKEY_CURRENT_USERSOFTWAREMicrosoftMedia>. This serves as an infection marker. If the read fails, it proceeds to write the string value “1” into this registry value, then gathers

Read more

Explore the site

More from the blog

Latest News