This stealthy new malware can apparently avoid all antivirus scanners


Cybersecurity researchers have found a new version of the infamous Raspberry Robin malware, and this one is apparently really good at avoiding antivirus programs and other endpoint protection solutions.

Researchers from HP Wolf Security published a new report in which they claim to have observed a new Raspberry Robin campaign in March 2024, The Hacker News reports. 

In this campaign, the attackers host a malicious, heavily obfuscated Windows Script File (WSF) on various domains and subdomains. They then trick victims into navigating to these URLs through unknown means (most likely social engineering, phishing, or malvertising).

Hiding behind antivirus

If the WSF file is executed, it will retrieve the main DLL, a payload that can be anything from SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot malware, to ransomware, the publication says.

What makes this version of Raspberry Robin stand out, however, is the way it works around antivirus programs. Before downloading the main payload, it runs a series of anti-analysis and anti-virtual machine checks to determine the type of environment it’s being activated in.

What’s more, it won’t execute on Windows versions released before December 2017, or if the list of running processes includes Avast, Avira, Bitdefender, Check Point, ESET, or Kaspersky. Finally, it is able to configure Microsoft Defender Antivirus exclusion rules to make sure it doesn’t get picked up by the scanner.
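For defenders, exclusion tampering of this kind shows up in the Microsoft Defender operational log, which records configuration changes as event ID 5007. The following Python is an added example, not code from HP's report or this article: it triages such events and flags exclusions broad enough to hide a payload. The message layout, the sample events and the thresholds for "broad" are constructed assumptions.

```python
import re

# Defender stores exclusions under this key; event 5007 reports the new value.
NEW_VALUE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x0", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
# Assumed thresholds for "broad"; tune to your environment.
BROAD_DIRS = {r"c:\users", r"c:\windows", r"c:\programdata"}
RISKY_EXTS = {"exe", "dll", "wsf", "js", "vbs", "ps1"}

def parse_exclusion(message):
    """Return (kind, target) if the message records a new exclusion, else None."""
    m = NEW_VALUE.search(message)
    return (m.group(1).lower(), m.group(2)) if m else None

def is_broad(kind, target):
    """True when an exclusion would blind the scanner to large areas."""
    t = target.strip().lower()
    if kind == "paths":
        return bool(DRIVE_ROOT.match(t)) or t.rstrip("\\") in BROAD_DIRS
    if kind == "extensions":
        return t.lstrip(".") in RISKY_EXTS
    return "*" in t  # processes: wildcard exclusion

def triage(events):
    """Keep only 5007 events that add an exclusion, tagged broad or not."""
    findings = []
    for ev in events:
        parsed = parse_exclusion(ev["message"]) if ev["id"] == 5007 else None
        if parsed:
            kind, target = parsed
            findings.append({"kind": kind, "target": target, "broad": is_broad(kind, target)})
    return findings

# Constructed sample events (not taken from a real host or from the report).
PREFIX = "Microsoft Defender Antivirus Configuration has changed.\n\tOld value: \n\tNew value: "
KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
SAMPLE_EVENTS = [
    {"id": 5007, "message": PREFIX + KEY + "Exclusions\\Paths\\C:\\ = 0x0"},
    {"id": 5007, "message": PREFIX + KEY + "Exclusions\\Paths\\D:\\Builds\\cache = 0x0"},
    {"id": 5007, "message": PREFIX + KEY + "Exclusions\\Extensions\\wsf = 0x0"},
    {"id": 5007, "message": PREFIX + KEY + "Spynet\\SpyNetReporting = 0x2"},
    {"id": 1116, "message": "constructed non-configuration event"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print("REVIEW" if f["broad"] else "info", f["kind"], f["target"])
```

Exclusions that nobody in IT can account for, especially ones covering a whole drive or a script extension, are worth investigating even when no detection has fired.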

"The scripts itself are currently not classified as malicious by any anti-virus scanners on VirusTotal, demonstrating the evasiveness of the malware and the risk of it causing a serious infection with Raspberry Robin," HP said. "The WSF downloader is heavily obfuscated and uses many anti-analysis techniques enabling the malware to evade detection and slow down analysis."

Raspberry Robin was first discovered in September 2021 and is also known as the QNAP worm. Initially, it was distributed through malicious USB devices carrying a .LNK file that pointed to the payload hosted on a compromised QNAP device.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.