2024-11-14 (THURSDAY): RASPBERRY ROBIN INFECTION USING WEBDAV SERVER
NOTES:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
REFERENCES:
- https://www.linkedin.com/posts/unit42_raspberryrobin-activity-7262916467707265024-5p8f/
- https://x.com/Unit42_Intel/status/1857150852114649216
ASSOCIATED FILES:
- 2024-11-14-Raspberry-Robin-infection-initial-traffic.saz.zip 6.7 MB (6,729,910 bytes)
- 2024-11-14-Raspberry-Robin-infection-traffic.pcap.zip 72.4 MB (72,370,728 bytes)
- 2024-11-14-Raspberry-Robin-malware-samples.zip 6.7 MB (6,704,397 bytes)
IMAGES:
- Image 1: Initial zip archive and the extracted HTA file.
- Image 2: Traffic from the Fiddler capture showing an example of the script retrieved by the HTA file, which in turn retrieves and runs the Raspberry Robin DLL from the WebDAV server.
- Image 3: Raspberry Robin DLL from the WebDAV server.
- Image 4: Traffic from an infection filtered in Wireshark.