

The Raspberry Robin worm has targeted the financial and insurance industries in Europe, and the malware continues to evolve its post-exploitation capabilities while evading detection.

The breaches, which have been seen in Spanish- and Portuguese-speaking organizations, are notable for collecting more data than in previously documented cases, with the malware now using sophisticated techniques to resist analysis.

How Does the Evolved Raspberry Robin Worm Work?

Also known as the QNAP worm, Raspberry Robin is being used by several threat groups to infiltrate the networks of their targets. The framework has lately been used in attacks on the government and telecom industries. It is spread by infected USB devices, among other means.

According to The Hacker News, security researchers launched a forensic investigation into one such attack and found that it used a 7-Zip archive, downloaded through the victim's browser via social engineering, which contained an MSI installer file designed to drop multiple modules.

In another incident, a ZIP file is said to have been downloaded by the victim through a malicious ad placed on a website notorious for distributing adware. The archive is hosted on a Discord server and contains encoded JavaScript code that, when run, drops a downloader concealed behind multiple layers of encryption and obfuscation to avoid detection.

The shellcode downloader has undergone substantial improvements as well, and can now profile its victims in order to deliver the appropriate payloads. Along with the hostname and username collected by earlier versions of the malware, it now gathers the host's Universally Unique Identifier (UUID), processor name, attached display devices, and the number of minutes elapsed since the system was started.

The command-and-control (C2) server receives the reconnaissance data encrypted with a hard-coded key and replies with a Windows binary, which is subsequently run on the system.
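Both delivery chains described above (a browser-downloaded archive carrying an MSI installer, and a ZIP carrying JavaScript that is executed by the user) leave a recognizable trace in process-creation telemetry. The following hunting snippet is an added example, not code from the article or from Heimdal; it assumes events are dicts with `image`, `parent_image` and `command_line` fields, that Windows runs `.js` files through `wscript.exe`/`cscript.exe` and `.msi` files through `msiexec.exe`, and that archive-delivered files are staged under a Temp or Downloads directory (all of these are assumptions, and the sample events are constructed).

```python
"""Hunt for archive-delivered JavaScript or MSI execution in process-creation events.

Assumptions (not from the article): events are dicts with image, parent_image and
command_line; the field names follow no particular product's schema.
"""
import re

# Paths where a user-extracted or browser-downloaded archive is typically staged (assumption).
ARCHIVE_STAGING = re.compile(r"\\(?:Temp|Downloads)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLER = {"msiexec.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXTRACTORS = {"7zfm.exe", "7zg.exe", "explorer.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_chain(event):
    """Return a reason string if the event matches the archive -> script/installer chain, else None."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    if image in SCRIPT_HOSTS and re.search(r"\.js\b", cmd, re.I) and ARCHIVE_STAGING.search(cmd):
        return "script host running .js from an archive staging path"
    if (image in INSTALLER and re.search(r"\.msi\b", cmd, re.I)
            and ARCHIVE_STAGING.search(cmd) and parent in EXTRACTORS | BROWSERS):
        return "msiexec launched on an archive-delivered .msi by a browser or archive tool"
    return None


def hunt(events):
    """List (image, reason) pairs for every event that matches the chain."""
    return [(e["image"], r) for e in events if (r := suspicious_chain(e))]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\ana\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Program Files\7-Zip\7zFM.exe",
     "command_line": r'msiexec.exe /i "C:\Users\ana\Downloads\setup.msi" /qn'},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"msiexec.exe /V"},  # benign service start, should not match
    {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Scripts\logon.vbs"'},  # .vbs outside staging, should not match
]
```

Run `hunt(SAMPLE_EVENTS)` to see the two matching events; the staging-path and parent-process conditions are what keep routine `msiexec` and logon-script activity out of the results.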


Author Profile

Cristian Neagu



Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, as shown by his ability to communicate cybersecurity norms effectively and in an easy-to-understand manner.