{"description": "Enterprise techniques used by Raspberry Robin, ATT&CK software S1130 (v1.0)", "name": "Raspberry Robin (S1130)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) implements a variation of the ucmDccwCOMMethod technique abusing the Windows AutoElevate backdoor to bypass UAC while elevating privileges.(Citation: TrendMicro RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) will use the legitimate Windows utility fodhelper.exe to run processes at elevated privileges without requiring a User Account Control prompt.(Citation: RedCanary RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) uses newly-registered domains containing only a few characters for command and control purposes, such as \"v0[.]cx\".(Citation: RedCanary RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583.008", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) variants have been delivered via malicious advertising items that, when interacted with, download a malicious archive file containing the initial payload, hosted on services such as Discord.(Citation: HP RaspberryRobin 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) is capable of contacting the TOR network for delivering second-stage payloads.(Citation: RedCanary RaspberryRobin 2022)(Citation: TrendMicro RaspberryRobin 2022)(Citation: HP RaspberryRobin 2024)", "score": 1,
"showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) uses outbound HTTP requests containing victim information for retrieving second stage payloads.(Citation: RedCanary RaspberryRobin 2022) Variants of [Raspberry Robin](https://attack.mitre.org/software/S1130) can download archive files (such as 7-Zip files) via the victim web browser for second stage execution.(Citation: HP RaspberryRobin 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) will use a Registry key to achieve persistence through reboot, setting a RunOnce key such as: HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\n{random value name} = \u201crundll32 shell32 ShellExec_RunDLLA REGSVR /u /s \u201c{dropped copy path and file name}\u201d\u201d\n.(Citation: TrendMicro RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) variants can be delivered via highly obfuscated Windows Script Files (WSF) for initial execution.(Citation: HP RaspberryRobin 2024)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) uses cmd.exe to read and execute a file stored on an infected USB device as part of initial installation.(Citation: RedCanary RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1622", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) leverages anti-debugging mechanisms through the use of ThreadHideFromDebugger.(Citation: TrendMicro RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": 
"[Raspberry Robin](https://attack.mitre.org/software/S1130) contains several layers of obfuscation to hide malicious code from detection and analysis.(Citation: TrendMicro RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1480", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) will check for the presence of several security products on victim machines and will avoid UAC bypass mechanisms if they are identified.(Citation: TrendMicro RaspberryRobin 2022) [Raspberry Robin](https://attack.mitre.org/software/S1130) can use specific cookie values in HTTP requests to command and control infrastructure to validate that requests for second stage payloads originate from the initial downloader script.(Citation: HP RaspberryRobin 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) will check to see if the initial executing script is located on the user's Desktop as an anti-analysis check.(Citation: HP RaspberryRobin 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) will drop a copy of itself to a subfolder in %Program Data% or %Program Data%\\\\Microsoft\\\\ to attempt privilege elevation and defense evasion if not running in Session 0.(Citation: TrendMicro RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) can use legitimate, signed EXE files paired with malicious DLL files to load and run malicious payloads while bypassing defenses.(Citation: HP RaspberryRobin 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[Raspberry 
Robin](https://attack.mitre.org/software/S1130) can add an exception to Microsoft Defender that excludes the entire main drive from anti-malware scanning to evade detection.(Citation: HP RaspberryRobin 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) can delete its initial delivery script from disk during execution.(Citation: HP RaspberryRobin 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.009", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) uses a RunOnce Registry key for persistence, where the key is removed after its use on reboot then re-added by the malware after it resumes execution.(Citation: Microsoft RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) retrieves its second stage payload in a variety of ways such as through msiexec.exe abuse, or running the curl command to download the payload to the victim's %AppData% folder.(Citation: HP RaspberryRobin 2024)(Citation: RedCanary RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1559", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) contains an embedded custom [Tor](https://attack.mitre.org/software/S0183) network client that communicates with the primary payload via shared process memory.(Citation: TrendMicro RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559.001", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) creates an elevated COM object for CMLuaUtil and uses this to set a registry value that points to the malicious LNK file during execution.(Citation: TrendMicro RaspberryRobin 2022)", 
"score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) will execute its payload prior to initializing command and control traffic by impersonating one of several legitimate program names such as dllhost.exe, regsvr32.exe, or rundll32.exe.(Citation: TrendMicro RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.008", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) has historically been delivered via infected USB drives containing a malicious LNK object masquerading as a legitimate folder.(Citation: RedCanary RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1571", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) will communicate via HTTP over port 8080 for command and control traffic.(Citation: RedCanary RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) uses mixed-case letters for filenames and commands to evade detection.(Citation: RedCanary RaspberryRobin 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) contains multiple payloads that are packed for defense evasion purposes and unpacked at runtime.(Citation: TrendMicro RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) can identify processes running on the victim machine, such as security software, during execution.(Citation: TrendMicro RaspberryRobin 2022)(Citation: HP RaspberryRobin 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) will execute a legitimate process, then suspend it to inject code for a [Tor](https://attack.mitre.org/software/S0183) client into the process, followed by resumption of the process to enable [Tor](https://attack.mitre.org/software/S0183) client execution.(Citation: TrendMicro RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1091", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) has historically used infected USB media to spread to new victims.(Citation: TrendMicro RaspberryRobin 2022)(Citation: RedCanary RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) attempts to identify security software running on the victim machine, such as BitDefender, Avast, and Kaspersky.(Citation: TrendMicro RaspberryRobin 2022)(Citation: HP RaspberryRobin 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) uses msiexec.exe for post-installation communication to command and control infrastructure.(Citation: RedCanary RaspberryRobin 2022) Msiexec.exe is executed referencing a remote resource for second-stage payload retrieval and execution.(Citation: TrendMicro RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.008", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) uses the Windows utility odbcconf.exe to execute malicious commands, using the regsvr flag to execute DLLs and bypass application control mechanisms that are not monitoring for 
odbcconf.exe abuse.(Citation: RedCanary RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) uses regsvr32.exe execution without any command line parameters for command and control requests to IP addresses associated with [Tor](https://attack.mitre.org/software/S0183) nodes.(Citation: RedCanary RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) uses rundll32 execution without any command line parameters to contact command and control infrastructure, such as IP addresses associated with [Tor](https://attack.mitre.org/software/S0183) nodes.(Citation: RedCanary RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) performs several system checks as part of anti-analysis mechanisms, including querying the operating system build number, processor vendor and type, video controller, and CPU temperature.(Citation: HP RaspberryRobin 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) determines whether it is successfully running on a victim system by querying the running account information to determine if it is running in Session 0, indicating running with elevated privileges.(Citation: TrendMicro RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) execution can rely on users directly interacting with malicious LNK files.(Citation: Microsoft RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", 
"comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) contains real and fake second-stage payloads following initial execution, with the real payload only delivered if the malware determines it is not running in a virtualized environment.(Citation: TrendMicro RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) performs a variety of system environment checks to determine if it is running in a virtualized or sandboxed environment, such as querying CPU temperature information and network card MAC address information.(Citation: HP RaspberryRobin 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) second stage payloads can be hosted as RAR files, containing a malicious EXE and DLL, on Discord servers.(Citation: HP RaspberryRobin 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[Raspberry Robin](https://attack.mitre.org/software/S1130) can execute via LNK containing a command to run a legitimate executable, such as wmic.exe, to download a malicious Windows Installer (MSI) package.(Citation: TrendMicro RaspberryRobin 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Raspberry Robin", "color": "#66b1ff"}]}