A new campaign wave of the Raspberry Robin malware has been discovered by cybersecurity researchers, with the worm now spreading through malicious Windows Script Files (WSFs) since March 2024 [7].


HP Threat Research previously identified campaigns where Raspberry Robin was distributed through highly obfuscated WSFs [2], utilizing anti-analysis techniques [2] [8]. The worm now utilizes WSF to evade detection and analysis, with the ability to mix JScript and VBScript, making it challenging to analyze. Over the years [2], threat actors have utilized various attack vectors [2], including archive files and malicious adverts [2], to deliver the worm [2]. The hackers behind Raspberry Robin are adept at quickly exploiting vulnerabilities and have connections to other malware families like SocGholish [3], Cobalt Strike [1] [3] [4] [6], and IcedID [3] [4]. Recently, Raspberry Robin has been observed using WSFs to spread its malicious code, marking a shift from its previous use of infected USB drives [5]. The malware has also been distributed through downloads from archive files sent as attachments via Discord and 7-Zip archives downloaded through web browsers [5]. Additionally, the operators are exploiting one-day security vulnerabilities [5], potentially purchasing exploits to accelerate their attacks [5]. The WSF downloader is heavily obfuscated and employs anti-analysis and anti-VM techniques to evade detection and slow down analysis [5]. This activity is concerning as Raspberry Robin has been used as a precursor for human-operated ransomware [5], making early detection and mitigation a high priority for security teams [5].


The use of WSFs to distribute the Raspberry Robin worm poses a significant threat to cybersecurity. To protect against this Windows worm [1], users are advised not to open email attachments from untrusted sources and to verify the sender’s identity [1]. Additionally, using paid antivirus or identity theft protection software is recommended to mitigate the risks associated with this malware campaign.


[1] https://windowsreport.com/hackers-are-using-the-raspberry-robin-worm-to-attack-your-device/
[2] https://www.infosecurity-magazine.com/news/raspberry-robin-windows-script/
[3] https://www.bankinfosecurity.com/raspberry-robin-morphs-now-spreads-via-windows-script-files-a-24844
[4] https://www.scmagazine.com/news/raspberry-robin-observed-spreading-via-windows-script-files
[5] https://securityboulevard.com/2024/04/raspberry-robin-malware-now-using-windows-script-files-to-spread/
[6] https://www.tomsguide.com/computing/malware-adware/hackers-are-using-this-little-know-file-type-to-drop-a-nasty-windows-worm-on-vulnerable-pcs-how-to-stay-safe
[7] https://gixtools.net/2024/04/raspberry-robin-returns-new-malware-campaign-spreading-through-wsf-files/
[8] https://itnerd.blog/2024/04/10/hp-analyzes-stealthy-raspberry-robin-campaign/