New Malware Campaign Spreading Through WSF Files

New Malware Campaign Spreading Through WSF Files

Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that propagates the malware through malicious Windows Script Files (WSFs) since March 2024.

“Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors,” HP Wolf Security researcher Patrick Schläpfer said in a report shared with The Hacker News.

Raspberry Robin, also called QNAP worm, was first spotted in September 2021 that has since evolved into a downloader for various other payloads in recent years, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and also serving as a precursor for ransomware.

It’s currently not clear how the attackers are directing victims to these URLs, although it’s suspected that it could be either via spam or malvertising campaigns.

The heavily obfuscated WSF file functions as a downloader to retrieve the main DLL payload from a remote server using the curl command, but not before a series of anti-analysis and anti-virtual machine evaluations are carried out to determine if it’s being run in a virtualized environment.

“The scripts itself are currently not classified as malicious by any an-virus scanners on VirusTotal, demonstrating the evasiveness of the malware and the risk of it causing a serious infection with Raspberry Robin,” HP said.

“The WSF downloader is heavily obfuscated and uses many an-analysis techniques enabling the malware to evade detection and slow down analysis.”