Raspberry Robin: The USB Propagator

Malmon Profile

Classification: Worm/APT ⭐⭐
Discovery Credit: Red Canary Intelligence Team, 2021
First Documented: September 2021
Threat Level: Intermediate (USB propagation specialist)

Malmon Card Reference

Raspberry Robin

Worm/USB
⭐⭐
Raspberry Robin

Raspberry Robin is a sophisticated malware known for spreading via infected USB drives and Windows shortcuts. It uses a complex infection chain, often involving legitimate tools like msiexec or cmd.exe to download further payloads. Raspberry Robin's infrastructure is highly obfuscated, with connections to various malware ecosystems including ransomware-as-a-service groups. Its evasive techniques and lateral movement capabilities make it a persistent threat in enterprise environments.

🔥
USB Propagation
Spreads through infected removable media with Windows shortcut exploitation
Complex Infection Chain
Multi-stage deployment using legitimate Windows utilities and QNAP device communication
🔮
Dropper Evolution
Serves as initial access for more sophisticated follow-on malware families
⬆️
Multi-Vector Distribution Platform
Becomes delivery mechanism for multiple advanced threat families
💎
USB Controls
Defeated by removable media restrictions and endpoint monitoring
🔍5
🔒7
📡8
💣6
🥷7
Discovered By:Red Canary
Habitat:USB devices, removable media, Windows environments
Property Icons:
🔍Detection
🔒Persistence
📡Spread
💣Payload
🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

  • Initial Access: T1091 (Replication Through Removable Media)
  • Persistence: T1547.001 (Registry Run Keys/Startup Folder)
  • Command and Control: T1071.001 (Application Layer Protocol)

Detailed ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

Technique Tactic Description Mitigation Detection
T1091
Replication Through Removable Media		 Initial Access Spreads via infected USB drives in targeted environments USB controls, device management, endpoint protection USB monitoring, removable media scanning, device tracking
T1071.001
Application Layer Protocol		 Command and Control Uses legitimate services like Discord and Telegram for C2 Network monitoring, application control, traffic analysis Network traffic analysis, service monitoring, C2 detection
T1547.001
Registry Run Keys/Startup Folder		 Persistence Establishes persistence through Windows registry modifications Registry monitoring, startup controls, system integrity Registry monitoring, startup enumeration, persistence scanning
IM Facilitation Notes:
  • Use these techniques to guide player investigation questions
  • Help players connect evidence to specific ATT&CK techniques
  • Highlight type effectiveness relationships in responses
  • Encourage discussion of real-world mitigation strategies

Core Capabilities

USB Propagation Mastery:

  • Spreads through infected USB drives and removable media
  • Creates malicious LNK files that appear as legitimate folders
  • Automatically infects new USB devices when inserted
  • +3 bonus to spreading in environments with frequent USB usage

Living-off-the-Land Techniques:

  • Uses legitimate Windows processes for malicious activities
  • Leverages QEMU emulation and Windows utilities
  • Avoids dropping obvious malicious files on disk
  • +2 bonus against traditional file-based detection

Network Evasion (Hidden Ability):

  • Communicates with command and control through legitimate services
  • Uses compromised WordPress sites and cloud services
  • Employs domain generation algorithms for resilience
  • Triggers evolution to more sophisticated APT-level persistence

Type Effectiveness Against Raspberry Robin

Understanding which security controls work best against hybrid Worm/APT threats like Raspberry Robin:

Trojan
Weak to: Detection
Resists: Training
Worm
Weak to: Isolation
Resists: Backup
Ransomware
Weak to: Backup
Resists: Encryption
Rootkit
Weak to: Forensics
Resists: Detection
APT
Weak to: Intelligence
Phishing
Weak to: Training
Botnet
Weak to: Coordination
Infostealer
Weak to: Encryption

Key Strategic Insights for IMs:

  • Most Effective: User Education (USB security awareness), Physical Security Controls (USB port management), Behavioral Analysis (detects living-off-the-land techniques)
  • Moderately Effective: Network Isolation (limits C2 communication), Threat Intelligence (tracks campaign indicators)
  • Least Effective: Signature Detection (uses legitimate processes), Traditional Network Controls (USB propagation), Standard Antivirus (fileless techniques)

Hybrid Type Considerations:
This combines physical propagation with sophisticated techniques - emphasize both physical security awareness and advanced detection capabilities.

Vulnerabilities

USB Dependency:

  • Spread requires physical USB media and user interaction
  • Limited to environments where removable media is common
  • -2 penalty in organizations with strict USB usage policies

User Education Susceptibility:

  • Social engineering awareness reduces infection success
  • Technical training about USB security limits propagation
  • Security policies can effectively prevent initial infection

Facilitation Guide

Pre-Session Preparation

Choose Raspberry Robin When:

  • Mixed experience teams learning about physical security and network integration
  • USB security and removable media policies need emphasis
  • Living-off-the-land techniques should be demonstrated
  • Physical/digital security convergence is a learning objective
  • User behavior and policy effectiveness need exploration

Avoid Raspberry Robin When:

  • Organizations with strict no-USB policies where scenario isn’t relevant
  • Purely network-focused training where physical vectors aren’t applicable
  • Time-limited sessions where USB propagation complexity might overwhelm

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

  • “Multiple workstations showing suspicious network connections”
  • “Users reporting USB drives creating unexpected folders”
  • “Security tools detecting legitimate processes behaving unusually”
  • “Network monitoring shows connections to compromised WordPress sites”

IM Question Progression:

  1. “What connects workstations that don’t normally share network connections?”
  2. “How might malware spread without using network vulnerabilities?”
  3. “What would make legitimate Windows processes appear suspicious?”
  4. “What physical vectors could bypass network security controls?”

Expected Player Discovery Path:

  • Detective: Investigates unusual process behavior and network connections
  • Protector: Identifies compromise of systems across network segments
  • Tracker: Maps communication to external compromise infrastructure
  • Communicator: Investigates user reports of USB drive behavior
  • Crisis Manager: Coordinates response across physical and digital domains
  • Threat Hunter: Discovers living-off-the-land techniques and process injection

USB Vector Revelation: Guide toward: “This appears to be spreading through infected USB drives that users are carrying between systems.”

Investigation Phase (Round 2) Facilitation

Physical/Digital Integration Questions:

  • “How do you investigate an attack that bridges physical and digital security?”
  • “What policies and technologies address removable media threats?”
  • “How would you trace which USB drives have been infected?”

Living-off-the-Land Analysis:

  • “Why would attackers use legitimate Windows processes for malicious purposes?”
  • “How do you detect malicious use of standard system tools?”
  • “What makes this approach effective against traditional security controls?”

Scope Assessment:

  • “How far could this have spread through USB sharing?”
  • “What systems might be affected that aren’t on your managed network?”
  • “How do you assess impact when the attack vector is physical?”

Response Phase (Round 3) Facilitation

Multi-Domain Response Strategy:

  • “How do you respond to threats that use both physical and digital vectors?”
  • “What coordination is needed between IT, physical security, and user training?”
  • “How do you prevent reinfection through continued USB usage?”

Policy and Technical Controls:

  • “What combination of technology and policy would prevent future USB-based attacks?”
  • “How do you balance security with legitimate business needs for removable media?”
  • “What user education is needed to address this type of threat?”

Advanced Facilitation Techniques

Physical Security Integration

Cross-Domain Thinking:

  • Help teams understand how physical and digital security interconnect
  • Guide discussion of user behavior and policy enforcement
  • Explore the challenges of securing mobile devices and removable media

Policy Effectiveness Analysis:

  • Discuss how technical controls and organizational policies work together
  • Examine the balance between security and usability
  • Explore user training and awareness as security controls

Living-off-the-Land Concepts

Legitimate Tool Abuse:

  • Help teams understand how attackers use standard tools maliciously
  • Guide discussion of behavioral analysis and context-aware detection
  • Explore the challenges of distinguishing malicious from legitimate activity

Detection Strategy Development:

  • Discuss how traditional signature-based detection fails against these techniques
  • Explore behavioral analysis and anomaly detection approaches
  • Guide development of detection strategies for dual-use tools

Real-World Learning Connections

USB and Removable Media Security

  • Physical security controls for removable media
  • Technical solutions for USB security (blocking, monitoring, sandboxing)
  • User education and policy development for removable media
  • Integration of physical and digital security controls

Living-off-the-Land Defense

  • Behavioral analysis and anomaly detection for legitimate tools
  • Context-aware security monitoring and alerting
  • Whitelist and blacklist approaches for system tool usage
  • Advanced threat hunting techniques for dual-use tools

User Behavior and Security Culture

  • How user behavior creates or mitigates security risks
  • The role of security awareness training in threat prevention
  • Balancing security controls with business productivity needs
  • Building security culture that addresses both physical and digital threats

Assessment and Learning Objectives

Success Indicators

Team Successfully:

  • Recognizes USB propagation as physical/digital convergence threat
  • Understands living-off-the-land techniques and detection challenges
  • Develops response strategies addressing both technical and policy domains
  • Demonstrates understanding of user behavior as security control
  • Integrates physical security considerations with digital response

Learning Assessment Questions

  • “How does USB propagation change your approach to incident response?”
  • “What detection strategies work against living-off-the-land techniques?”
  • “How do you balance USB security with legitimate business needs?”
  • “What role does user education play in preventing USB-based attacks?”

Community Contributions and Extensions

Advanced Scenarios

  • BYOD Environment: USB threats in environments with personal devices
  • Air-Gapped Networks: USB as bridge between isolated and connected systems
  • Supply Chain Attack: USB devices compromised during manufacturing
  • Insider Threat: Malicious use of USB devices by authorized personnel

Real-World Applications

  • USB Security Policy Development: Creating comprehensive removable media policies
  • Physical Security Integration: Coordinating digital and physical security controls
  • User Training Programs: Developing effective security awareness for removable media
  • Detection Strategy Enhancement: Implementing behavioral analysis for dual-use tools

Raspberry Robin demonstrates how modern threats blend physical and digital attack vectors, requiring security strategies that address both domains and emphasize the critical role of user behavior in organizational security.