Potential Raspberry Robin Registry Set Internet Settings ZoneMap

Detects registry modifications to the system's proxy configuration that are potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security measures: if any proxy settings are blocking connections, changing them ensures an unhindered connection with its Command and Control servers and so maintains control over compromised systems.

Sigma rule (View on GitHub)

title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
id: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43
status: experimental
description: |
    Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
    Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
references:
    - https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
    - https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
    - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
author: Swachchhanda Shrawan Poudel
date: 2024-07-31
tags:
    - detection.emerging-threats
    - attack.t1112
    - attack.defense-evasion
logsource:
    category: registry_set
    product: windows
    definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\" and its sub keys must be monitored'
detection:
    selection_registry_image:
        - Image|contains:
              - '\AppData\Local\Temp\'
              - '\Downloads\'
              - '\Users\Public\'
              - '\Windows\Temp\'
        - Image|endswith: '\control.exe'
    selection_registry_object:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\'
    selection_value_enable:
        TargetObject|endswith:
            - '\IntranetName'
            - '\ProxyByPass'
            - '\UNCAsIntranet'
        Details|contains: 'DWORD (0x00000001)'
    selection_value_disable:
        TargetObject|endswith: '\AutoDetect'
        Details|contains: 'DWORD (0x00000000)'
    condition: all of selection_registry_* and 1 of selection_value_*
falsepositives:
    - Unknown
# Note: can be upgraded to medium after an initial baseline
level: low
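The following is an added example, not part of the rule or the SigmaHQ project, showing how the rule's four selections and its condition ("all of selection_registry_* and 1 of selection_value_*") evaluate against Sysmon-style registry_set events. It assumes the Sysmon Event ID 13 field names (Image, TargetObject, Details) that the Sigma windows/registry_set log source maps to; the sample events are constructed, and the SID in the HKU path is a placeholder.

```python
"""
Added example (not the rule's own code): evaluate the ZoneMap rule's logic
over Sysmon-style registry_set events. Field names follow Sysmon Event ID 13
(Image, TargetObject, Details); sample events below are constructed.
"""

# Value strings exactly as the rule states them. Sigma string modifiers are
# case-insensitive by default, so the helpers lower-case both sides.
IMAGE_PATH_FRAGMENTS = (
    "\\AppData\\Local\\Temp\\",
    "\\Downloads\\",
    "\\Users\\Public\\",
    "\\Windows\\Temp\\",
)
IMAGE_SUFFIX = "\\control.exe"
ZONEMAP_FRAGMENT = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\"
ENABLE_VALUE_NAMES = ("\\IntranetName", "\\ProxyByPass", "\\UNCAsIntranet")
DISABLE_VALUE_NAME = "\\AutoDetect"
DWORD_ONE = "DWORD (0x00000001)"
DWORD_ZERO = "DWORD (0x00000000)"


def _contains(field: str, needle: str) -> bool:
    return needle.lower() in field.lower()


def _endswith(field: str, suffix: str) -> bool:
    return field.lower().endswith(suffix.lower())


def selection_registry_image(event: dict) -> bool:
    """Writer runs from a user-writable staging directory, or is control.exe."""
    image = event.get("Image", "")
    return any(_contains(image, f) for f in IMAGE_PATH_FRAGMENTS) or _endswith(image, IMAGE_SUFFIX)


def selection_registry_object(event: dict) -> bool:
    """Target value lives under the Internet Settings ZoneMap key."""
    return _contains(event.get("TargetObject", ""), ZONEMAP_FRAGMENT)


def selection_value_enable(event: dict) -> bool:
    """IntranetName / ProxyByPass / UNCAsIntranet set to 1."""
    target = event.get("TargetObject", "")
    return any(_endswith(target, n) for n in ENABLE_VALUE_NAMES) and _contains(event.get("Details", ""), DWORD_ONE)


def selection_value_disable(event: dict) -> bool:
    """AutoDetect set to 0, i.e. proxy auto-detection switched off."""
    return _endswith(event.get("TargetObject", ""), DISABLE_VALUE_NAME) and _contains(event.get("Details", ""), DWORD_ZERO)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_registry_* and 1 of selection_value_*"""
    return (
        selection_registry_image(event)
        and selection_registry_object(event)
        and (selection_value_enable(event) or selection_value_disable(event))
    )


# Constructed sample events. The SID segment is a placeholder, not a real SID.
ZONEMAP_KEY = "HKU\\S-1-5-21-PLACEHOLDER-1001" + ZONEMAP_FRAGMENT.rstrip("\\")
SAMPLE_EVENTS = [
    # 1: dropper in Users\Public turns ProxyByPass on -> fires
    {"id": 1, "Image": "C:\\Users\\Public\\x.exe",
     "TargetObject": ZONEMAP_KEY + "\\ProxyByPass", "Details": DWORD_ONE},
    # 2: control.exe switches AutoDetect off -> fires
    {"id": 2, "Image": "C:\\Windows\\System32\\control.exe",
     "TargetObject": ZONEMAP_KEY + "\\AutoDetect", "Details": DWORD_ZERO},
    # 3: control.exe sets AutoDetect to 1 -> neither value selection -> silent
    {"id": 3, "Image": "C:\\Windows\\System32\\control.exe",
     "TargetObject": ZONEMAP_KEY + "\\AutoDetect", "Details": DWORD_ONE},
    # 4: explorer.exe is not a suspicious image -> silent
    {"id": 4, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": ZONEMAP_KEY + "\\ProxyByPass", "Details": DWORD_ONE},
    # 5: Temp image, but ProxyEnable is outside ZoneMap -> silent
    {"id": 5, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\a.exe",
     "TargetObject": "HKU\\S-1-5-21-PLACEHOLDER-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable",
     "Details": DWORD_ONE},
    # 6: same as 1 but lower-cased -> still fires (case-insensitive matching)
    {"id": 6, "Image": "c:\\users\\public\\y.exe",
     "TargetObject": (ZONEMAP_KEY + "\\UNCAsIntranet").lower(), "Details": DWORD_ONE},
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print("rule fires on sample events:", evaluate())
```

Event 3 illustrates why the rule pairs each value name with a specific DWORD: setting AutoDetect to 1 re-enables proxy auto-detection and is not the behaviour the rule is after, so it stays silent. Events 4 and 5 show that both registry selections must hold, which is what keeps ordinary writes to Internet Settings from ordinary processes out of the alert stream.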
