
Raspberry Robin worm drops fake malware to confuse researchers
2022-12-20 15:15

The Raspberry Robin malware is now trying its hand at some trickery: it drops a fake payload to confuse researchers and evade detection when it detects that it is being run inside a sandbox or under a debugger.

Raspberry Robin is a worm-like malware dropper that sells initial access to compromised networks to ransomware gangs and malware operators.

The malware reaches targeted systems via malicious USB drives that infect the device when they are inserted and opened.

To make it even harder for security researchers to analyze the malware, Raspberry Robin has begun to drop two different payloads depending on how it is being run on a device.

If the malware detects it is running inside a sandbox, indicating it is likely being analyzed, the loader drops a fake payload. Otherwise, it will launch the actual Raspberry Robin malware.

The fake payload then attempts to download and execute an adware named 'BrowserAssistant' to trick the analyst into believing this was the final payload. On real, non-sandboxed systems the actual Raspberry Robin payload is loaded instead; it embeds a custom Tor client for its communications.
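Because the sample described above changes its behaviour based on whether it believes it is being analysed, a single sandbox run can no longer be trusted on its own. The following added example (not code from the article or from any vendor) shows one defensive response: detonate the same sample in two environments, diff the dropped files, child processes and network contacts, and flag the sample as environment-aware when the runs disagree. The report schema, file paths, hashes and hostnames are all constructed placeholders, not real indicators.

```python
"""
Differential detonation triage (added example; not code from the article).

A sample that drops a decoy in a sandbox and the real payload elsewhere
leaves a tell: its observable behaviour depends on the environment. Running
it in more than one environment and diffing the results surfaces that
dependency, so the sandbox verdict can be marked untrusted and the sample
routed for deeper analysis.

Every value below is constructed sample data, not a real IoC.
"""
from dataclasses import dataclass, field
import json


@dataclass
class DetonationReport:
    """Minimal summary of one run of a sample (constructed schema)."""
    environment: str
    dropped_files: dict[str, str] = field(default_factory=dict)  # path -> sha256
    network: set[str] = field(default_factory=set)               # contacted hosts
    processes: set[str] = field(default_factory=set)             # spawned image names


def compare_runs(a: DetonationReport, b: DetonationReport) -> dict:
    """Diff two runs of the same sample and summarise every divergence."""
    shared_paths = a.dropped_files.keys() & b.dropped_files.keys()
    # Same path written in both runs but with different content: the clearest
    # sign of a decoy-vs-real payload swap.
    divergent = sorted(p for p in shared_paths if a.dropped_files[p] != b.dropped_files[p])
    return {
        "files_only_in": {
            a.environment: sorted(a.dropped_files.keys() - b.dropped_files.keys()),
            b.environment: sorted(b.dropped_files.keys() - a.dropped_files.keys()),
        },
        "same_path_different_hash": divergent,
        "network_symmetric_diff": sorted(a.network ^ b.network),
        "process_symmetric_diff": sorted(a.processes ^ b.processes),
    }


def is_environment_aware(diff: dict) -> bool:
    """True when any observable changed between the two environments."""
    return bool(
        diff["same_path_different_hash"]
        or any(diff["files_only_in"].values())
        or diff["network_symmetric_diff"]
        or diff["process_symmetric_diff"]
    )


def triage(a: DetonationReport, b: DetonationReport) -> dict:
    """Produce a triage record with an explicit verdict for the analyst."""
    diff = compare_runs(a, b)
    diff["environment_aware"] = is_environment_aware(diff)
    diff["verdict"] = (
        "behaviour diverges by environment; treat the sandbox result as untrusted"
        if diff["environment_aware"]
        else "behaviour consistent across environments"
    )
    return diff


# Constructed reports modelling the pattern the article describes: a decoy
# stage observed in the sandbox, a different stage on a non-sandboxed host.
SANDBOX_RUN = DetonationReport(
    environment="sandbox",
    dropped_files={r"C:\Users\Public\stage.dll": "a" * 64},   # placeholder hash
    network={"decoy-download.invalid"},                        # placeholder host
    processes={"stage-loader.exe"},
)
BAREMETAL_RUN = DetonationReport(
    environment="bare-metal",
    dropped_files={r"C:\Users\Public\stage.dll": "b" * 64},   # placeholder hash
    network={"tor-bootstrap.invalid"},                         # placeholder host
    processes={"stage-loader.exe", "embedded-tor-client.exe"},
)

if __name__ == "__main__":
    print(json.dumps(triage(SANDBOX_RUN, BAREMETAL_RUN), indent=2))
```

The comparison is deliberately coarse (set differences on paths, hashes, hosts and process names) so that it works with whatever summary a given sandbox exports; the point is the verdict, which tells the analyst that the decoy observed under analysis is not the sample's real behaviour.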


News URL

https://www.bleepingcomputer.com/news/security/raspberry-robin-worm-drops-fake-malware-to-confuse-researchers/