Potential Raspberry Robin CPL Execution Activity

About the rule

Rule Type

Standard

Rule Description

Raspberry Robin is a malware downloader used to execute malicious payloads on a system. It leverages CPIApplet function within Control Panel Items i.e., .cpl files to drop its payload into less suspicious directories, such as the user’s Temp folder and then executes the .cpl file using the rundll32.exe utility which in turn calls the Control_RunDLL export function from shell32.dll. This rule detects such suspicious process creations associated with Raspberry Robin CPL execution.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Execution → Defense Evasion → rundll32.exe execution → Impact

Impact

• Malware execution
• Defense Evasion
• System compromise

Rule Requirement

Prerequisites

• Windows Event Viewer

Logon to Group Policy Management Console with administrative privileges and enable auditing for process creation and termination events. For enhanced process tracking enable the inclusion of command line information in process creation events. Finally, create a new registry key "Microsoft-Windows-Security-Auditing/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".

• Sysmon

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add process creation events to the configuration file to capture all process creations. Finally, create a registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".

(((( COMMANDLINE CONTAINS ""\\appdata\\local\\temp\\"" ) )) AND ((( COMMANDLINE CONTAINS ""shell32.dll"" ) AND( COMMANDLINE CONTAINS ""control_rundll"" ) AND( COMMANDLINE CONTAINS "".cpl"" ) )) AND ((( PROCESSNAME ENDS_WITH ""\\rundll32.exe"" ) ) OR ((ORIGINALFILENAME = ""rundll32.exe"" ))) AND ((( PARENTPROCESSNAME ENDS_WITH ""\\rundll32.exe"" ) OR ( PARENTPROCESSNAME ENDS_WITH ""\\control.exe"" ) )))

This rule is triggered when the executed process is associated with the following suspicious elements:

• \\appdata\\local\\temp\\: Refers to the user's Temp folder, a less suspicious location used to execute malware files.
• .cpl: A DLL file that provides access to specific Control Panel Applets.
• rundll32.exe: A Windows program used to execute functions within a DLL.
• shell32.dll: A Windows DLL used to call the Control_RunDLL function used to run .cpl files.
• control_rundll: A function within the shell32.dll file that is used to launch Control Panel applets.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: System Binary Proxy Execution - Rundll32 (T1218.011)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.

When this rule is triggered, you're notified of the Raspberry Robin CPL execution. This enables you to identify suspicious processes originating from the Temp folder and detect malicious CPL file executions on the system.

Author

Swachchhanda Shrawan Poudel

Future actions

Known False Positives

This rule might be triggered when Control Panel applets are launched dynamically via rundll32.exe from unusual locations during troubleshooting or software upgrades.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit DLL executions: Continuously monitor DLL file activities, detect DLL executions that launch from suspicious locations, and block .cpl executions.

Mitigation