Trend Micro researchers found a malware sample allegedly capable of connecting to the Tor network to deliver its payloads. Their initial analysis of the malware, which compromised a number of organizations toward the end of September, showed that the main malware routine carries both a real and a fake payload: once it detects sandboxing tools, it loads the fake payload so that security and analysis tools cannot observe and study its real routine. Meanwhile, the real payload remains obfuscated under layers of packing and subsequently connects to the Tor network. The campaign and malware, identified as Raspberry Robin by Red Canary (detected by Trend Micro as Backdoor.Win32.RASPBERRYROBIN.A), seemingly spreads between systems in a worm-like fashion via infected USB drives, relying on .lnk files.
Given the malware's layered design and multi-stage infection routine, Trend Micro is still confirming the main motivation behind its deployment; the possibilities currently range from theft to cyberespionage.
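The two observable behaviours described above, a process launched through a .lnk shortcut on removable media and a later outbound connection from that process tree toward the Tor network, lend themselves to a simple endpoint-telemetry correlation. The following is an added example, not code from Trend Micro or Red Canary: it runs over a constructed event stream whose schema (a `launch_shortcut` field on process-start records, the drive letters treated as removable, and the set of default Tor ports) is an assumption for illustration and does not describe any specific product's telemetry.

```python
"""Added example (not Trend Micro's or Red Canary's code): correlate a
.lnk launch from removable media with a later Tor-port connection from
the same process tree. Event schema, drive letters and ports are
assumptions chosen for this constructed sample."""
from dataclasses import dataclass
from typing import Dict, List, Union

# Default ports Tor uses (OR, directory, SOCKS, control, Tor Browser SOCKS).
# Assumption: real relays may listen on any port, including 443, so this is
# a weak signal on its own and is only raised for already-suspicious trees.
TOR_PORTS = {9001, 9030, 9050, 9051, 9150}

# Drive letters treated as removable in this constructed dataset (assumption).
REMOVABLE_DRIVES = ("E:\\", "F:\\")


@dataclass
class ProcessStart:
    pid: int
    ppid: int
    image: str
    launch_shortcut: str = ""  # assumed field: the .lnk that started it, "" if none


@dataclass
class NetConnect:
    pid: int
    dst_ip: str
    dst_port: int


Event = Union[ProcessStart, NetConnect]


def is_removable_lnk_launch(ev: ProcessStart) -> bool:
    """True when the process was started via a .lnk sitting on a removable drive."""
    shortcut = ev.launch_shortcut
    return shortcut.lower().endswith(".lnk") and shortcut.upper().startswith(REMOVABLE_DRIVES)


def correlate(events: List[Event]) -> List[str]:
    """Walk events in time order and return alert strings.

    A process launched from a removable-drive .lnk becomes the root of a
    'tainted' tree; every descendant inherits the root. Any connection from
    a tainted process to a Tor default port produces a second alert.
    """
    tainted: Dict[int, int] = {}  # pid -> root pid of the shortcut-launched tree
    images: Dict[int, str] = {}
    alerts: List[str] = []
    for ev in events:
        if isinstance(ev, ProcessStart):
            images[ev.pid] = ev.image
            if is_removable_lnk_launch(ev):
                tainted[ev.pid] = ev.pid
                alerts.append(
                    f"lnk-launch pid={ev.pid} image={ev.image} via {ev.launch_shortcut}"
                )
            elif ev.ppid in tainted:
                tainted[ev.pid] = tainted[ev.ppid]
        elif ev.pid in tainted and ev.dst_port in TOR_PORTS:
            alerts.append(
                f"tor-port-connect pid={ev.pid} image={images.get(ev.pid, '?')} "
                f"root={tainted[ev.pid]} dst={ev.dst_ip}:{ev.dst_port}"
            )
    return alerts


# Constructed sample telemetry (not real Raspberry Robin artifacts).
SAMPLE_EVENTS: List[Event] = [
    ProcessStart(100, 1, r"C:\Windows\explorer.exe"),
    ProcessStart(200, 100, r"C:\Windows\System32\cmd.exe", launch_shortcut=r"E:\USB_DRIVE.lnk"),
    ProcessStart(300, 200, r"C:\Users\Public\stage2.exe"),            # child of the lnk launch
    ProcessStart(400, 100, r"C:\Program Files\Browser\browser.exe"),  # unrelated process
    NetConnect(400, "203.0.113.5", 443),    # benign: not in a tainted tree
    NetConnect(300, "198.51.100.7", 9001),  # tainted descendant -> Tor OR port -> alert
    NetConnect(300, "198.51.100.8", 443),   # tainted but ordinary port -> no alert
]

if __name__ == "__main__":
    for line in correlate(SAMPLE_EVENTS):
        print(line)
```

Port matching alone would drown a SOC in false positives, which is why the Tor check is only evaluated for trees that already carry the removable-media .lnk signal; in practice the second stage would be replaced or complemented by matching destinations against a current Tor relay list, and the first by the sensor's own parent-process and drive-type fields rather than the assumed `launch_shortcut` attribute.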
Source: Trend Micro