Raspberry Robin, ScreenConnect, AteraAgent, RDP, whoami, & SharpShares

First identified in 2021, Raspberry Robin (1) is a Windows worm malware that spreads itself through a network after an initial infection via malicious USB drives.

Threat actors use Raspberry Robin as an initial access malware for other malware variants and malicious campaigns, using its worm feature to move laterally through affected networks prior to deploying additional payloads.

The APG predicts that threat actors will very likely continue to use Raspberry Robin for persistence over the next 12 months.

We base this assessment on internal Blackpoint observed attacks, such as this March 31st attack against a Basic Materials partner, and external incident reports that detail the use of Raspberry Robin to gain persistence and deploy second stage payloads. For example:

• In April 2024, HP security researchers reported a Raspberry Robin incident involving the threat actor spreading Raspberry Robin malware through Windows Script Files (.wsf) via web downloads (2), demonstrating how threat actors continue to improve and develop their malware delivery tactics to evade detection and remain a critical threat to organizations.
  • The malicious .wsf files were offered for download via various threat actor-controlled domains and subdomains.
  • The script file acted as a downloader and used a variety of anti-analysis and virtual machine detection techniques.
• In 2023, Reliaquest security researchers reported that Raspberry Robin was the third most used malware loader in incidents observed by the company, comprising 23% of reported incidents (3).
  • And, earlier this year in 2024, ReliaQuest researchers updated that report to state that Raspberry Robin was, again, in the topmost observed malware loader in observed security incidents, involved in 7% of all company-reported incidents (4).

Blackpoint’s APG recommends the following actions to help mitigate the deployment of Raspberry Robin.

• Run employee security training as a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results.
• Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
• Segment critical systems, so they are isolated from less secure areas while preventing unauthorized communication between segments.
• Restrict access controls for removeable media, particularly for USB drives, to reduce the chances of malicious USB or memory devices to execute payloads on monitored endpoints.

ScreenConnect (AKA ConnectWise) is a legitimate remote access tool intended for organizational use to remotely manage end user devices (5).

Threat actors often abuse ScreenConnect and other “authorized” or legitimate remote monitoring and management (RMM) tools due to:

• The complete device and network access this type of tool provides,
• The ability to remain undetected and blend into normal traffic, and
• The potential for persistent access to compromised networks.

Similar to ScreenConnect, AteraAgent is another remote monitoring and management (RMM) tool that allows system administrators, IT helpdesk employees, and other authorized users to take full control of a device remotely (6).

The tool is an attractive tool for threat actors, as they can conduct a wide variety of activities – such as network discovery and persistent access – after an initial comprise. Since AteraAgent is also a “legitimate” tool used by many IT organizations, it is likely that threat actors use the tool in an attempt to blend in to normal traffic, as well.

Blackpoint’s APG predicts that threat actors will very likely continue to abuse RMM tools such as ScreenConnect and AteraAgent over the next 12 months.

We base this assessment on internal Blackpoint observed attacks and external incident reports that review the malicious abuse of both RMM tools that the threat actor attempted to deploy during this incident.

In these selected public APG incident analysis of internal attacks this year, threat actors abused ScreenConnect and other remote access tools on:

• February 21, 2024, alongside JWrapper remote access software;
• April 22, 2024, with abused RDP alongside PCHunter64.exe;
• May 07, 2024, with a compromised remote desktop protocol (RDP) session forming the opening salvo for an attempted Devos ransomware takeover;
• May 29, 2024, with netscan, FileZilla, and a Labtech RMM tool;
• June 09, 2024, abuse of TeamViewer remote administration tool alongside of malicious scheduled tasks and added registry keys; and
• July 10, 2024, with TeamViewer and Advanced IP Scanner.

Beyond the Blackpoint managed ecosystem, the APG currently tracks:

• At least nine ransomware operations and three threat groups abusing the ScreenConnect tool during publicly reported incidents, and
• At least nine ransomware operations and two threat groups separately seen abusing the AteraAgent tool.

Selected external support of continued ScreenConnect and AteraAgent abuse by threat actors includes:

• In June 2024, eSentire security researchers reported multiple incidents with threat actors abusing ScreenConnect for persistence (7).
  • The threat group deployed the tool via malicious websites that redirected users to download the ScreenConnect application automatically.
  • The malicious ScreenConnect installation then allowed threat actors to download AsyncRAT malware, which can be used to deploy second-stage payloads and steal sensitive data.
• In March 2024, Proofpoint security researchers reported an incident attributed to the Iran-linked threat group MuddyWater (AKA TA450, Mango Sandstorm, Static Kitten), which included AteraAgent abuse (8).
  • The group reportedly sent emails with PDF attachments that contained malicious links, resulting in malicious installation of AteraAgent on the compromised system.

Blackpoint’s APG recommends the following actions to help mitigate the abuse of legitimate RMM tools for maintaining persistent access.

• Enforce multi-factor authentication (MFA) on all user accounts – especially those with privileged access! – to help decrease the chances of undetected credential compromise.
• Implement application controls, including blocklists and allowlists, to help manage and control software installation by end users to only approved and vetted applications.
• Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
• Implement a risk-based patch management program to ensure that relevant and exploited security vulnerabilities in critical services are patched in a timely manner, to prevent exploitation of low-criticality-but-still-relevant CVEs.

Remote desktop protocol (RDP) is a protocol that allows legitimate organization users with IT, development, and security functions to use a desktop remotely. Threat actors can abuse RDP to move laterally through compromised networks. RDP is used by both legitimate system administrators and malicious threat actors for two primary purposes:

• Remote Desktop Access: Users can utilize remote access to their physical desktop computer from another device.
• Remote Administration: Users can perform remote administrative work by accessing the device.

Threat actors can target RDP and use it through a variety of methods (9), including:

• Hijacking RDP sessions;
• Using accessibility features, such as Sticky Keys;
• Brute force attacks,
• Specialty malware explicitly designed for RDP; and
• Protocol tunneling.

whoami is a command used in both Windows and Unix operating systems and can be used to display the current username and privilege information (10).

Threat actors can use this tool for reconnaissance, gathering information that can then be used for:

• Persistence,
• Lateral movement, and
• Privilege escalation.

SharpShares is a tool designed to enumerate all network shares within the current domain, and can be used to resolve names to IP addresses (11).Threat actors abuse this tool to identify:

• Folders and drives shared on remote systems;
• Information that can be collected and exfiltrated for maximum impact; and
• Systems of interest that can be moved to, for further malicious activities.

Blackpoint’s APG predicts that threat actors will almost certainly continue to abuse RDP for initial access and commands and tools, such as whoami and SharpShares, for discovery over the next 12 months.

We base this assessment on internal Blackpoint observed attacks and external incident reports covering RDP abuse and other malicious use of whoami and SharpShares.

The APG currently tracks:

• At least 30 ransomware operations and 18 threat groups abusing the RDP for lateral movement or initial access publicly reported incidents,
• At least seven ransomware operations and nine threat groups separately seen using the whoami command for discovery, and
• At least three ransomware operations abusing SharpShares.

The APG has put out previous analysis of threat actor abuse of RDP and whoami command, in particular:

RDP Abuse

• Industrials incident on April 22, 2024
• Professional & Commercial Services incident on May 04, 2024
• Consumer Cyclicals Partner on May 24, 2024
• Industrials incident on July 7, 2024

whoami Abuse

• Real Estate incident on April 17, 2024

Additional external reporting and support of the APG’s threat assessment of the abuse of these tools includes:

• In 2024, the U.S. CISA released an updated #StopRansomware report related to the BlackSuit ransomware operation, which includes their use of the SharpShares tool for discovery and reconnaissance tactics (12).
  • CISA updated their previous Royal ransomware report to reflect the group’s purported rebrand to the BlackSuit variant.

Blackpoint’s APG recommends the following actions to help mitigate the malicious use of legitimate services, commands, and tools for initial access and discovery.

• Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions, making it harder for threat actors to move laterally within the infected environment to more desireable targets.
• Establish effective firewall rules and configurations, including restricting access to port 3389 and blocking RDP traffic between network security zones.
• Strategically adopt portions of zero trust security architecture. A “zero trust” security strategy assumes that all resource requests are malicious until otherwise proven by credentials, authorizations, and other checks – even if the request comes from a previously accepted and cleared source. (Ask every time it’s feasible to do so!)
• Create, test, and implement incident response plans (IRPs), including the organization’s disaster recovery (DR) and business continuity (BC) processes. IRPs should cover emergency processes for data backup and restoration, as well as notification processes – such as internal and external partners, team members, and law enforcement – and annual investment and testing of documented procedures.

1. Red Canary’s Blog: “Raspberry Robin” by Red Canary on 2024-04-17
2. HP’s Blog: “Raspberry Robin Now Spreading Through Windows Script Files” by Patrick Schläpfer on 2024-04-10
3. ReliaQuest’s Blog: “3 Malware Loaders You Can’t (Shouldn’t) Ignore” by ReliaQuest Threat Research Team on 2023-08-25
4. ReliaQuest’s Blog: “Common Malware Loaders” by Righi, Ivan on 2024-08-13
5. 
   ConnectWise’s Website: “ScreenConnect” by ConnectWise on N/A
6. Atera’s Website: “All-in-one IT Platform” by Atera on N/A
7. eSentire’s Blog: “Exploring the Infection Chain: ScreenConnect’s Link to AsyncRAT Deployment” by eSentire Threat Response Unit on 2024-07-03
8. Proofpoint’s Blog: “Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign” by Joshua Miller on 2024-03-21
9. Blackpoint Cyber’s Blog: “How RDP Attacks Go Down” by Blackpoint Cyber on 2022-05-31
10. Microsoft’s Repository: “whoami” by Microsoft on 2023-02-03
11. 
    GitHub’s Repository: “Sharp Shares” by djhohnstein on 2019-11-19
12. CISA’s Advisory: “#StopRansomware: BlackSuit (Royal) Ransomware” by CISA on 2024-08-07