Divided Raspberry Robin Malware Upgrades and New Exploits


The operators of Raspberry Robin are now using two new one-day exploits to achieve local escalation of privilege, even as the malware continues to be refined and improved to make it more stealthy than before.

This means that “Raspberry Robin has access to an exploit vendor or the authors develop the exploits themselves in a short period of time,” Check Point said in a report this week.

Raspberry Robin (also known as QNAP worm), first documented in 2021, is an evasive malware family known to act as one of the top initial access facilitators for other malicious payloads, including ransomware.

Attributed to a threat actor called Storm-0856 (formerly DEV-0856), it is spread via various access vectors, including infected USB drives, with Microsoft describing it as part of a “complex and interconnected malware ecosystem” that has ties to other e-crime groups like Evil Corp, Silence and TA505.

Raspberry Robin’s use of one-day exploits such as CVE-2020-1054 and CVE-2021-1732 for privilege escalation was highlighted by Check Point in April 2023.

The cybersecurity firm, which has detected “large waves of attacks” since October 2023, says the threat actors have implemented additional anti-analysis and obfuscation techniques to make the malware more difficult to detect and analyze.

“Most importantly, Raspberry Robin continues to use various exploits for vulnerabilities before or shortly after they are made public,” the report said.

“Those one-day exploits were not made public at the time of use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a zero-day and sold on the dark web.”

A report from Cyfirma late last year revealed that an exploit for CVE-2023-36802 was advertised on dark web forums in February 2023. This was seven months before Microsoft and CISA issued an advisory on active exploitation. It was patched by the Windows maker in September 2023.


Raspberry Robin is said to have started using an exploit for the flaw sometime in October 2023, the same month public exploit code was made available, and an exploit for CVE-2023-29360 in August. The latter was made public in June 2023, but an exploit for the bug did not appear until September 2023.

It is believed that the threat actors are purchasing these exploits rather than developing them internally, due to the fact that they are used as an external 64-bit executable and are not as heavily obfuscated as the malware’s core module.

“Raspberry Robin’s ability to quickly incorporate newly disclosed exploits into its arsenal further demonstrates a significant level of threat, with vulnerabilities being exploited before many organizations have applied patches,” the company said.

One of the other major changes concerns the initial access path itself, which uses rogue RAR archive files containing Raspberry Robin samples hosted on Discord.

Also modified in the newer variants are the lateral movement logic, which now uses PAExec.exe instead of PsExec.exe, and the command-and-control (C2) communication method, which now randomly chooses a V3 onion address from a list of 60 hardcoded onion addresses.

“It starts by trying to contact legitimate and well-known Tor domains and checking for a response,” Check Point explains. “If there is no response, Raspberry Robin will not attempt to communicate with the real C2 servers.”
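For defenders, the switch from PsExec.exe to PAExec.exe described above means a hunt keyed only on the PsExec file name will miss the newer variants. The following is an added example, not code from Check Point or the article: a process-creation hunt that matches both tools by file name and by PE version-info name, so a renamed copy is still caught. The events are constructed, the field names follow Sysmon Event ID 1, and the `OriginalFileName` values are assumptions to confirm against the binaries in your environment.

```python
import json
import ntpath
import re

# Lateral-movement tools named in the article, keyed by on-disk file name.
BY_IMAGE = {"paexec.exe": "PAExec", "psexec.exe": "PsExec"}
# Assumed PE OriginalFileName values; verify against your own copies of the tools.
BY_ORIGINAL = {"paexec.exe": "PAExec", "psexec.c": "PsExec"}

# PsExec-style remote target argument: \\host or \\ip at the start of a token.
REMOTE_TARGET = re.compile(r"(?:^|\s)\\\\([\w.-]+)")

# Constructed events (invented hosts and paths), one JSON object per line.
SAMPLE_EVENTS = r"""
{"Computer":"WS-014","Image":"C:\\Windows\\System32\\cmd.exe","OriginalFileName":"Cmd.Exe","CommandLine":"cmd.exe /c dir"}
{"Computer":"WS-014","Image":"C:\\Users\\Public\\PAExec.exe","OriginalFileName":"PAExec.exe","CommandLine":"PAExec.exe \\\\FS-02 -s cmd.exe /c whoami"}
{"Computer":"WS-020","Image":"C:\\ProgramData\\svchelper.exe","OriginalFileName":"PAExec.exe","CommandLine":"svchelper.exe \\\\10.0.4.7 -s cmd.exe"}
{"Computer":"ADM-01","Image":"C:\\Tools\\PsExec.exe","OriginalFileName":"psexec.c","CommandLine":"PsExec.exe \\\\PRN-01 ipconfig"}
"""


def hunt(raw_lines):
    """Return one finding per process-creation event that runs PAExec or PsExec."""
    findings = []
    for line in raw_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON log lines
        image = ntpath.basename(event.get("Image", "")).lower()
        original = event.get("OriginalFileName", "").lower()
        # The version-info name survives a rename on disk, so check it first.
        tool = BY_ORIGINAL.get(original) or BY_IMAGE.get(image)
        if tool is None:
            continue
        findings.append({
            "host": event.get("Computer", "?"),
            "tool": tool,
            "renamed": original in BY_ORIGINAL and BY_IMAGE.get(image) != tool,
            "targets": REMOTE_TARGET.findall(event.get("CommandLine", "")),
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Both tools have legitimate administrative uses, so findings are best triaged by source host, target and whether the binary was renamed rather than treated as malicious on sight.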
