Even though the malware is still being developed and improved to make it more stealthy than before, the Raspberry Robin operators are now using two new one-day exploits to increase local privilege escalation.
According to a report released this week by Check Point,” Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in short period of time.”
The evasive malware family Raspberry Robin, also known as QNAP worm, was first identified in 2021. It is well known for serving as one of the main conduits for other malicious payloads, such as ransomware.
Microsoft describes it as a” complex and interconnected malware ecosystem” with ties to other e-crime groups like Evil Corp, Silence, and TA505. It is attributed to the threat actor Storm-0856 ( previously DEV- 0856 ) and spreads via several entry vectors, including infected USB drives.
Check Point previously emphasized Raspberry Robin’s use of one-day exploits like CVE 2020 1054 and PVE 2021 1732 for privilege escalation in April 2023.
Threat actors have added new anti-analysis and obfuscation techniques to make it more difficult to detect and analyze, according to the cybersecurity firm, which has been able to identify “large waves of attacks” since October 2023.
It stated that “most importantly, Raspberry Robin continues to use various exploits for vulnerabilities, either before or shortly after they were publicly disclosed.”
At the time of their use, those one-day exploits were not made public. CVE-2023-36802 was used as a zero-day vulnerability exploit and was offered for sale on the dark web.
An exploit for CVE-2023-36802 was being advertised on dark web forums in February 2023, according to a Cyfirma report from late last year. Before Microsoft and CISA issued a recommendation on active exploitation, this was seven months ago. In September 2023, the Windows manufacturer patched it.
According to reports, Raspberry Robin began using an exploit for the flaw sometime in October 2023, the same month that CVE-2023-29360‘s public exploit code was made available. Although the latter was made public in June 2023, the bug was n’t exploited until September of that year.
Due to the fact that these exploits are used as an external 64-bit executable and are not as heavily obfuscated as the malware’s core module, it has been determined that the threat actors buy them rather than develop them internally.
According to the company,” Raspberry Robin’s capacity to quickly incorporate newly discovered exploits into its arsenal further demonstrates a significant threat level by exploiting vulnerabilities before many organizations have applied patches.”
The initial access pathway itself, which makes use of rogue RAR archive files containing Raspberry Robin samples hosted on Discord, is one of the other significant changes.
The lateral movement logic, which now employs PAExec, has also been altered in the more recent versions. Instead of PsExec, use exe. exe, and the command-and-control ( C2 ) communication method by selecting one of 60 hardcoded onion addresses at random from the list.
According to Check Point, the first step is to try to get in touch with reliable and well-known Tor domains and see if they respond. Raspberry Robin does n’t attempt to contact the actual C2 servers if there is no response.