The operators of Raspberry Robin are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before.
This means that “Raspberry Robin has access to an exploit vendor or that its authors develop the exploits themselves in a short period of time,” Check Point said in a report this week.
Raspberry Robin (also known as the QNAP worm), first documented in 2021, is an evasive malware family known to act as a major enabler of initial entry for other malicious payloads, including ransomware.
Attributed to a threat actor tracked as Storm-0856 (formerly DEV-0856), it propagates via multiple entry vectors, including infected USB drives, and Microsoft describes it as part of a “complex, interconnected malware ecosystem” with ties to other cybercrime groups such as Evil Corp, Silence and TA505.
Raspberry Robin’s use of one-day exploits such as CVE-2020-1054 and CVE-2021-1732 for privilege escalation was previously highlighted by Check Point in April 2023.
The cybersecurity firm, which has observed “large waves of attacks” since October 2023, said the threat actors have implemented additional anti-analysis and obfuscation techniques to make the malware harder to detect and analyze.
“Most importantly, Raspberry Robin continues to use multiple exploits for vulnerabilities before or only shortly after they were made public,” the company noted.
“Those one-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a zero-day and was sold on the dark web.”
A report from Cyfirma late last year revealed that an exploit for CVE-2023-36802 was being advertised on dark web forums in February 2023, seven months before Microsoft and CISA issued a warning about active exploitation. Microsoft patched the flaw in September 2023.
Raspberry Robin is said to have started using an exploit for the flaw in October 2023, the same month that public exploit code became available, and an exploit for CVE-2023-29360 in August. The latter vulnerability was disclosed in June 2023, but an exploit for the bug did not appear publicly until September 2023.
The threat actors are believed to purchase these exploits rather than develop them in-house, because the exploits are deployed as external 64-bit executables and are not as heavily obfuscated as the main malware module.
“Raspberry Robin’s ability to quickly incorporate newly disclosed exploits into its arsenal further demonstrates a significant threat level, exploiting vulnerabilities before many organizations have applied patches,” the company said.
One of the other significant changes concerns the initial access path itself, which now leverages rogue RAR archive files containing Raspberry Robin samples hosted on Discord.
In newer variants, the lateral movement logic has also been changed to use PAExec.exe instead of PsExec.exe, and the command-and-control (C2) communication method now randomly chooses a V3 Onion address from a list of 60 encoded Onion addresses.
“It starts by trying to contact legitimate, known Tor domains and checking whether it gets any responses,” Check Point explained. “If there is no response, Raspberry Robin does not attempt to communicate with the real C2 servers.”