Raspberry Robin jumps on one-day bugs lurking in Windows networks

The Raspberry Robin worm incorporates one-day exploits almost as soon as they are developed, in order to improve its privilege escalation capabilities.

Check Point researchers suspect that the developers behind the initial access tool are contracting with Dark Web exploit brokers, allowing them to quickly incorporate new exploits and gain SYSTEM-level privileges before those exploits are disclosed to the public and before many affected organizations manage to apply patches for the associated vulnerabilities.

“This is a very powerful part of the program that gives the attacker much more capabilities in terms of evasion and performing actions with higher privileges than any other scenario,” explains Eli Smadja, Check Point group manager.

Raspberry Robin: embedding exploits faster than before

Raspberry Robin was first spotted in 2021 and publicly documented on Red Canary's blog the following year. Since then, its developers have become much more proactive, updating their tool in a fraction of the time it used to take them.

Consider, for example, an early update: the incorporation of an exploit for CVE-2021-1732, a privilege escalation vulnerability with a "high" CVSS score of 7.8 out of 10. That Win32k Windows driver bug was first disclosed in February 2021, but was not integrated into Raspberry Robin until the following year.

Compare that with another privilege escalation vulnerability disclosed last June: CVE-2023-29360, a "high" 8.4 out of 10 bug in the Windows Microsoft Streaming Service Proxy component. Raspberry Robin was already exploiting it in August, while a public exploit would only surface the following month.

Then there was CVE-2023-36802, a similar bug in the same streaming service component with a CVSS score of 7.8. First disclosed on September 12, it was being exploited by Raspberry Robin in early October, before any public exploit had been released (though the developers do not deserve too much credit here, as an exploit had reportedly been for sale on the Dark Web since February).

In other words, the time the group needed to weaponize a vulnerability after its disclosure shrank from about a year, to two months, to a couple of weeks.

To explain this rapid turnaround, Check Point suggests that the worm's developers either buy their exploits from exploit developers on the Dark Web or write them themselves. Differences between the worm's own code and the exploit code suggest that the first scenario is the more likely one.

A widespread and effective cyber threat for initial access

Already in its first year of operation, Raspberry Robin was one of the most prolific worms in the world, racking up thousands of infections per month. Red Canary ranked it the seventh most prevalent threat of 2022, with numbers only growing from month to month.

Nowadays, Raspberry Robin is a popular initial access option for threat actors such as Evil Corp, TA505 and others, contributing to serious breaches of public- and private-sector organizations.

"Most of the major malware families today use worms to spread across networks because it's very useful: it saves a lot of the hard work of developing these features yourself," explains Smadja. "For example, initial access to a system, bypassing security, and command-and-control infrastructure: you just buy it, combine it, and it makes your job much easier."

This is especially true, he adds, "because tools like Raspberry Robin continue to improve, using new zero-days and one-days, improving their infrastructure and their fulfillment techniques. So I think it will never go away. It's an amazing service for an aggressor company."
