Raspberry Robin malware evolves with early access to Windows exploits


Recent versions of the Raspberry Robin malware are stealthier and use one-day exploits that are deployed only on systems that are still vulnerable to them.

One-day (also called 1-day or n-day) exploits refer to code that leverages a vulnerability the vendor of the affected software has patched recently, but where the fix has either not yet been shipped to all customers or has not been applied on all vulnerable systems.

From the moment the vendor discloses the vulnerability, which usually coincides with publishing a patch, threat actors rush to build an exploit and use it before the fix propagates to a large number of systems.

According to a report from Check Point, Raspberry Robin has recently used at least two exploits for 1-day flaws, which indicates that the malware operator either has the capacity to develop the code or has sources that supply it.

Raspberry Robin background

Raspberry Robin is a worm that Red Canary, a managed detection and response company, first identified in 2021. It spreads mainly through removable storage devices such as USB drives to establish a foothold on infected systems and facilitate the deployment of additional payloads.

It has been associated with threat actors like EvilCorp, FIN11, TA505, the Clop ransomware gang, and other malware operations, but its creators and maintainers are unknown.

Since its discovery, Raspberry Robin has continuously evolved, adding new features and evasion techniques and adopting several distribution methods. One example of an evasion tactic it implemented was dropping fake payloads to mislead researchers.

Check Point reports that it has observed an uptick in Raspberry Robin's operations starting October 2023, with large attack waves targeting systems worldwide.

A notable change in recent campaigns is the use of the Discord platform to drop malicious archive files onto the target, likely after emailing the links to the target.

The archives contain a digitally signed executable (OleView.exe) and a malicious DLL file (aclui.dll) that is side-loaded when the victim runs the executable, thus activating Raspberry Robin on the system.
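The side-loading pattern above (a legitimately signed Microsoft binary placed next to a DLL that carries a Windows system DLL's name) is detectable from image-load telemetry. The following is an added example, not code from the Check Point report or from this article: a small heuristic run over constructed Sysmon-style ImageLoad (Event ID 7) records. Field names mirror Sysmon's; the `process_signature` field is assumed to have been joined in from the matching process-creation event (Event ID 1), since Event ID 7 only carries the signature of the loaded DLL. The sample events and the extra DLL names beyond aclui.dll are illustrative assumptions.

```python
"""Added example (not from the Check Point report or this article): a DLL
side-loading heuristic applied to constructed Sysmon-style ImageLoad records."""
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "c:\\programdata\\")

# Windows DLL names that side-loading campaigns impersonate.  aclui.dll is the one
# named on this page; the others are assumptions added for illustration.
SIDELOAD_NAMES = {"aclui.dll", "version.dll", "dbghelp.dll",
                  "wtsapi32.dll", "cryptbase.dll"}


@dataclass
class ImageLoad:
    image: str                 # Sysmon "Image": the process executable
    image_loaded: str          # Sysmon "ImageLoaded": the DLL that was mapped
    dll_signature: str         # Sysmon "Signature" of the DLL ("" if unsigned)
    dll_signature_status: str  # Sysmon "SignatureStatus" of the DLL
    process_signature: str     # signer of the process image (assumed joined from Event ID 1)


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def score_event(ev: ImageLoad) -> List[str]:
    """Return the reasons an ImageLoad event looks like side-loading (empty if benign)."""
    reasons: List[str] = []
    dll_name = ntpath.basename(ev.image_loaded).lower()
    exe_dir = ntpath.dirname(ev.image).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()

    # A system DLL name resolved from somewhere other than the system directories.
    if dll_name in SIDELOAD_NAMES and not _in_system_dir(ev.image_loaded):
        reasons.append(f"{dll_name} is a Windows DLL name but was loaded from {dll_dir}")

    # DLL sitting beside the host executable, outside System32, with a different
    # (or missing) signer than the executable itself.
    if dll_dir == exe_dir and not _in_system_dir(ev.image):
        if (ev.dll_signature_status.lower() != "valid"
                or ev.dll_signature != ev.process_signature):
            reasons.append("DLL beside the host executable but not signed by the same publisher")

    # A Microsoft-signed binary copied into a user-writable location.
    if _user_writable(ev.image) and ev.process_signature.lower().startswith("microsoft"):
        reasons.append("Microsoft-signed binary running from a user-writable path")
    return reasons


def detect_sideloads(events: List[ImageLoad]) -> List[Tuple[ImageLoad, List[str]]]:
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry: one event shaped like the campaign on this page,
# two benign loads for contrast.
SAMPLE_EVENTS = [
    ImageLoad(image=r"C:\Users\victim\AppData\Local\Temp\archive\OleView.exe",
              image_loaded=r"C:\Users\victim\AppData\Local\Temp\archive\aclui.dll",
              dll_signature="", dll_signature_status="Unavailable",
              process_signature="Microsoft Windows"),
    ImageLoad(image=r"C:\Windows\System32\mmc.exe",
              image_loaded=r"C:\Windows\System32\aclui.dll",
              dll_signature="Microsoft Windows", dll_signature_status="Valid",
              process_signature="Microsoft Windows"),
    ImageLoad(image=r"C:\Program Files\Vendor\app.exe",
              image_loaded=r"C:\Program Files\Vendor\helper.dll",
              dll_signature="Vendor Inc", dll_signature_status="Valid",
              process_signature="Vendor Inc"),
]

if __name__ == "__main__":
    for ev, reasons in detect_sideloads(SAMPLE_EVENTS):
        print(ev.image)
        for r in reasons:
            print("  -", r)
```

Only the first constructed event trips the rules, and it trips all three; the mmc.exe load of the real aclui.dll from System32 and the vendor application loading its own signed helper DLL produce no findings. In production the signer comparison should use the certificate subject rather than the display name, and the user-writable path list should be tuned to the environment.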

Targeting n-day flaws

When Raspberry Robin is first run on a computer, it automatically attempts to elevate privileges on the device using a variety of 1-day exploits.

Check Point highlights that the recent Raspberry Robin campaign leverages exploits for CVE-2023-36802 and CVE-2023-29360, two local privilege escalation vulnerabilities in Microsoft Streaming Service Proxy and the Windows TPM Device Driver, respectively.

In both cases, the researchers say, Raspberry Robin started exploiting the flaws using a then-unknown exploit less than a month after the security issues were publicly disclosed (June 13, 2023 for CVE-2023-29360 and September 12, 2023 for CVE-2023-36802).

As illustrated in the timeline diagram below, Raspberry Robin exploited the two flaws before security researchers first published proof-of-concept exploit code for them.

[Image: Disclosure and exploitation timelines (Check Point)]

Specifically, regarding CVE-2023-36802, which enables attackers to escalate their privileges to the SYSTEM level, Cyfirma reported that an exploit had been available for purchase on the Dark Web since February 2023, a full seven months before Microsoft acknowledged and addressed the issue.

This timeline suggests that Raspberry Robin acquires 1-day exploits from external sources almost immediately after their disclosure, as their price as zero-days would likely be too high even for larger cybercrime operations.

Check Point found evidence that supports this theory as well: the exploits used by Raspberry Robin were not embedded into the main 32-bit component but deployed as external 64-bit executables, and they also lack the heavy obfuscation typically seen in this malware.

New evasion mechanisms

Check Point's report also highlights several advancements in the latest Raspberry Robin variants, which include new anti-analysis, evasion, and lateral movement mechanisms.

[Image: New mechanisms seen in recent variants (Check Point)]

To evade security tools and OS defenses, the malware now attempts to terminate specific processes like 'runlegacycplelevated.exe,' related to User Account Control (UAC), and patches the NtTraceEvent API to evade detection by Event Tracing for Windows (ETW).

Moreover, Raspberry Robin now checks whether certain APIs, like 'GetUserDefaultLangID' and 'GetModuleHandleW', are hooked by comparing the first byte of the API function against its expected value, a way of detecting monitoring by security products.
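Both the ETW patch and the hook check above come down to inspecting the first bytes of a function's prologue, and defenders can apply the same inspection in the other direction. The following is an added example, not code from the Check Point report: it classifies a function entry as clean, hooked (entry redirected by a jump or push/ret trampoline) or stubbed (entry replaced with an immediate return, as done to NtTraceEvent), and reports any difference from the on-disk bytes. It runs on constructed byte strings; the x64 syscall-stub bytes and syscall number are placeholders in the shape ntdll uses, not the real NtTraceEvent. The only Windows-specific piece, `read_live_prologue`, is guarded and not exercised by the sample data.

```python
"""Added example (not from the Check Point report): prologue-byte checks of the
kind this page describes, applied to constructed byte strings."""
import sys
from typing import Dict, List, Optional

# Instruction patterns at a function entry that redirect execution elsewhere,
# i.e. an inline hook installed by a monitoring product.
HOOK_PATTERNS = [
    (b"\xe9", "jmp rel32 trampoline"),
    (b"\xff\x25", "jmp [rip+disp32] absolute jump"),
    (b"\x48\xb8", "mov rax, imm64 (followed by jmp rax)"),
    (b"\x68", "push imm32 / ret trampoline"),
]

# Patterns that make a function return immediately: the style of patch used to
# silence NtTraceEvent and blind ETW consumers.
STUB_PATTERNS = [
    (b"\x31\xc0\xc3", "xor eax, eax; ret"),
    (b"\x33\xc0\xc3", "xor eax, eax; ret"),
    (b"\xb8\x00\x00\x00\x00\xc3", "mov eax, 0; ret"),
    (b"\xc3", "ret"),
]


def inspect_prologue(mem: bytes, disk: Optional[bytes] = None) -> Dict[str, object]:
    """Classify the first bytes of a function.

    mem:  bytes at the function entry in the running process
    disk: the same bytes from the module file on disk, if available; any
          difference is reported even when no known pattern matches.
    """
    findings: List[str] = []
    for pat, desc in STUB_PATTERNS:
        if mem.startswith(pat):
            findings.append("stubbed: " + desc)
            break
    for pat, desc in HOOK_PATTERNS:
        if mem.startswith(pat):
            findings.append("hooked: " + desc)
            break
    if disk is not None:
        n = min(len(mem), len(disk))
        if mem[:n] != disk[:n]:
            findings.append("mismatch: in-memory bytes differ from the on-disk image")
    return {"verdict": "modified" if findings else "clean", "findings": findings}


def first_byte_check(mem: bytes, expected_first: int) -> bool:
    """The cheap test this page attributes to the malware: compare only the
    first byte with the value a clean copy starts with. True means 'looks clean'."""
    return mem[:1] == bytes([expected_first])


# Constructed x64 syscall stub in the shape of ntdll's Nt* exports:
#   mov r10, rcx ; mov eax, <ssn> ; test byte ptr [7ffe0308h], 1 ; jne +3 ; syscall ; ret
# The syscall number 0x5b is a placeholder, not NtTraceEvent's real number.
CLEAN_NT_STUB = (b"\x4c\x8b\xd1\xb8\x5b\x00\x00\x00"
                 b"\xf6\x04\x25\x08\x03\xfe\x7f\x01\x75\x03\x0f\x05\xc3")
ETW_PATCHED = b"\xc3" + CLEAN_NT_STUB[1:]            # first byte overwritten with ret
HOOKED_API = b"\xe9\x10\x32\x54\x76" + b"\x90" * 3    # jmp rel32 into a trampoline

SAMPLES = {
    "NtTraceEvent (clean)": (CLEAN_NT_STUB, CLEAN_NT_STUB),
    "NtTraceEvent (patched)": (ETW_PATCHED, CLEAN_NT_STUB),
    "GetModuleHandleW (hooked)": (HOOKED_API, None),
}


def scan_samples() -> Dict[str, str]:
    """Verdict per constructed sample."""
    return {name: str(inspect_prologue(mem, disk)["verdict"])
            for name, (mem, disk) in SAMPLES.items()}


def read_live_prologue(module: str, func: str, n: int = 16) -> Optional[bytes]:
    """Read n bytes at an exported function's entry in this process (Windows only)."""
    if sys.platform != "win32":
        return None
    import ctypes
    lib = ctypes.WinDLL(module)
    addr = ctypes.cast(getattr(lib, func), ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


if __name__ == "__main__":
    for name, (mem, disk) in SAMPLES.items():
        print(name, inspect_prologue(mem, disk))
```

The first-byte comparison is deliberately included to show why it is a weak test in both directions: it flags the ETW patch because `ret` replaces the leading `mov r10, rcx`, but a hook installed a few bytes into the function, or a product that relocates the whole prologue, leaves the first byte intact. Comparing the full prologue against the on-disk image, as `inspect_prologue` does when `disk` is supplied, is the more robust check; on a live Windows host the in-memory side would come from `read_live_prologue("ntdll", "NtTraceEvent")`.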

Another interesting new tactic is the implementation of routines that use APIs like 'AbortSystemShutdownW' and 'ShutdownBlockReasonCreate' to prevent system shutdowns that could interrupt the malware's activity.

To conceal the command and control (C2) addresses, the malware first randomly contacts one of 60 hard-coded Tor domains pointing to well-known sites, so that its initial communications look benign.

[Image: Tor domains used for creating decoy traffic (Check Point)]

Finally, Raspberry Robin now uses PAExec.exe instead of PsExec.exe to download the payload directly from the hosting location. This decision was likely made to increase its stealth, as PsExec.exe is widely known to be misused by attackers and is therefore more closely monitored.

The researchers believe that Raspberry Robin will keep evolving and add new exploits to its arsenal, seeking code that has not been released publicly. Based on observations made during the malware analysis, it is likely that the operators of the malware do not develop the exploits themselves but are connected to a developer who provides the exploit code.

Check Point's report provides a list of indicators of compromise for Raspberry Robin, consisting of hashes for the malware, multiple domains in the Tor network, and Discord URLs used to download the malicious archive.