Raspberry Robin [1] [2] [3] [4] [5] [6], a malware strain associated with the threat actor Storm-0856 [4], is known for providing initial access for subsequent malicious payloads [3] [4]. This article examines the recent integration of two new one-day exploits, CVE-2023-36802 and CVE-2023-29360 [1] [4] [5], into Raspberry Robin for local privilege escalation, following its earlier use of CVE-2020-1054 and CVE-2021-1732 [2] [3] [5]. It also explores the use of external 64-bit exploit executables, the changes in the malware's initial access pathway and lateral movement logic [3], and its communication with command-and-control servers [3].

Description

Raspberry Robin [1] [2] [3] [4] [5] [6], utilized by the threat actor Storm-0856 [4], has incorporated two new one-day exploits, CVE-2023-36802 and CVE-2023-29360 [1] [4] [5], for local privilege escalation [2] [3] [4] [5] [6]. The appearance of these exploits so soon after disclosure suggests either access to exploit sellers or rapid in-house development capabilities. Notably, the exploits are external 64-bit executables and are less obfuscated than Raspberry Robin's main component, which points to purchase rather than in-house development.

Previous reports from Check Point have highlighted Raspberry Robin's use of exploits for CVE-2020-1054 and CVE-2021-1732 [3]. Raspberry Robin has consistently adopted exploits for vulnerabilities shortly after their public disclosure, a pattern consistent with purchasing exploits rather than developing them internally.

Furthermore, Raspberry Robin has changed its initial access pathway and lateral movement logic [3]. It now uses rogue RAR archives hosted on Discord as its latest initial access pathway and PAExec.exe for lateral movement [4]. The malware communicates with its command-and-control servers over Tor, selecting V3 onion addresses at random for C2 communication.
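The three indicators in the paragraph above (RAR archives served from Discord, PAExec.exe process creation, and V3 onion C2 addresses) can be triaged from proxy and endpoint logs. The following is an added example written for this article, not code from any of the cited reports or from the malware itself. The log lines are constructed; the Discord CDN URL layout and the Sysmon-style `Image=` field are assumptions about the log format. The onion checksum rule is taken from the Tor v3 onion service specification and lets the scanner reject 56-character strings that merely look like onion addresses.

```python
"""Triage Raspberry Robin indicators over a log excerpt: Discord-hosted RAR delivery,
PAExec.exe execution, and Tor V3 onion C2 addresses.
Sample log lines are constructed for this example; the Discord CDN URL layout and
the Sysmon-style `Image=` field are assumptions about the log format."""
import base64
import hashlib
import re
from dataclasses import dataclass

# A V3 onion address is 56 base32 characters (a-z, 2-7) followed by ".onion".
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b", re.IGNORECASE)
# Assumed URL shape for a RAR archive served from Discord's attachment CDN.
DISCORD_RAR_RE = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/\d+/\d+/[^\s<>'\"]+\.rar\b",
    re.IGNORECASE,
)
# Process-creation record whose image path ends in PAExec.exe (Sysmon-style field name assumed).
PAEXEC_RE = re.compile(r"Image=([^\s,]*\\paexec\.exe)\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    kind: str
    indicator: str


def v3_onion_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """Tor rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def make_v3_onion(pubkey: bytes) -> str:
    """Encode a 32-byte public key as a V3 onion address (used here only to build test data)."""
    if len(pubkey) != 32:
        raise ValueError("V3 onion addresses encode a 32-byte public key")
    raw = pubkey + v3_onion_checksum(pubkey) + b"\x03"  # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_v3_onion(addr: str) -> bool:
    """True only if the address decodes to (pubkey, checksum, version=3) with a matching checksum."""
    m = ONION_V3_RE.fullmatch(addr.strip().lower())
    if not m:
        return False
    raw = base64.b32decode(m.group(1).upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == 3 and checksum == v3_onion_checksum(pubkey, version)


def scan_log(lines):
    """Return one Finding per indicator hit, in line order."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in ONION_V3_RE.finditer(line):
            addr = m.group(0).lower()
            kind = "tor_v3_onion" if is_valid_v3_onion(addr) else "onion_invalid_checksum"
            findings.append(Finding(n, kind, addr))
        for m in DISCORD_RAR_RE.finditer(line):
            findings.append(Finding(n, "discord_rar", m.group(0)))
        m = PAEXEC_RE.search(line)
        if m:
            findings.append(Finding(n, "paexec_exec", m.group(1)))
    return findings


# Constructed sample data: the "key" is just bytes 0..31, so the address is not a real service.
SAMPLE_ONION = make_v3_onion(bytes(range(32)))
SAMPLE_LOG = [
    "2024-02-01T10:00:01Z proxy GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/invoice.rar 200",
    f"2024-02-01T10:02:15Z tor-gw CONNECT {SAMPLE_ONION}:80",
    "2024-02-01T10:02:16Z tor-gw CONNECT abcdefghijklmnop.onion:80",  # 16-char V2 style: ignored
    "2024-02-01T10:02:17Z tor-gw CONNECT " + "a" * 56 + ".onion:80",  # right length, bad checksum
    "2024-02-01T10:05:40Z sysmon EventID=1 Image=C:\\Windows\\Temp\\PAExec.exe CommandLine=\"PAExec.exe \\\\FILESRV01 -s cmd.exe\"",
    "2024-02-01T10:06:00Z sysmon EventID=1 Image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind}: {f.indicator}")
```

Running the block on the constructed excerpt yields four findings: the Discord RAR download, one valid V3 onion address, one 56-character string rejected by the checksum, and the PAExec.exe process creation; the 16-character V2-style name and the notepad.exe record are not reported. In a real deployment the PAExec hit is only a lead, since PAExec is also a legitimate administration tool, so pair it with the source host and the remote target before escalating.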

It is worth noting that Raspberry Robin has been associated with e-crime groups such as Evil Corp, Silence [3] [4], and TA505 [4]. Researchers have discovered that the criminals behind Raspberry Robin are now purchasing exploits to expedite their cyberattacks [1]. This suggests the involvement of an exploit developer either on the payroll of Raspberry Robin or selling exploits to the group [1].

Check Point Research has observed Raspberry Robin incorporating exploits for vulnerabilities that are less than a month old [1], indicating a focus on speed to maximize the chances of success [1]. One of the vulnerabilities, CVE-2023-36802 [1] [4] [5], had also been exploited as a zero-day and sold on the dark web [1]. The researchers suspect that Raspberry Robin had access to a developer [1], as it was able to use the exploit shortly after public disclosure [1]. Another exploit, for CVE-2023-29360 [1] [4] [5], publicly disclosed in June [1] [5], was used by Raspberry Robin in August [1]. Analysis of the malware suggests that these exploits were purchased rather than developed in-house [1].

Raspberry Robin is a trusted malware loader employed by major criminal groups [1], regularly updating its features to evade detection and analysis [1]. The proactive approach of Raspberry Robin in exploiting vulnerabilities before patch application underscores the importance of patch management, threat intelligence sharing [4], and proactive monitoring to mitigate the risks posed by this evolving malware [4].

Conclusion

The integration of new exploits by Raspberry Robin highlights the increasing trend of purchasing exploits to enhance cyberattacks. This emphasizes the need for organizations to prioritize patch management, threat intelligence sharing [4], and proactive monitoring to mitigate the risks associated with this evolving malware. The involvement of an exploit developer raises concerns about the accessibility of exploits and the potential for their misuse. It is crucial for security professionals to stay vigilant and adapt their defenses to counter the evolving tactics of threat actors like Storm-0856.

References

[1] https://rodinanews.co.uk/news/raspberry-robin-devs-are-buying-exploits-for-faster-attacks-the-register/327958/
[2] https://windows8.myblog.it/2024/02/10/raspberry-robin-malware-si-aggiorna-con-la-diffusione-tramite-discord-e-nuovi-exploit/
[3] https://thehackernews.com/2024/02/raspberry-robin-malware-upgrades-with.html
[4] https://www.varutra.com/ctp/threatpost/postDetails/Raspberry-Robin-Exploits-New-One-Day-Vulnerabilities,-Enhancing-Stealth-and-Persistence/azgrNndTN3hCSFZEYk8wVkkrMFk4QT09
[5] https://www.redpacketsecurity.com/raspberry-robin-malware-upgrades-with-discord-spread-and-new-exploits/
[6] https://securityaffairs.com/158969/malware/raspberry-robin-1-day-exploits.html