Researchers suspect the criminals behind the Raspberry Robin malware are now buying exploits for speedier cyberattacks.
An exploit developer is thought by infosec pros to be either on the Raspberry Robin payroll or a close contact that sells them to the group - most likely the latter.
That's according to Check Point Research (CPR), which has tracked how long it takes for vulnerability exploits to be added as features to the malware.
In 2022, Raspberry Robin added exploits for vulnerabilities that were up to 12 months old, such as CVE-2021-1732, but this has quickly switched to those less than a month old, like CVE-2023-36802.
It means the criminals behind it are prioritizing the speed of development to maximize their chances of successful attacks.
Very few knew about CVE-2023-36802 until Microsoft addressed it as part of its September 2023 Patch Tuesday updates.
Cyfirma spotted an exploit for it being sold on the dark web as early as February of that year, seven months before the security advisories began popping up.
The earliest signs of Raspberry Robin abusing CVE-2023-36802 came in October, just weeks after Patch Tuesday and the same month that public exploit code was made available.
Researchers believe this points to the team's access to a developer, given how little time it took to start making use of the vulnerability, especially compared to a year earlier when it was using year-old vulns.
It is possible the Raspberry Robin team stumbled upon the February exploit and bought that. Alternatively, someone in-house may have quickly developed their own after spotting the bug in Microsoft's update list, but this is seen as the less likely option.
Another case from earlier in 2023 also pointed to the possibility of Raspberry Robin's ties to sophisticated developers.
Analysis of the malware showed that these exploits were being used as external 64-bit executables, which to the CPR researchers indicates that they were bought rather than developed in-house.
The fact that these executables were 64-bit only also hints towards outside development, since Raspberry Robin itself was built for both 32-bit and 64-bit architectures.
The exploits also didn't use the same high degree of obfuscation as Raspberry Robin's main component does, such as control flow flattening and variable masking.
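The architecture of a dropped executable is one of the first things an analyst checks when triaging a sample like the ones described above. The script below is an added example, not code from the article or from CPR: it reads the DOS header, follows e_lfanew to the PE signature, and classifies the sample by its COFF Machine field and optional-header magic, flagging the case where the two disagree. The sample headers it parses are constructed inline; the function and field names are the author's own.

```python
import struct

# COFF Machine values from the PE specification.
MACHINE_NAMES = {
    0x014C: "I386",
    0x8664: "AMD64",
    0xAA64: "ARM64",
}

# Optional-header magic values: PE32 (32-bit) and PE32+ (64-bit).
MAGIC_FORMATS = {
    0x010B: "PE32",
    0x020B: "PE32+",
}


def classify_pe(data: bytes) -> dict:
    """Return the architecture of a PE image based on its headers.

    Raises ValueError if the buffer is not a well-formed PE header.
    """
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff
    )
    if opt_size < 2:
        raise ValueError("optional header missing")
    (magic,) = struct.unpack_from("<H", data, coff + 20)
    machine_name = MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})")
    fmt = MAGIC_FORMATS.get(magic, f"unknown(0x{magic:04x})")
    is_64 = machine in (0x8664, 0xAA64)
    # A 64-bit Machine with a PE32 magic (or vice versa) is a tampered or
    # malformed header and deserves a closer look rather than a verdict.
    consistent = fmt == ("PE32+" if is_64 else "PE32")
    return {
        "machine": machine_name,
        "format": fmt,
        "is_64bit": is_64,
        "consistent": consistent,
    }


def build_sample_header(machine: int, magic: int) -> bytes:
    """Construct a minimal, constructed PE header for testing (not a real binary)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x0022)
    return dos + b"PE\x00\x00" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    for label, hdr in (
        ("x64 sample", build_sample_header(0x8664, 0x020B)),
        ("x86 sample", build_sample_header(0x014C, 0x010B)),
        ("mismatched sample", build_sample_header(0x8664, 0x010B)),
    ):
        print(label, classify_pe(hdr))
```

Against a real file, read it in binary mode and pass the bytes to classify_pe; a 64-bit-only result across every exploit executable, while the loader ships both PE32 and PE32+ builds, is the kind of discrepancy the CPR analysis used as a signal.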
Raspberry Robin plays an important role in the world of cybercrime and is trusted by many of the major criminal groups that are tracked by security researchers, such as EvilCorp, TA505, IcedID, and various ransomware affiliates.
Last year it was named as one of the three malware loaders that were jointly responsible for 80 percent of cyberattacks between January and August 2023, alongside QBot and SocGholish.
In publishing its suspicions about Raspberry Robin's shift toward buying exploits, CPR also found an array of new features had been added.
The malware is well known for its regular updates, especially focused on anti-evasion techniques, and the latest version is no different.
It comes loaded with new methods to prevent researchers from analyzing its inner workings as well as new routines for surviving system shutdowns.
Minor updates to its communication and lateral movement logic have also made it through the pipeline.
This Cyber News was published on go.theregister.com. Publication date: Thu, 08 Feb 2024 17:43:04 +0000