Recent versions of the Raspberry Robin malware are stealthier and implement one-day exploits that are deployed only on systems that are susceptible to them.
One-day exploits are code that leverages a vulnerability the vendor of the affected software patched recently, but whose fix has either not yet been distributed to all clients or not yet been applied on all vulnerable systems.
According to a report from Check Point, Raspberry Robin has recently used at least two exploits for 1-day flaws, which indicates that the malware operator either has the capability to develop the code or has sources that provide it.
Raspberry Robin is a worm that Red Canary, a managed detection and response company, first identified in 2021.
Since its discovery, Raspberry Robin has continuously evolved, adding new features, evasion techniques, and adopting several distribution methods.
Check Point reports that it has observed an uptick in Raspberry Robin's operations starting October 2023, with large attack waves targeting systems worldwide.
The archives contain a digitally signed executable and a malicious DLL file that is side-loaded when the victim runs the executable, thus activating Raspberry Robin on the system.
When Raspberry Robin is first run on a computer, it will automatically attempt to elevate privileges on the device using a variety of 1-day exploits.
Check Point highlights that the new Raspberry Robin campaign leverages exploits for CVE-2023-36802 and CVE-2023-29360, two local privilege escalation vulnerabilities in Microsoft Streaming Service Proxy and the Windows TPM Device Driver, respectively.
In both cases, the researchers say, Raspberry Robin started exploiting the flaws with a then-unknown exploit less than a month after they were disclosed publicly, on June 13 and September 12, 2023.
As illustrated in the timeline diagram below, Raspberry Robin exploited the two flaws before security researchers first published proof-of-concept exploit code for them.
Specifically, regarding CVE-2023-36802, which enables attackers to escalate their privileges to the SYSTEM level, Cyfirma reported that an exploit had been available for purchase on the Dark Web since February 2023, a full seven months before Microsoft acknowledged and addressed the issue.
This timeline suggests that Raspberry Robin acquires 1-day exploits from external sources almost immediately after their disclosure, as their cost as zero-days is likely too high even for larger cybercrime operations.
Check Point found evidence that supports this theory as well: the exploits used by Raspberry Robin were not embedded in the main 32-bit component but deployed as external 64-bit executables, and they also lack the heavy obfuscation typically seen with this malware.
Check Point's report also highlights several advancements in the latest Raspberry Robin variants, which include new anti-analysis, evasion, and lateral movement mechanisms.
Raspberry Robin now checks whether certain APIs, like 'GetUserDefaultLangID' and 'GetModuleHandleW', are hooked by inspecting the first byte of the API function, in order to detect monitoring by security products.
The researchers believe that Raspberry Robin will keep evolving and add new exploits to its arsenal, seeking code that has not been released publicly.
Based on observations during the malware analysis, it is likely that the operators of the malware do not create the exploits themselves but are connected to a developer who provides the exploit code.
Check Point's report provides a list of indicators of compromise for Raspberry Robin, which consists of hashes for the malware, multiple domains in the Tor network, and Discord URLs for downloading the malicious archive.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 10 Feb 2024 15:15:09 +0000