Raspberry Robin Malware Upgrades with Discord Spread and New Exploits


The operators of Raspberry Robin are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before.

This means that "Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time," Check Point said in a report this week.

Raspberry Robin (aka QNAP worm), first documented in 2021, is an evasive malware family that is known to act as one of the top initial access facilitators for other malicious payloads, including ransomware.

Attributed to a threat actor named Storm-0856 (previously DEV-0856), it is propagated via several entry vectors, including infected USB drives, with Microsoft describing it as part of a "complex and interconnected malware ecosystem" with ties to other e-crime groups like Evil Corp, Silence, and TA505.

Raspberry Robin's use of one-day exploits such as CVE-2020-1054 and CVE-2021-1732 for privilege escalation was previously highlighted by Check Point in April 2023.

The cybersecurity firm, which detected "large waves of attacks" since October 2023, said the threat actors have implemented additional anti-analysis and obfuscation techniques to make it harder to detect and analyze.

"Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed," it noted.

"These one-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a zero-day and was sold on the dark web."

A report from Cyfirma late last year revealed that an exploit for CVE-2023-36802 was being advertised on dark web forums in February 2023. This was seven months before Microsoft and CISA released an advisory on active exploitation. It was patched by the Windows maker in September 2023.


Raspberry Robin is said to have started using an exploit for the flaw sometime in October 2023, the same month public exploit code was made available, as well as one for CVE-2023-29360 in August. The latter was publicly disclosed in June 2023, but an exploit for the bug did not appear until September 2023.

It is assessed that the threat actors purchase these exploits rather than developing them in-house, owing to the fact that they are used as an external 64-bit executable and are not as heavily obfuscated as the malware's core module.

"Raspberry Robin's ability to quickly incorporate newly disclosed exploits into its arsenal further demonstrates a significant threat level, exploiting vulnerabilities before many organizations have applied patches," the company said.

One of the other significant changes concerns the initial access pathway itself, leveraging rogue RAR archive files containing Raspberry Robin samples that are hosted on Discord.

Also modified in the newer variants is the lateral movement logic, which now uses PAExec.exe instead of PsExec.exe, and the command-and-control (C2) communication method, which randomly chooses a V3 onion address from a list of 60 hardcoded onion addresses.

"It starts with trying to contact legitimate and well-known Tor domains and checking if it gets any response," Check Point explained. "If there is no response, Raspberry Robin does not try to communicate with the real C2 servers."
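The two behaviours described above (a Tor reachability check followed by a randomly chosen V3 onion address, and PAExec.exe replacing PsExec.exe for lateral movement) are both things a defender can look for in DNS and process telemetry. The following is an added triage example, not code from Check Point or from the malware: it validates V3 onion addresses structurally (56-character base32 string encoding a 32-byte key, a 2-byte SHA3-256 checksum and the version byte 0x03, per the Tor v3 onion service specification) and scans a small constructed log for .onion lookups and PAExec/PsExec executions. The log format, host names, and the key used to build the sample address are all constructed for the example.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Tor v3 onion service address layout (Tor rend-spec-v3):
#   onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
#   PUBKEY is the 32-byte ed25519 key, VERSION is the single byte 0x03,
#   so the base32 part is always 56 characters (35 bytes * 8 / 5).
_V3_VERSION = b"\x03"
_ONION_SEARCH_RE = re.compile(r"\b([a-z2-7]{16,56})\.onion\b")

# Lateral-movement tooling named in the report (PAExec.exe now used in place of PsExec.exe).
_LATERAL_TOOLS = ("paexec.exe", "psexec.exe")


def _checksum(pubkey: bytes, version: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def make_v3_onion(pubkey: bytes) -> str:
    """Build a well-formed v3 .onion address from a 32-byte key.

    Used here only to produce constructed sample data for the scanner.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey, _V3_VERSION) + _V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_v3_onion(host: str) -> bool:
    """True if host is a structurally valid v3 onion address (length, version byte, checksum)."""
    m = re.fullmatch(r"([a-z2-7]{56})\.onion", host.strip().lower())
    if not m:
        return False
    try:
        raw = base64.b32decode(m.group(1).upper())
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if len(raw) != 35 or raw[34:35] != _V3_VERSION:
        return False
    return raw[32:34] == _checksum(raw[:32], raw[34:35])


def scan_log(lines: List[str]) -> Dict[str, List[str]]:
    """Return lines worth triage, keyed by 'onion' (Tor hidden-service lookups)
    and 'lateral' (PAExec/PsExec executions).

    Assumed (constructed) log format: '<timestamp> <host> <event> <key=value ...>'.
    Each .onion hit is tagged 'v3-valid' or 'malformed' so an analyst can tell a
    real hidden-service address from a typo or a decoy string.
    """
    hits: Dict[str, List[str]] = {"onion": [], "lateral": []}
    for line in lines:
        lowered = line.lower()
        for name in _ONION_SEARCH_RE.findall(lowered):
            tag = "v3-valid" if is_v3_onion(name + ".onion") else "malformed"
            hits["onion"].append(f"{tag}: {line.strip()}")
        if any(tool in lowered for tool in _LATERAL_TOOLS):
            hits["lateral"].append(line.strip())
    return hits


# Constructed sample telemetry. The key is arbitrary bytes, not any real service key;
# the first DNS line mimics the "contact a well-known Tor domain first" reachability check.
_DEMO_KEY = bytes(range(32))
SAMPLE_LOG = [
    "2024-02-10T09:12:01Z host-7 dns query=check.torproject.org",
    f"2024-02-10T09:12:02Z host-7 dns query={make_v3_onion(_DEMO_KEY)}",
    "2024-02-10T09:12:05Z host-7 dns query=" + "a" * 56 + ".onion",
    "2024-02-10T09:13:00Z host-7 process image=C:\\Users\\Public\\PAExec.exe",
    "2024-02-10T09:14:00Z host-7 process image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for category, lines in scan_log(SAMPLE_LOG).items():
        print(f"[{category}] {len(lines)} hit(s)")
        for entry in lines:
            print("   ", entry)
```

The structural check matters because a bare `.onion` substring match will also fire on malformed or decoy strings; a name that decodes to 35 bytes with version 0x03 and a correct checksum is one a Tor client would actually try to resolve. In practice the `.onion` and PAExec signals are weak on their own and are best correlated on the same host within a short window, as the sample log illustrates.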
