Wednesday, July 3, 2024

Raspberry Robin Malware Upgrades with Discord Spread and New Exploits

Feb 09, 2024 | Newsroom | Malware / Dark Web


The operators of Raspberry Robin are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before.

This means “Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time,” Check Point said in a report this week.

Raspberry Robin (aka QNAP worm), first documented in 2021, is an evasive malware family that is known to act as one of the top initial access facilitators for other malicious payloads, including ransomware.

Attributed to a threat actor named Storm-0856 (previously DEV-0856), it is propagated via several entry vectors, including infected USB drives, with Microsoft describing it as part of a “complex and interconnected malware ecosystem” with ties to other e-crime groups like Evil Corp, Silence, and TA505.


Raspberry Robin’s use of one-day exploits such as CVE-2020-1054 and CVE-2021-1732 for privilege escalation was previously highlighted by Check Point in April 2023.

The cybersecurity firm, which detected “large waves of attacks” since October 2023, said the threat actors have implemented additional anti-analysis and obfuscation techniques to make it harder to detect and analyze.

“Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed,” it noted.

“These one-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a zero-day and was sold on the dark web.”

A report from Cyfirma late last year revealed that an exploit for CVE-2023-36802 was being advertised on dark web forums in February 2023. This was seven months before Microsoft and CISA released an advisory on active exploitation. It was patched by the Windows maker in September 2023.


Raspberry Robin is said to have started using an exploit for the flaw sometime in October 2023, the same month public exploit code was made available, as well as one for CVE-2023-29360 in August. The latter was publicly disclosed in June 2023, but an exploit for the bug did not appear until September 2023.


It is assessed that the threat actors purchase these exploits rather than developing them in-house, owing to the fact that they are used as an external 64-bit executable and are not as heavily obfuscated as the malware’s core module.

“Raspberry Robin’s ability to quickly incorporate newly disclosed exploits into its arsenal further demonstrates a significant threat level, exploiting vulnerabilities before many organizations have applied patches,” the company said.

One of the other significant changes concerns the initial access pathway itself, leveraging rogue RAR archive files containing Raspberry Robin samples that are hosted on Discord.

Also modified in the newer variants is the lateral movement logic, which now uses PAExec.exe instead of PsExec.exe, and the command-and-control (C2) communication method, which randomly chooses a V3 onion address from a list of 60 hardcoded onion addresses.

“It starts with attempting to contact legitimate and well-known Tor domains and checking if it gets any response,” Check Point explained. “If there is no response, Raspberry Robin doesn’t try to communicate with the real C2 servers.”
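The C2 logic described above picks from a list of hardcoded V3 onion addresses. As an added example (not code from the article or from Check Point's report), the validator below uses the public Tor v3 onion address checksum to separate genuine addresses from look-alike base32 noise when an analyst pulls candidates out of a sample's strings or proxy logs; the key and text it runs on are constructed.

```python
"""Validate Tor v3 onion addresses and pick them out of analyst input.

Added example, not code from the article or from Check Point's report. The
format checked is the public Tor v3 onion address layout:
base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion", where
CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2].
"""
import base64
import hashlib
import re

V3_ONION_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b")


def _checksum(pubkey: bytes, version: bytes = b"\x03") -> bytes:
    # First two bytes of SHA3-256 over the fixed prefix, the key and the version.
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def build_v3_onion(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte ed25519 public key (used here for test data)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + b"\x03"  # 35 bytes -> exactly 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_v3_onion(address: str) -> bool:
    """True only if the string has v3 shape, version byte 3 and a matching checksum."""
    m = V3_ONION_RE.fullmatch(address.lower())
    if not m:
        return False
    raw = base64.b32decode(m.group(1).upper())  # regex already restricts the alphabet
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == b"\x03" and checksum == _checksum(pubkey)


def extract_valid_onions(text: str) -> list[str]:
    """Return the checksum-valid v3 addresses in text, dropping same-length noise."""
    return [f"{g}.onion" for g in V3_ONION_RE.findall(text.lower())
            if is_valid_v3_onion(f"{g}.onion")]


# Constructed sample: one address built from a made-up key, plus a base32 string
# of the right length that is not a real v3 address (its version byte decodes to 0).
SAMPLE_KEY = bytes(range(32))
SAMPLE_TEXT = f"cfg: {build_v3_onion(SAMPLE_KEY)} fallback: {'a' * 56}.onion"

if __name__ == "__main__":
    print(extract_valid_onions(SAMPLE_TEXT))
```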
