Raspberry Robin Malware Upgrades with Discord Spread and New Exploits

By neub9
2 Min Read

Feb 09, 2024NewsroomMalware / Dark Web

The operators of Raspberry Robin have started utilizing two new one-day exploits to achieve local privilege escalation, all while continuing to refine and improve the malware for enhanced stealth.

Check Point, in areport this week, noted that “Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time.”

Raspberry Robin (aka QNAP worm), first documented in 2021, serves as an initial access facilitator for other malicious payloads, including ransomware, and is known to be operated by a threat actor named Storm-0856 (previously DEV-0856).

Raspberry Robin’s use of one-day exploits such as CVE-2020-1054 and CVE-2021-1732 for privilege escalation was previously highlighted by Check Point in April 2023.

The cybersecurity firm reported the usage of anti-analysis and obfuscation techniques by the threat actors to evade detection and analysis.

Areport from Cyfirma late last year revealed that an exploit for CVE-2023-36802 was being advertised on dark web forums in February 2023, months before it was patched by Microsoft.

Raspberry Robin began utilizing an exploit for the flaw sometime in October 2023, the same month a public exploit code was made available, and a bug for CVE-2023-29360 surfaced in September 2023.

The threat actors are assessed to purchase these exploits rather than developing them in-house, indicating the threat level and rapid adoption of newly disclosed exploits into its arsenal by Raspberry Robin.

Raspberry Robin has also made significant changes to its lateral movement logic and command-and-control communication method in its newer variants.

“Raspberry Robin’s ability to quickly incorporate newly disclosed exploits into its arsenal further demonstrates a significant threat level, exploiting vulnerabilities before many organizations have applied patches,” Check Point explained.

If you found this article interesting, follow us on Twitter and LinkedIn to read more exclusive content we post.

Share This Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *