The operators of Raspberry Robin are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before.
This means that “Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time,” Check Point said in a report this week.
Raspberry Robin (aka QNAP worm), first documented in 2021, is an evasive malware family that is known to act as one of the top initial access facilitators for other malicious payloads, including ransomware.
Attributed to a threat actor named Storm-0856 (previously DEV-0856), it is propagated via several entry vectors, including infected USB drives, with Microsoft describing it as part of a “complex and interconnected malware ecosystem” with ties to other e-crime groups like Evil Corp, Silence, and TA505.
Raspberry Robin's use of one-day exploits such as CVE-2020-1054 and CVE-2021-1732 for privilege escalation was previously highlighted by Check Point in April 2023.
The cybersecurity firm, which has detected “large waves of attacks” since October 2023, said the threat actors have implemented additional anti-analysis and obfuscation techniques to make the malware harder to detect and analyze.
“Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed,” it noted.
“These one-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a zero-day and was sold on the dark web.”
A report from Cyfirma late last year revealed that an exploit for CVE-2023-36802 was being advertised on dark web forums in February 2023, seven months before Microsoft and CISA released an advisory on active exploitation. The flaw was patched by Microsoft in September 2023.
Raspberry Robin is said to have started using an exploit for the flaw sometime in October 2023, the same month public exploit code became available, and an exploit for CVE-2023-29360 in August 2023. The latter vulnerability was publicly disclosed in June 2023, but a public exploit for it did not appear until September 2023, so the malware was using it before one was generally available.
Check Point assesses that the threat actors purchase these exploits rather than developing them in-house, because they are shipped as an external 64-bit executable and are not as heavily obfuscated as the malware's core module.
“Raspberry Robin's ability to quickly incorporate newly disclosed exploits into its arsenal further demonstrates a significant threat level, exploiting vulnerabilities before many organizations have applied patches,” the company said.
One of the other significant changes concerns the initial access pathway itself, which now leverages rogue RAR archive files containing Raspberry Robin samples hosted on Discord.
Also modified in the newer variants is the lateral movement logic, which now uses PAExec.exe (a legitimate open-source PsExec alternative, so its presence alone is not an indicator of compromise) instead of PsExec.exe, and the command-and-control (C2) communication method, which randomly picks a V3 onion address from a list of 60 hardcoded onion addresses.
“It starts with trying to contact legitimate and well-known Tor domains and checking if it gets any response,” Check Point explained. “If there is no response, Raspberry Robin doesn't try to communicate with the real C2 servers.”
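An analyst triaging a sample that embeds a list of V3 onion C2 addresses, as described above, usually wants to pull every candidate out of a strings dump and confirm each one is a well-formed address before it goes onto a blocklist (extraction noise and one-character typos otherwise end up as dead indicators). The following is an added example written for this page; it is not Check Point's tooling or any code from the malware, and the `SAMPLE_STRINGS` blob and the key bytes used to build the addresses are constructed here and are not real C2 addresses. It implements the V3 onion address format from the Tor rend-spec-v3: `base32(PUBKEY || CHECKSUM || VERSION) + ".onion"`, where the 2-byte checksum is the SHA3-256 of `".onion checksum" || PUBKEY || VERSION` and the version byte is `0x03`.

```python
import base64
import hashlib
import re
from typing import List, Tuple

ONION_V3_VERSION = b"\x03"
# 56 base32 characters (a-z, 2-7) followed by ".onion"; guards keep us from
# matching a 56-char tail of a longer token.
ONION_RE = re.compile(r"(?<![a-z2-7])([a-z2-7]{56})\.onion(?![a-z0-9])")


def _checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def make_onion_v3(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a V3 onion address."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_V3_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str) -> bytes:
    """Return the embedded public key if address is a valid V3 onion, else raise ValueError."""
    host = address.lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("V3 onion addresses are 56 base32 characters")
    try:
        raw = base64.b32decode(host.upper())
    except Exception as exc:
        raise ValueError("not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError("version byte is not 0x03")
    if checksum != _checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


def is_valid_onion_v3(address: str) -> bool:
    try:
        parse_onion_v3(address)
        return True
    except ValueError:
        return False


def extract_onion_v3(blob: str) -> Tuple[List[str], List[str]]:
    """Split .onion candidates found in a strings dump into (valid, rejected) lists."""
    valid, rejected = [], []
    for match in ONION_RE.finditer(blob):
        addr = match.group(1) + ".onion"
        (valid if is_valid_onion_v3(addr) else rejected).append(addr)
    return valid, rejected


# Constructed test data: keys are placeholder bytes, so these are not real services.
GOOD_A = make_onion_v3(bytes(range(32)))
GOOD_B = make_onion_v3(bytes(32))
# Flip the final character: it encodes the low bits of the version byte, so the
# result decodes cleanly but fails the version check, like a one-character typo would.
BAD = GOOD_A[:55] + "e" + GOOD_A[56:]
SAMPLE_STRINGS = (
    "\x00Software\\Microsoft\x00" + GOOD_A + "\x00abcdefghijklmnop.onion\x00"  # 16-char v2-style form is ignored
    + BAD + "\x00" + GOOD_B + "\x00kernel32.dll\x00"
)

if __name__ == "__main__":
    ok, bad = extract_onion_v3(SAMPLE_STRINGS)
    print("valid:", ok)
    print("rejected:", bad)
```

Only the `valid` list should be turned into indicators; a rejected entry is worth a second look at the raw bytes, because a decoding or de-obfuscation bug in the triage pipeline tends to show up as a checksum mismatch long before it shows up as an empty list.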