Malware
February 13, 2024

Raspberry Robin Malware Advances, Gains Early Access to Windows Vulnerabilities

New versions of the Raspberry Robin malware are stealthier and incorporate one-day exploits, which are used only on systems that have not yet been patched against the corresponding flaws. A one-day (or n-day) exploit targets a vulnerability the vendor has already fixed, relying on the patch not yet having been deployed to every susceptible system.

Once a vendor discloses a vulnerability, typically alongside the release of a patch, threat actors swiftly move to develop an exploit and deploy it before the fix reaches a significant portion of systems.

According to recent findings, Raspberry Robin has recently exploited at least two one-day vulnerabilities, suggesting that the malware operator possesses the capability to develop such code or has access to sources providing it.

Background of Raspberry Robin

Initially identified in 2021, Raspberry Robin functions as a worm primarily disseminated through removable storage devices like USB drives. Its objective is to establish a foothold on compromised systems and facilitate the dissemination of additional payloads.

Although associated with threat actors like EvilCorp, FIN11, TA505, the Clop ransomware gang, and other malware operations, the creators and maintainers of Raspberry Robin remain unidentified.

Since its emergence, Raspberry Robin has continuously evolved, incorporating new functionalities, evasion tactics, and employing various distribution methods. For instance, it has utilised deceptive techniques such as dropping fake payloads to confound researchers.

Researchers have observed an increase in Raspberry Robin activity since October 2023, marked by large attack waves against systems worldwide.

A significant shift in recent campaigns is the use of the Discord platform to deliver malicious archive files to targets, most likely via links in emails. Each archive contains a legitimately signed executable (OleView.exe) and a malicious DLL (aclui.dll) placed beside it. When OleView.exe runs, the Windows loader resolves the DLL from the executable's own directory before looking in System32, so the malicious copy is side-loaded and Raspberry Robin gains its foothold on the system.
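The side-loading pattern described above can be spotted in image-load telemetry. The following is an added example written for this article, not code from Check Point's report or from the malware: it generalises the OleView.exe/aclui.dll case to any host executable running from outside the Windows directory that loads a DLL whose name belongs in System32, but from the host's own directory. The event lines and the SYSTEM32_DLLS set are constructed for the example; Sysmon Event ID 7 (image loaded) is the kind of real-world source such records would come from.

```python
"""
Flag DLL side-loading candidates in image-load telemetry.

Added example, not Raspberry Robin code and not from the Check Point
report. Rule: a DLL whose name the OS normally supplies from System32 is
loaded from the host executable's own directory, and that directory is
not under the Windows directory.
"""
import ntpath

# Constructed subset; in practice derive this from a clean reference image.
SYSTEM32_DLLS = {"aclui.dll", "version.dll", "wininet.dll", "dwmapi.dll"}

WINDOWS_DIR = r"C:\Windows"

# Constructed records, one per line, loosely modelled on Sysmon Event ID 7 fields.
SAMPLE_EVENTS = [
    r"Image=C:\Users\alice\Downloads\pack\OleView.exe|ImageLoaded=C:\Users\alice\Downloads\pack\aclui.dll|Signed=false|Signature=-",
    r"Image=C:\Users\alice\Downloads\pack\OleView.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|Signature=Microsoft Windows",
    r"Image=C:\Windows\System32\mmc.exe|ImageLoaded=C:\Windows\System32\aclui.dll|Signed=true|Signature=Microsoft Windows",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\version.dll|Signed=true|Signature=Vendor Ltd",
    r"Image=C:\Users\alice\Downloads\pack\OleView.exe|ImageLoaded=C:\Users\alice\Downloads\pack\helper.dll|Signed=false|Signature=-",
]


def parse_event(line: str) -> dict:
    """Split a 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def _norm(path: str) -> str:
    # ntpath handles Windows paths on any host; normcase lower-cases them.
    return ntpath.normcase(ntpath.normpath(path))


def _under_windows_dir(path: str) -> bool:
    return _norm(path).startswith(_norm(WINDOWS_DIR) + "\\")


def sideload_verdict(event: dict):
    """Return a finding dict for a side-loading candidate, else None."""
    host, dll = event["Image"], event["ImageLoaded"]
    if ntpath.basename(dll).lower() not in SYSTEM32_DLLS:
        return None                      # not a name the OS normally supplies
    if ntpath.dirname(_norm(dll)) != ntpath.dirname(_norm(host)):
        return None                      # resolved elsewhere, e.g. System32 itself
    if _under_windows_dir(host):
        return None                      # OS binaries legitimately live together
    # An unsigned DLL standing in for a system DLL is the classic side-load;
    # a vendor-signed copy next to a vendor exe is common and gets a lower rating.
    severity = "high" if event.get("Signed", "").lower() != "true" else "medium"
    return {"host": host, "dll": dll, "severity": severity}


def scan(lines) -> list:
    """Run the rule over raw event lines and keep only the hits."""
    findings = []
    for line in lines:
        verdict = sideload_verdict(parse_event(line))
        if verdict:
            findings.append(verdict)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} loaded {f['dll']} from its own directory")
```

On the constructed sample the rule raises a high-severity finding for the unsigned aclui.dll beside OleView.exe and a medium one for the signed version.dll beside the vendor application, while ignoring kernel32.dll (loaded from System32) and mmc.exe's legitimate co-located load inside the Windows directory. A production rule would also compare the file hash against the known System32 copy rather than trusting the name alone.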

Targeting "n-day" vulnerabilities

Upon execution on a target system, Raspberry Robin immediately endeavours to elevate privileges using an array of one-day exploits.

The latest Raspberry Robin campaign exploits vulnerabilities for CVE-2023-36802 and CVE-2023-29360, targeting local privilege escalation in Microsoft Streaming Service Proxy and the Windows TPM Device Driver, respectively.

According to the researchers, Raspberry Robin started using previously unseen exploits for these flaws within a month of their public disclosure: CVE-2023-29360 was disclosed and patched on June 13, 2023, and CVE-2023-36802 on September 12, 2023.

Raspberry Robin exploited both vulnerabilities before security researchers initially released proof-of-concept exploit code for them.

Regarding CVE-2023-36802, which lets an attacker escalate to SYSTEM privileges, Cyfirma reported an exploit being offered for sale on the Dark Web as early as February 2023, seven months before Microsoft acknowledged and fixed the issue.

This timeline suggests that Raspberry Robin's operators buy one-day exploits from external sources shortly after disclosure: the same exploits bought as zero-days would likely be too expensive even for a large cybercrime operation.

Other findings support this theory: the exploits Raspberry Robin used were not integrated into its main 32-bit component but were dropped as separate 64-bit executables, and they lacked the heavy obfuscation that characterises the rest of the malware.

Introduction of new evasion mechanisms

To evade security products and operating system defences, the malware now terminates specific processes such as 'runlegacycplelevated.exe', which is associated with User Account Control (UAC), and patches the NtTraceEvent API in memory so that the process stops emitting the Event Tracing for Windows (ETW) events that security tools rely on.

Additionally, Raspberry Robin checks for monitoring by security products: for APIs such as 'GetUserDefaultLangID' and 'GetModuleHandleW' it compares the first byte of the function in memory against the expected value, looking for the inline hooks that endpoint protection places on such functions.

A notable new strategy is the use of routines built on APIs such as 'AbortSystemShutdownW' and 'ShutdownBlockReasonCreate' to hinder system shutdowns that could disrupt the malware's operations.

To obscure its real command and control (C2) addresses, the malware first contacts one of 60 hard-coded Tor domains, chosen at random, that point to well-known sites, so that its initial communications look innocuous.

The researchers anticipate ongoing evolution from Raspberry Robin, as it continues to augment its arsenal with new exploits, likely sourced from undisclosed code. Analysis of the malware suggests that its operators are likely not directly involved in the creation of these exploits, but rather connected to a developer who provides the code.

Check Point have released a report that provides a compilation of indicators of compromise for Raspberry Robin, including hashes for the malware, numerous Tor network domains, and the Discord URLs used to download the malicious archive.
