
Raspberry Robin Malware Uses N-Day Exploits, Advanced Evasion

Recent iterations of the Raspberry Robin malware have raised alarm among cybersecurity experts due to their increased stealth and utilization of one-day (n-day, or known) exploits targeting vulnerable systems. These exploits, designed to leverage recently patched vulnerabilities, capitalize on delays in patch deployment, presenting a significant challenge for defenders.


Raspberry Robin Details

Name: Raspberry Robin
Type: Malware, Worm

Technical Overview of Raspberry Robin

Raspberry Robin, initially identified by Red Canary in 2021, operates as a worm primarily transmitted through removable storage devices like USB drives. While its creators remain unidentified, the malware has been linked to various threat actors, including known ransomware gangs such as EvilCorp and FIN11. Over time, Raspberry Robin has evolved, incorporating new evasion techniques and distribution methods, such as dropping malicious archive files via Discord.

Exploiting N-Day Vulnerabilities

Recent campaigns of Raspberry Robin have demonstrated a sophisticated approach to exploiting n-day flaws, such as CVE-2023-36802 and CVE-2023-29360, targeting Microsoft Streaming Service Proxy and the Windows TPM Device Driver, respectively. Notably, the malware began leveraging these vulnerabilities shortly after their public disclosure, indicating swift adaptation and access to exploit code sources.

Check Point’s report highlights that Raspberry Robin started exploiting these vulnerabilities, using exploits not previously seen in the wild, less than a month after their public disclosure on June 13 and September 12, 2023. This rapid turnaround suggests that the operators of the malware obtain exploit code soon after disclosure, likely from external vendors or underground markets.

Regarding CVE-2023-36802, which allows attackers to elevate privileges to the SYSTEM level, an exploit had reportedly been available for purchase on the Dark Web since February 2023, several months before Microsoft acknowledged and addressed the issue. This timeline shows Raspberry Robin’s agility in acquiring and utilizing exploits shortly after their disclosure.

Using Advanced Evasion Tactics

In addition to exploiting vulnerabilities, the malware has evolved its evasion tactics to bypass security measures effectively. It terminates specific processes related to User Account Control (UAC) and patches APIs to evade detection by security products. Moreover, the malware employs tactics to prevent system shutdowns, ensuring uninterrupted malicious activity.

Check Point’s report also notes that Raspberry Robin now checks whether certain APIs, such as ‘GetUserDefaultLangID’ and ‘GetModuleHandleW’, have been hooked by a security product: it inspects the first byte of each API function for the signs of an inline hook that a monitoring tool would place there. This indicates a proactive approach by the malware to evade detection by security tools.

To conceal its communications, the threat utilizes Tor domains to make its initial connections appear innocuous. Furthermore, the malware now employs PAExec.exe instead of PsExec.exe for payload downloads, enhancing its stealth capabilities and evading detection.
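A defender-side illustration of the PAExec/PsExec indicator above, added here as an example and not taken from Check Point’s report or any vendor tool: it scans process-creation events for the remote-execution tools the malware uses and adds weight when the tool runs from removable media (the worm’s USB vector) or references a remote path. The event records, drive letters and hostname are constructed.

```python
import re
from pathlib import PureWindowsPath

# Image names of the tooling the article describes (PAExec replacing PsExec);
# the PsExec64 variant is included as an assumption.
REMOTE_EXEC_TOOLS = {"paexec.exe", "psexec.exe", "psexec64.exe"}
# Constructed set of drive letters the host reports as removable media; a real
# sensor would take this from the device inventory instead of hard-coding it.
REMOVABLE_DRIVES = {"E:", "F:"}
# UNC target (\\host) or URL in the command line.
UNC_OR_URL = re.compile(r"\\\\[^\\\s]+|https?://", re.IGNORECASE)

def classify_event(event):
    """Return the reasons a process-creation event looks like
    Raspberry-Robin-style use of a remote-execution tool (empty if benign)."""
    image = PureWindowsPath(event["Image"])
    reasons = []
    if image.name.lower() in REMOTE_EXEC_TOOLS:
        reasons.append(f"remote-exec tool launched: {image.name}")
        if image.drive.upper() in REMOVABLE_DRIVES:
            reasons.append("tool executed from removable media")
        if UNC_OR_URL.search(event.get("CommandLine", "")):
            reasons.append("command line references a remote path or URL")
    return reasons

def scan(events):
    """Flatten (ProcessId, reason) pairs for every flagged event."""
    return [(e["ProcessId"], r) for e in events for r in classify_event(e)]

# Constructed Sysmon-style process-creation records used as sample input.
EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 1002, "Image": r"E:\PAExec.exe",
     "CommandLine": r"E:\PAExec.exe \\WORKSTATION-7 cmd.exe"},
    {"ProcessId": 1003, "Image": r"C:\Tools\PsExec.exe",
     "CommandLine": "PsExec.exe -s cmd.exe"},
]

if __name__ == "__main__":
    for pid, reason in scan(EVENTS):
        print(pid, reason)
```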

Raspberry Robin’s Evolution: Conclusion

As Raspberry Robin continues to evolve, it poses a persistent threat to cybersecurity. With its ability to quickly adapt to new vulnerabilities and evade detection, defending against it requires proactive measures. Check Point’s report offers indicators of compromise to help organizations identify and mitigate the threat posed by Raspberry Robin.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
