Raspberry Robin malware has advanced, gaining access to Windows exploits ahead of schedule

Recent iterations of Raspberry Robin malware have become more covert, integrating one-day exploits that are deployed selectively on vulnerable systems. A one-day exploit targets a vulnerability that the vendor has already patched but that remains unpatched on some systems; threat actors develop such exploits quickly after disclosure so they can use them before patches are widely deployed.

Check Point’s report reveals that Raspberry Robin has recently utilized at least two exploits targeting one-day vulnerabilities, suggesting either the capability to develop such code or access to external sources providing it. Raspberry Robin, initially identified by Red Canary in 2021, propagates mainly via removable storage devices like USB drives, establishing a foothold on infected systems to facilitate additional payload deployment.

Although associated with various threat actors, Raspberry Robin’s creators and maintainers remain unidentified. The malware has continuously evolved, incorporating new features, evasion tactics, and distribution methods. Notably, recent campaigns have seen a surge in activity, with large-scale attacks globally. One significant shift is the use of Discord to disseminate malicious archive files, likely after sending links via email.

Upon execution, Raspberry Robin attempts to elevate privileges on the host system using one-day exploits. The latest campaign exploits vulnerabilities such as CVE-2023-36802 and CVE-2023-29360, targeting Microsoft Streaming Service Proxy and Windows TPM Device Driver, respectively. Check Point notes that Raspberry Robin exploited these flaws shortly after their public disclosure, indicating access to timely exploit resources.

The malware’s evasion techniques have also advanced, including the termination of specific processes, patching API calls, and thwarting system shutdown attempts. Raspberry Robin conceals its command and control (C2) communications by randomly connecting to predefined Tor domains before establishing contact with the actual C2 server. Furthermore, the malware now utilizes PAExec.exe instead of PsExec.exe for payload retrieval, likely to enhance stealth.

Check Point anticipates Raspberry Robin’s continued evolution, with the addition of new exploits to its arsenal. The malware operators likely obtain exploit code from external sources, as evidenced by their rapid adoption of newly disclosed vulnerabilities. Check Point provides indicators of compromise for identifying Raspberry Robin infections, including malware hashes, Tor network domains, and Discord URLs hosting malicious archives.
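The behaviours described above (execution from removable media, PAExec/PsExec-style remote execution for payload retrieval, lookups of Tor domains before C2 contact, and archives delivered from Discord) can be correlated per host rather than alerted on one at a time. The script below is an added example written for this page, not Check Point's or Red Canary's tooling: every indicator value, the key=value log format and the sample log lines are constructed placeholders, and the "any drive letter other than C: is removable" rule is an assumption for illustration. Real hashes, Tor domains and Discord URLs come from the Check Point report.

```python
"""Per-host triage of Raspberry Robin-style behaviours over constructed log lines.

Added example, not the report's tooling. Indicator values below are placeholders.
"""
import re
from collections import defaultdict

# Constructed placeholder indicators (replace with the report's real IoCs).
TOR_C2_DOMAINS = {"placeholder-c2-a.onion", "placeholder-c2-b.onion"}
# The article notes a switch from PsExec.exe to PAExec.exe; watch both.
REMOTE_EXEC_TOOLS = {"paexec.exe", "psexec.exe"}
# Archive downloaded from the Discord CDN (constructed pattern).
DISCORD_ARCHIVE_RE = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/\S+?\.(?:zip|rar|7z)\b", re.IGNORECASE)
# Assumption for this example only: C: is the sole fixed disk, any other letter is removable.
REMOVABLE_PATH_RE = re.compile(r"^[D-Z]:\\", re.IGNORECASE)

# Constructed log format: space-separated key=value fields, e.g.
#   host=WS02 type=process image=E:\RECYCLER\update.exe parent=explorer.exe
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def tag_event(fields):
    """Return the set of behaviour tags a single parsed event matches."""
    tags = set()
    kind = fields.get("type")
    if kind == "process":
        image = fields.get("image", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in REMOTE_EXEC_TOOLS:
            tags.add("remote_exec_tool")
        if REMOVABLE_PATH_RE.match(image):
            tags.add("exec_from_removable")
    elif kind == "dns":
        query = fields.get("query", "").lower().rstrip(".")
        if query in TOR_C2_DOMAINS or query.endswith(".onion"):
            tags.add("tor_c2_lookup")
    elif kind == "url":
        if DISCORD_ARCHIVE_RE.search(fields.get("url", "")):
            tags.add("discord_archive")
    return tags


def scan_log(lines):
    """Accumulate behaviour tags per host across all lines."""
    per_host = defaultdict(set)
    for line in lines:
        fields = parse_line(line)
        host = fields.get("host")
        if host:
            per_host[host] |= tag_event(fields)
    return dict(per_host)


def severity(tags):
    """Rate a host by how many stages of the described chain are visible.

    C2 lookup combined with any delivery or lateral-movement behaviour is the
    strongest signal; isolated matches stay low to keep noise down.
    """
    staging = {"exec_from_removable", "remote_exec_tool", "discord_archive"}
    if "tor_c2_lookup" in tags and tags & staging:
        return "high"
    if len(tags) >= 2:
        return "medium"
    return "low" if tags else "none"


def triage(lines):
    """Map host -> (severity, sorted tag list)."""
    return {h: (severity(t), sorted(t)) for h, t in scan_log(lines).items()}


# Constructed sample telemetry; not real events.
SAMPLE_LOG = [
    r"host=WS01 type=url url=https://cdn.discordapp.com/attachments/1111/2222/invoice.zip",
    r"host=WS01 type=process image=C:\Windows\System32\cmd.exe",
    r"host=WS02 type=process image=E:\RECYCLER\update.exe parent=explorer.exe",
    r"host=WS02 type=process image=C:\Users\Public\paexec.exe",
    r"host=WS02 type=dns query=placeholder-c2-a.onion",
    r"host=WS03 type=dns query=www.example.com",
]

if __name__ == "__main__":
    for host, (sev, tags) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host}: {sev} {tags}")
```

Running the script rates WS02 as high (removable-media execution, PAExec launch and a Tor lookup on one host), WS01 as low (a single Discord archive download) and WS03 as none. Swapping the placeholder sets for the report's published indicators and feeding real process, DNS and proxy events in the same shape is the intended use.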
