Even as the Raspberry Robin malware continues to be refined to become stealthier, its operators are already using two additional one-day exploits to achieve local privilege escalation. According to a Check Point analysis, this indicates that "Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period."
Raspberry Robin is an evasive malware family that has become one of the most prominent initial access facilitators for other malicious payloads. Microsoft tracks the threat actor responsible for distributing it through several entry vectors as Storm-0856, and describes the malware as part of a "Complex & Interconnected Malware Ecosystem" with ties to other cybercrime groups.
Check Point first highlighted Raspberry Robin's use of one-day flaws such as CVE-2020-1054 and CVE-2021-1732 for privilege escalation in April 2023. Since then, the company says, the threat actors have adopted additional anti-analysis and obfuscation techniques to evade detection and analysis.
"Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed. When those one-day exploits were used, they were not made public at the time. One of the vulnerabilities' exploits, CVE-2023-36802, was also sold on the dark web and exploited as a zero-day attack in the wild," it stated.
A separate report found that an exploit for CVE-2023-36802 was being advertised on dark web forums in February 2023, seven months before Microsoft and CISA published an advisory on its active exploitation. Microsoft patched the flaw in September 2023.
Raspberry Robin is reported to have begun using an exploit for that flaw sometime in October 2023, the same month that public exploit code for it was released. The second vulnerability, CVE-2023-29360, was publicly disclosed in June 2023, but an exploit for it did not appear publicly until September 2023.
Because these exploits are deployed as a separate 64-bit executable and are not obfuscated as heavily as the malware's core module, Check Point assesses that the threat actors purchase the exploits rather than develop them in-house.
"Raspberry Robin's ability to quickly incorporate newly disclosed exploits into its arsenal further demonstrates a significant threat level, exploiting vulnerabilities before many organizations have applied patches," the company said.
Another significant change concerns the initial access pathway, which now leverages malicious RAR archive files containing Raspberry Robin samples hosted on Discord. The latest versions also change the lateral movement mechanism, which now uses PAExec.exe instead of PsExec.exe, and the command-and-control (C2) communication method, which selects a V3 onion address at random from a list of 60 hardcoded onion addresses.
"It starts with trying to contact legitimate and well-known Tor domains and checking if it gets any response. If there is no response, Raspberry Robin doesn't try to communicate with the real C2 servers," Check Point said.
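The two C2 behaviours described above (random selection from a hardcoded list of V3 onion addresses, and a reachability check against well-known Tor domains that gates any contact with the real C2) can be modelled to help an analyst triage addresses pulled from a sample and to understand why a sandbox without Tor egress never sees the real C2 traffic. The following is an added example written for this page, not code from Raspberry Robin or from Check Point's analysis. The onion addresses it works on are generated here from dummy keys and are not real infrastructure; the V3 address format (32-byte ed25519 key, 2-byte SHA3-256 checksum, version byte 0x03, base32-encoded) follows the public Tor rend-spec-v3, and the `probe` callback is an assumed stand-in for whatever connectivity test the malware performs.

```python
import base64
import hashlib
import random
import re
from typing import Callable, Iterable, List

# A V3 onion is 56 base32 characters (35 bytes) followed by ".onion".
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")
ONION_VERSION = b"\x03"


def _v3_checksum(pubkey: bytes) -> bytes:
    # rend-spec-v3: CHECKSUM = H(".onion checksum" | PUBKEY | VERSION)[:2], H = SHA3-256
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]


def make_v3_onion(pubkey: bytes) -> str:
    """Build a V3 .onion address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("V3 onion requires a 32-byte ed25519 public key")
    raw = pubkey + _v3_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode().lower() + ".onion"


def is_valid_v3_onion(addr: str) -> bool:
    """True iff addr is well-formed and its embedded checksum and version byte verify."""
    if not ONION_V3_RE.match(addr):
        return False
    raw = base64.b32decode(addr[:-len(".onion")].upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_VERSION and checksum == _v3_checksum(pubkey)


def triage_c2_list(candidates: Iterable[str]) -> List[str]:
    """Keep only entries that are genuine V3 onions; drops decoys, v2-style and corrupted strings."""
    return [c for c in candidates if is_valid_v3_onion(c)]


def pick_c2(candidates: Iterable[str], rng: random.Random) -> str:
    """Mirror the article's selection step: choose one valid onion at random from the hardcoded list."""
    valid = triage_c2_list(candidates)
    if not valid:
        raise ValueError("no valid V3 onion addresses in list")
    return rng.choice(valid)


def should_contact_c2(probe: Callable[[str], bool], tor_domains: Iterable[str]) -> bool:
    """Mirror the gating step: only proceed to the real C2 if some well-known Tor domain responds.

    `probe` is an assumed stand-in for the malware's connectivity test; it is injected so the
    logic can be exercised offline (a sandbox without Tor egress makes every probe fail).
    """
    return any(probe(domain) for domain in tor_domains)


# Constructed sample list, as an analyst might extract it from a sample's strings.
# Valid entries come from deterministic dummy keys (NOT real infrastructure); the last two
# entries are a v2-style address and a V3 address with its version byte corrupted.
SAMPLE_ONIONS = [
    make_v3_onion(hashlib.sha256(f"dummy-key-{i}".encode()).digest()) for i in range(5)
]
CORRUPTED_ONION = SAMPLE_ONIONS[0][:55] + "a.onion"  # every V3 onion ends in "d" (version 0x03)
EXTRACTED_STRINGS = SAMPLE_ONIONS + ["abcdefghijklmnop.onion", CORRUPTED_ONION]

# Assumed list of well-known Tor domains used purely as a reachability canary.
KNOWN_TOR_DOMAINS = ["torproject.org", "check.torproject.org"]


if __name__ == "__main__":
    print("valid C2 candidates:", len(triage_c2_list(EXTRACTED_STRINGS)), "of", len(EXTRACTED_STRINGS))
    print("selected C2:", pick_c2(EXTRACTED_STRINGS, random.Random(7)))
    # Sandbox with no Tor egress: every probe fails, so the real C2 is never contacted.
    print("contact C2 (no egress):", should_contact_c2(lambda d: False, KNOWN_TOR_DOMAINS))
    print("contact C2 (egress ok):", should_contact_c2(lambda d: d == "torproject.org", KNOWN_TOR_DOMAINS))
```

Two practical takeaways: the checksum and version byte make it cheap to separate real V3 onions from padding or decoy strings when carving the 60-entry list out of a sample, and the gating step means dynamic analysis must allow (or convincingly simulate) responses from well-known Tor domains before the real C2 selection and traffic will ever be observed.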