Recent versions of the Raspberry Robin malware have become more covert and employ one-day exploits that specifically target vulnerable systems.
One-day exploits refer to code that takes advantage of vulnerabilities in software that have been recently patched by the developer, but the fix has not been applied to all affected systems.
When a vendor discloses a vulnerability and releases a patch, threat actors quickly develop exploits for it and use them before the patch is widely deployed.
A recent report from Check Point reveals that Raspberry Robin has utilized at least two exploits for one-day vulnerabilities, indicating that the malware operator possesses the capability to develop such code or has access to external sources that provide it.
Details of Raspberry Robin Malware
Raspberry Robin malware is a worm that was initially detected by Red Canary, a managed detection and response company, in 2021. Its primary method of spreading is through removable storage devices, such as USB drives, which allows it to gain a foothold on infected systems and facilitate the deployment of additional malicious payloads.
Although Raspberry Robin has been associated with threat actors like EvilCorp, FIN11, TA505, the Clop ransomware gang, and other malware operations, the identity of its creators and maintainers remains unknown.
Since its discovery, Raspberry Robin malware has undergone continuous evolution, incorporating new features, evasion techniques, and adopting various distribution methods. One notable evasion tactic it employs is dropping fake payloads, which serves to mislead and confuse researchers during analysis.
According to Check Point’s findings, there has been a significant increase in Raspberry Robin’s activities since October 2023, with widespread attacks targeting systems globally. Notably, the malware has adopted a new approach in recent campaigns by utilizing the Discord platform to distribute malicious archive files to its targets, likely by sending email links.
These archives consist of a digitally signed executable called OleView.exe and a malicious DLL file named aclui.dll. When the victim runs OleView.exe, the signed executable loads the malicious DLL placed beside it (a DLL side-loading technique), thereby activating the Raspberry Robin malware on the system.
Targeting One-day Exploits
Upon execution, Raspberry Robin employs a range of one-day exploits to automatically attempt to gain elevated privileges on the targeted device. Check Point has identified a new Raspberry Robin campaign that exploits vulnerabilities, namely CVE-2023-36802 and CVE-2023-29360. These vulnerabilities involve local privilege escalation in Microsoft Streaming Service Proxy and the Windows TPM Device Driver, respectively.
Researchers have noted that Raspberry Robin malware began exploiting these vulnerabilities, using previously unknown exploits, within a month of their public disclosure. The vulnerabilities were made public on June 13 (CVE-2023-29360) and September 12, 2023 (CVE-2023-36802).
As illustrated in the timeline diagram, Raspberry Robin malware was exploiting the two vulnerabilities before security researchers had publicly shared proof-of-concept exploit code for them.
In the case of CVE-2023-36802, which allows attackers to escalate their privileges to the SYSTEM level, Cyfirma reported that an exploit had been available for purchase on the Dark Web as early as February 2023. This was seven months prior to Microsoft’s acknowledgment and resolution of the issue.
This timeline suggests that Raspberry Robin obtains one-day exploits from external sources shortly after disclosure, presumably because true zero-day exploits are prohibitively expensive even for larger cybercrime operations.
Check Point’s investigation supports the theory that Raspberry Robin acquires exploits from external sources. They discovered that the exploits utilized by Raspberry Robin were not integrated into the primary 32-bit component of the malware.
Instead, they were deployed as external 64-bit executables. Furthermore, these exploits lacked the usual heavy obfuscation commonly observed with this malware. Such findings suggest that Raspberry Robin malware obtains the exploits separately, highlighting its reliance on external sources for these specific attack vectors.
New Evasion Mechanisms of the Raspberry Robin Malware
According to Check Point’s report, the latest variants of Raspberry Robin have made significant advancements in their capabilities. These include the implementation of new mechanisms for anti-analysis, evasion, and lateral movement.
To bypass security tools and operating system defenses, the malware now employs tactics such as terminating specific processes like ‘runlegacycplelevated.exe,’ which is associated with User Account Control (UAC). Additionally, it patches the NtTraceEvent API to avoid detection by Event Tracing for Windows (ETW).
Moreover, Raspberry Robin malware has introduced additional techniques to enhance its evasion capabilities. It now includes checks to determine whether specific APIs, such as ‘GetUserDefaultLangID’ and ‘GetModuleHandleW,’ have been hooked. This is achieved by checking whether the first byte of the API function has been overwritten, allowing the malware to detect the monitoring hooks placed by security products.
Another noteworthy tactic is the implementation of routines utilizing APIs like ‘AbortSystemShutdownW’ and ‘ShutdownBlockReasonCreate.’ These routines prevent system shutdowns that could potentially interrupt the malicious activities of the malware.
In an effort to conceal its command and control (C2) addresses, Raspberry Robin employs a clever strategy. It randomly contacts one of 60 pre-defined Tor domains that point to well-known sites. This approach masks the initial communications, making them appear innocuous.
In a bid to enhance its stealth, Raspberry Robin has made a notable change by using PAExec.exe instead of PsExec.exe to download the payload directly from the hosting location. This decision was likely made to avoid detection, since PsExec.exe is widely abused by attackers and therefore draws scrutiny from security tools.
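Several of the behaviours described in this article (the OleView.exe/aclui.dll side-load, the termination of the UAC helper runlegacycplelevated.exe, and the switch to PAExec.exe) leave traces in ordinary endpoint telemetry. The following detection logic, written for this article as an added example rather than taken from Check Point's report or any product, runs three rules over constructed Sysmon-style events and correlates the hits per process. The event dictionaries, field names (image, image_loaded, granted_access, and so on) and sample paths are simplified assumptions made for the example, not Sysmon's real schema or real telemetry; the PROCESS_TERMINATE bit value is the genuine Windows access right.

```python
"""Added example: detection rules for Raspberry Robin behaviours named in the
article, evaluated over constructed Sysmon-style events (not real logs)."""
import ntpath
from collections import defaultdict
from dataclasses import dataclass

PROCESS_TERMINATE = 0x0001                 # real Windows process access right bit
SIDELOAD_DLLS = {"aclui.dll"}              # DLL the article names as the side-loaded payload
UAC_HELPER = "runlegacycplelevated.exe"    # UAC helper the article says the malware terminates

# Constructed sample telemetry. Event ids mirror Sysmon numbering only loosely:
# 1 = ProcessCreate, 7 = ImageLoad, 10 = ProcessAccess. Field names are assumptions.
EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Users\alice\Downloads\OleView.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": True},
    {"id": 7, "pid": 4100, "image": r"C:\Users\alice\Downloads\OleView.exe",
     "image_loaded": r"C:\Users\alice\Downloads\aclui.dll", "signed": False},
    {"id": 10, "source_pid": 4100, "source_image": r"C:\Users\alice\Downloads\OleView.exe",
     "target_image": r"C:\Windows\System32\runlegacycplelevated.exe",
     "granted_access": 0x1401},            # constructed mask that includes PROCESS_TERMINATE
    {"id": 1, "pid": 4300, "image": r"C:\Users\alice\AppData\Local\Temp\PAExec.exe",
     "parent_image": r"C:\Users\alice\Downloads\OleView.exe", "signed": True},
    # Benign control: the legitimate aclui.dll loaded from System32 by a system tool.
    {"id": 7, "pid": 900, "image": r"C:\Windows\System32\mmc.exe",
     "image_loaded": r"C:\Windows\System32\aclui.dll", "signed": True},
    # Benign control: the UAC helper opened with query-only rights, no terminate bit.
    {"id": 10, "source_pid": 1200, "source_image": r"C:\Windows\System32\taskmgr.exe",
     "target_image": r"C:\Windows\System32\runlegacycplelevated.exe",
     "granted_access": 0x1000},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def _under_windows(path: str) -> bool:
    """Simplification: treat anything below C:\\Windows\\ as a system location."""
    return ntpath.normcase(path).startswith("c:\\windows\\")


def detect(events) -> list:
    """Apply the three rules and return one Alert per matching event, in input order."""
    alerts = []
    for ev in events:
        if (ev["id"] == 7 and _base(ev["image_loaded"]) in SIDELOAD_DLLS
                and not _under_windows(ev["image_loaded"])):
            # A watch-listed DLL loaded from outside the Windows directory; note whether it
            # sits beside its host, the classic side-loading layout, and whether it is signed.
            same_dir = (ntpath.dirname(ev["image_loaded"]).lower()
                        == ntpath.dirname(ev["image"]).lower())
            alerts.append(Alert("dll_sideload", ev["pid"],
                                f"{_base(ev['image'])} loaded {ev['image_loaded']} "
                                f"(same directory: {same_dir}, signed: {ev['signed']})"))
        elif (ev["id"] == 10 and _base(ev["target_image"]) == UAC_HELPER
                and ev["granted_access"] & PROCESS_TERMINATE):
            # Only handles that carry the terminate right are interesting; query-only is noise.
            alerts.append(Alert("uac_helper_terminate", ev["source_pid"],
                                f"{_base(ev['source_image'])} requested PROCESS_TERMINATE "
                                f"on {UAC_HELPER}"))
        elif ev["id"] == 1 and _base(ev["image"]) == "paexec.exe":
            # PAExec is a legitimate admin tool; the alert records where it ran from and
            # its parent so the hit can be baselined against sanctioned use.
            alerts.append(Alert("paexec_launch", ev["pid"],
                                f"PAExec started from {ntpath.dirname(ev['image'])}, "
                                f"parent {_base(ev['parent_image'])}"))
    return alerts


def suspicious_pids(alerts, min_rules: int = 2) -> set:
    """Processes that triggered at least `min_rules` distinct rules."""
    rules_by_pid = defaultdict(set)
    for a in alerts:
        rules_by_pid[a.pid].add(a.rule)
    return {pid for pid, rules in rules_by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"[{a.rule}] pid={a.pid}: {a.detail}")
    print("processes hit by multiple rules:", suspicious_pids(found))
```

The two benign control events show why each rule needs its qualifier: aclui.dll is a real Windows DLL, so only loads from outside the Windows directory are flagged, and opening the UAC helper is harmless unless the handle carries the terminate right. In a real deployment the PAExec rule would be tuned against the paths and parent processes your administrators actually use.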
The researchers predict that Raspberry Robin will continue to evolve and incorporate new exploits into its arsenal. They believe that the malware operators are actively seeking non-publicly released code to stay ahead. Based on their analysis of the malware, it appears that the operators are not directly involved in developing the exploit code but are connected to a developer who provides it.
Check Point’s report includes a list of indicators of compromise for Raspberry Robin. These indicators include malware hashes, multiple domains within the Tor network, and Discord URLs used for downloading the malicious archive. These indicators can aid in identifying and responding to the presence of the malware.