Hacking groups are using a new version of the Raspberry Robin framework to attack Spanish- and Portuguese-speaking financial institutions, and its complexity has been significantly upgraded, researchers said this week.
According to a Jan. 2 report from cybersecurity firm Security Joes, the group has used the same QNAP server for several rounds of attacks, but victim data is no longer sent in plaintext; it is now RC4-encrypted, and the downloader mechanism has been updated with new anti-analysis capabilities, including more obfuscation layers.
Raspberry Robin is a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target’s network, acting as a loader for other malware. Since being spotted nesting in corporate networks in May, it has gone on to rapidly infect thousands and thousands of endpoints — and the species is rapidly evolving.
The threat actor behind the worm is thought to be part of a larger ecosystem facilitating pre-ransomware activity and is considered one of the largest malware distribution platforms currently active. Researchers recently linked it to Evil Corp, for instance, thanks to its significant similarities to the Dridex malware loader.
“What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble,” the research team wrote.
Upgraded Malware Version Takes Flight
In the latest iteration, the malware protection mechanism has been upgraded to deploy at least five layers of protection before the malicious code is deployed, including a first-stage packer to obscure the code of the next stages of the attack followed by a shellcode loader.
The next three layers include a second-stage loader DLL, intermediate shellcode, and finally the shellcode downloader. This complex framework makes the worm more difficult to detect and simultaneously eases lateral movement through networks, the researchers explained.
The research also indicated that Raspberry Robin operators have begun to collect more data about their victims than earlier reported.
“Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4 encrypted payload,” wrote senior threat researcher Felipe Duarte, who led the investigation.
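To make the beaconing change concrete for defenders, the following Python example (added here, not code from Security Joes or from the malware) contrasts the two beacon styles the researcher describes: a URL carrying a plaintext username and hostname, which a simple string-match detection catches, and a URL carrying an RC4-encrypted blob, which defeats that match and can only be read back once an analyst has recovered the key. The key, the URL scheme, the `d=` parameter name and the `user=...&host=...` field layout are all constructed for illustration and are not Raspberry Robin's real key or format.

```python
"""Plaintext vs RC4-encrypted C2 beacon: a defender-side decoding demo.

Everything below (key, hostname, parameter name, field layout) is CONSTRUCTED
for illustration; it is not the real Raspberry Robin key, URL or format.
"""
import base64
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical key an analyst would recover while reverse-engineering a sample.
DEMO_KEY = b"demo-recovered-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: one call encrypts or decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Old-style detection: plaintext victim fields visible in the query string.
PLAINTEXT_BEACON_RE = re.compile(r"[?&](?:user|host)=")


def looks_like_plaintext_beacon(url: str) -> bool:
    """True if the URL exposes username/hostname fields in cleartext."""
    return bool(PLAINTEXT_BEACON_RE.search(url))


def decode_encrypted_beacon(url: str, key: bytes) -> dict:
    """Decrypt the (constructed) 'd' parameter: base64 of RC4 ciphertext,
    plaintext laid out as key=value pairs joined by '&'."""
    query = parse_qs(urlparse(url).query)
    blob = base64.urlsafe_b64decode(query["d"][0])
    plain = rc4(key, blob).decode()
    return dict(pair.split("=", 1) for pair in plain.split("&"))


def make_encrypted_beacon(fields: dict, key: bytes) -> str:
    """Build a sample encrypted beacon so the demo runs offline (constructed)."""
    plain = "&".join(f"{k}={v}" for k, v in fields.items()).encode()
    blob = base64.urlsafe_b64encode(rc4(key, plain)).decode()
    return f"http://c2.example.invalid/beacon?d={blob}"


# Constructed sample traffic: the same victim fields, old style and new style.
OLD_BEACON = "http://c2.example.invalid/beacon?user=jdoe&host=WS-01"
NEW_BEACON = make_encrypted_beacon({"user": "jdoe", "host": "WS-01"}, DEMO_KEY)

if __name__ == "__main__":
    print("old beacon matches plaintext rule:", looks_like_plaintext_beacon(OLD_BEACON))
    print("new beacon matches plaintext rule:", looks_like_plaintext_beacon(NEW_BEACON))
    print("new beacon decoded with recovered key:",
          decode_encrypted_beacon(NEW_BEACON, DEMO_KEY))
```

The point for detection engineering is the asymmetry: the plaintext rule fires on the old beacon and stays silent on the new one, so a team that relied on URL string matches for the earlier variant needs either the recovered key (to decrypt and alert on the fields) or an indicator that does not depend on the payload contents, such as the beacon endpoint itself or the request pattern.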
In one case, the research team documented how a 7-Zip file was downloaded from the victim’s browser, potentially from a malicious link or attachment that tricked the user into acting.
“Upon inspection, the archive was found to be an MSI installer that, when executed, drops several files onto the victim’s machine,” the report noted.
In a second case, the malicious payload was hosted on a Discord server, which was used by the threat actors to deliver malware onto the victim’s machine, to avoid detection and bypass security controls.
“In the cases we investigated, threat actors decided to implement additional validations on their backend to have a better segmentation and visibility of their targets,” the report noted. “This allows them to filter bots running in sandboxes, analyze environments and respond to any other circumstance that could interfere with a segment of the botnet operation, to fix it in real-time.”
Raspberry Robin Makes the Rounds
The threat is flighty, following a pattern of appearing, disappearing, then reappearing with significantly upgraded capabilities.
Security firm Red Canary first analyzed and named Raspberry Robin in May, noting that it was infecting targets via malicious USB drives and worming to other endpoints — but then remaining dormant.
Subsequent reports then found the Raspberry Robin worm to have added 10 layers of obfuscation and fake payloads in order to launch attacks against telecommunications companies and governments across Australia, Europe, and Latin America, according to a December research report from Trend Micro.
Soon after, it came to the attention of other researchers, including IBM Security and the Microsoft Security Threat Intelligence Center (MSTIC); the latter is monitoring the operators of the Raspberry Robin worm under the moniker DEV-0856.