Other Hackers can Repurpose Raspberry Robin Botnet's Infrastructure

Diving into details

• When a USB drive is inserted and a Windows shortcut (.LNK) file is launched, the msiexec utility is activated, downloading the main obfuscated Raspberry Robin payload from the QNAP instance.
• The use of msiexec to send out HTTP requests to fetch the malware renders it susceptible to hijacking these requests to download another rogue MSI payload, via DNS hijacking attacks or by buying expired known domains.
• Researchers discovered over 270 domain names utilized by this intrusion set, which have been active since the creation of the botnet in July 2021 and were still in use by the end of 2022.

Why this matters

• Raspberry Robin's infrastructure domain resolutions change frequently, moving from one compromised QNAP to another.
• New resolutions occur daily, resulting in new compromised QNAPs being added.
• This constant change makes it challenging for operators to effectively track or neutralize it through sinkholing or tapping methods.
• SEKOIA.IO analysts suspect that Raspberry Robin will remain active, even after domain names expire, as thousands of USB thumb drives have been compromised by it.
• This could potentially lead to a second life for the botnet, as other cybercriminals may take advantage of the existing infrastructure.

That’s not all!

• Earlier this month, researchers discovered a highly-obfuscated Raspberry Robin variant targeting financial and insurance services in Europe. 
• The malware protection mechanism in this variant has at least five layers before the actual malicious code is executed. 
• In December 2022, the malware was observed implementing new detection evasion methods by hiding behind multiple obfuscation layers and a fake payload. 
• Between October and November, 2022, QNAP worm targeted government and telecom entities in Australia, Mexico, India, Argentina, Croatia, Brazil, Italy, Colombia, and France. 

The bottom line