
Raspberry Robin Upgrades to Target Financial and Insurance Services in Europe

Since it first surfaced in September 2021, the Raspberry Robin worm has been under continuous development, gaining new functionality with each iteration. In the latest update, Security Joes found a highly obfuscated variant of the malware targeting financial and insurance services organizations in Europe.

Diving into details

With the new upgrades, the operators are collecting noticeably more victim data than before, especially from Portuguese- and Spanish-speaking organizations.
  • Security Joes analyzed one such attack and found that the attackers delivered, via the victim's browser, a 7-Zip archive containing an MSI installer designed to drop multiple modules.
  • In another finding, the attackers tricked a victim into downloading a ZIP file through a fraudulent ad displayed on a malicious domain.
  • That archive, fetched from a Discord server, contained encoded JavaScript that drops a downloader hidden under multiple layers of obfuscation and encryption.

Furthermore, this variant is considerably more complex than earlier builds, and its C2 beacons carry an RC4-encrypted payload.
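To make concrete what an RC4-encrypted beacon means for an analyst, here is an added stand-alone RC4 round-trip in Python. It is example code written for this page, not Raspberry Robin's code or Security Joes' tooling; the key, the beacon's JSON layout and the candidate-key list are constructed assumptions. Because RC4 is a keystream XOR, one routine both wraps and unwraps a beacon, and the last helper shows the usual analyst check: try candidate keys (for instance strings pulled from the sample) until one turns a captured beacon into parseable plaintext.

```python
# Added example (not Raspberry Robin's code or Security Joes' tooling):
# a stand-alone RC4 round-trip used to unwrap a constructed C2 beacon.
# The key, the beacon's JSON layout and the candidate-key list are
# assumptions made for illustration only.
import json
from typing import Optional

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call both encrypts and decrypts."""
    # Key-scheduling algorithm (KSA): permute S under the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): XOR data with keystream
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

ASSUMED_KEY = b"example-beacon-key"  # assumption: not a key used by the malware

def build_beacon(profile: dict, key: bytes = ASSUMED_KEY) -> bytes:
    """Constructed beacon: a JSON victim profile wrapped with RC4."""
    return rc4(key, json.dumps(profile, sort_keys=True).encode("utf-8"))

def decode_beacon(blob: bytes, key: bytes = ASSUMED_KEY) -> Optional[dict]:
    """Unwrap a beacon; None when the key does not yield a valid JSON object."""
    plain = rc4(key, blob)
    try:
        obj = json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return obj if isinstance(obj, dict) else None

def find_key(blob: bytes, candidates) -> Optional[bytes]:
    """Analyst check: which candidate key (e.g. strings pulled from the
    sample) turns the captured beacon into parseable plaintext?"""
    for key in candidates:
        # empty keys are skipped: RC4's KSA cannot index into them
        if key and decode_beacon(blob, key) is not None:
            return key
    return None

if __name__ == "__main__":
    # constructed victim profile, not data from a real infection
    victim = {"host": "WS01", "locale": "pt-PT", "domain": "corp.example"}
    blob = build_beacon(victim)
    print("beacon bytes:", blob.hex())
    print("recovered key:", find_key(blob, [b"wrong", b"", ASSUMED_KEY]))
    print("profile:", decode_beacon(blob))
```

The `rc4` routine is checked against the standard test vector (key `Key`, plaintext `Plaintext`), so the same function can be dropped into a triage script for any RC4-wrapped traffic once a key candidate has been recovered from the sample.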

Discussing the upgrades

Raspberry Robin has reportedly upgraded its post-exploitation capabilities, including detection evasion, lateral movement, and the abuse of trusted cloud infrastructure such as Discord, GitHub, and Azure.
  • Its developers have added further code obfuscation and other anti-analysis features to evade security tools.
  • The malware's protection mechanism wraps the real payload in at least five layers that must be unwrapped before the malicious code executes.
  • The shellcode downloader, which previously fetched additional executables, can now select payloads according to the victim profile and sometimes delivers decoy (fake) malware instead of the real one.
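The delivery chain above (archives fetched through the browser and from a Discord server, installers and encoded JavaScript inside them) and the abuse of Discord, GitHub, and Azure suggest one cheap detection angle: archive or installer downloads from content-hosting platforms. The following is an added example written for this page, not code from Security Joes or from the malware; the hosting-domain list, the log layout and the sample lines are constructed assumptions, not Raspberry Robin indicators, and the list should be replaced with what your own telemetry shows.

```python
# Added example, not code from the page or from Security Joes: a proxy-log
# triage pass that surfaces archive/installer downloads from content-hosting
# platforms the write-up says the worm abuses (Discord, GitHub, Azure).
# Domain list, log format and the sample lines are constructed assumptions,
# not Raspberry Robin indicators.
import re
from urllib.parse import urlparse

# Assumed set of hosting platforms; extend from your own telemetry.
HOSTING_DOMAINS = ("discordapp.com", "discord.com", "github.com",
                   "githubusercontent.com", "blob.core.windows.net")
# Payload containers named in the write-up (7-Zip, ZIP, MSI, JS) plus RAR.
ARCHIVE_EXT = re.compile(r"\.(7z|zip|rar|msi|js)$", re.IGNORECASE)
# Assumed line layout: "<timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

def hosted_on(host: str, domains=HOSTING_DOMAINS) -> bool:
    """True if host is one of the listed domains or a subdomain of one.
    Exact suffix matching avoids false hits like 'notdiscord.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(lines):
    """Return (client, url) pairs for archive fetches from hosting platforms."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        parsed = urlparse(m.group("url"))
        host = parsed.hostname or ""
        if hosted_on(host) and ARCHIVE_EXT.search(parsed.path):
            hits.append((m.group("client"), m.group("url")))
    return hits

# Constructed sample log; clients, hosts and paths are placeholders.
SAMPLE_LOG = [
    "2023-01-10T09:12:01Z 10.0.4.21 GET https://cdn.discordapp.com/attachments/1/2/invoice.zip",
    "2023-01-10T09:12:07Z 10.0.4.21 GET https://cdn.discordapp.com/attachments/1/2/logo.png",
    "2023-01-10T09:14:30Z 10.0.4.33 GET https://example.com/docs/report.pdf",
    "2023-01-10T09:15:02Z 10.0.4.33 GET https://raw.githubusercontent.com/u/r/main/update.msi",
    "2023-01-10T09:16:44Z 10.0.4.50 GET https://notdiscord.com/files/tool.7z",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, url in triage(SAMPLE_LOG):
        print(f"{client} fetched {url}")
```

Run on its own the script flags only the ZIP from the Discord CDN and the MSI from GitHub's raw content host; the PNG, the unrelated PDF, the look-alike domain and the malformed line are left alone. Pair the hits with endpoint telemetry (an archive extraction or `msiexec` launch on the same client shortly after) before escalating, since legitimate downloads from these platforms are common.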

Raspberry Robin in the news

In December 2022, the worm was observed using new detection evasion tactics, including the delivery of decoy (fake) malware.
  • Between October and November 2022, Raspberry Robin targeted telecommunications providers and government entities in Australia, Argentina, India, France, Brazil, Mexico, Colombia, and Croatia.
  • The real payload in that campaign was buried under 10 layers of obfuscation and embedded a custom Tor client for its communication.

The bottom line

Raspberry Robin has steadily expanded its capabilities and grown into a notorious threat. Security Joes has published the IOCs that analysts at European financial and insurance services organizations need in order to update their defenses against it.
Publisher: Cyware