Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe

Jan 03, 2023 | Ravie Lakshmanan | Post-Exploitation / Malware


Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while staying under the radar.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday.

The intrusions, observed against Spanish and Portuguese-speaking organizations, are notable for collecting more victim machine data than previously documented, with the malware now exhibiting sophisticated techniques to resist analysis.

Raspberry Robin, also known as QNAP worm, is being used by multiple threat actors as a means to gain a foothold in target networks. Spread via infected USB drives and other methods, the framework has recently been put to use in attacks aimed at the telecom and government sectors.

Microsoft is tracking the operators of Raspberry Robin under the moniker DEV-0856.

Security Joes' forensic investigation into one such attack has revealed the use of a 7-Zip file, which is downloaded from the victim's browser via social engineering and contains an MSI installer file designed to drop multiple modules.


In another instance, a ZIP file is said to have been downloaded by the victim through a fraudulent ad hosted on a domain that is known to distribute adware.

The archive file, hosted on a Discord server, contains encoded JavaScript code that, upon execution, drops a downloader protected with numerous layers of obfuscation and encryption to evade detection.

The shellcode downloader is primarily engineered to fetch additional executables, but it has also seen significant upgrades that allow it to profile its victims in order to deliver appropriate payloads, in some cases even resorting to a form of trickery by serving fake malware.

This involves collecting the host's Universally Unique Identifier (UUID), processor name, attached display devices, and the number of minutes that have elapsed since system startup, along with the hostname and username information that was already gathered by older versions of the malware.

The reconnaissance data is then encrypted using a hard-coded key and transmitted to a command-and-control (C2) server, which responds with a Windows binary that is then executed on the machine.

"Not only did we discover a version of the malware that's several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plaintext username and hostname, now has a robust RC4 encrypted payload," threat researcher Felipe Duarte said.
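The practical consequence of the RC4 change for incident responders is that a captured beacon body is opaque until the hard-coded key is pulled out of the sample, after which the same RC4 routine recovers the profiling fields described above. The following is an added illustration of that analysis step, not code from the Security Joes report or from the malware: the key, the `|`-separated field layout and the sample beacon are all constructed here, and the real Raspberry Robin wire format is not described on this page.

```python
"""Recover a captured RC4-encrypted beacon once the hard-coded key is known.

Added example for this article. The key, field layout and sample blob are
constructed; they are not Raspberry Robin's real values or format.
"""
from typing import Dict, List, Optional


def rc4_ksa(key: bytes) -> List[int]:
    """RC4 key-scheduling algorithm: permute 0..255 using the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. The cipher is symmetric: one call encrypts or decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for a key recovered from the sample by static analysis.
HARDCODED_KEY = b"example-key-not-real"

# Constructed field order covering the items the article says are collected.
FIELDS = ("hostname", "username", "uuid", "cpu", "displays", "uptime_min")


def parse_beacon(plaintext: bytes) -> Dict[str, str]:
    """Split a decrypted beacon into named fields (constructed '|' layout)."""
    parts = plaintext.decode("utf-8").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def decrypt_beacon(key: bytes, blob: bytes) -> Optional[Dict[str, str]]:
    """Decrypt and parse a captured beacon body.

    Returns None when the result is not a well-formed beacon, which is what a
    wrong key produces: RC4 has no integrity check, so a bad key simply yields
    random-looking bytes rather than an error from the cipher itself.
    """
    try:
        return parse_beacon(rc4(key, blob))
    except (UnicodeDecodeError, ValueError):
        return None


def build_sample_beacon() -> bytes:
    """Constructed ciphertext standing in for a beacon body lifted from a pcap."""
    plaintext = "|".join([
        "WS-FINANCE-07",                          # hostname (constructed)
        "j.doe",                                  # username (constructed)
        "6F9619FF-8B86-D011-B42D-00C04FC964FF",   # machine UUID (constructed)
        "Intel(R) Core(TM) i7",                   # processor name (constructed)
        "1",                                      # attached displays (constructed)
        "42",                                     # minutes since startup (constructed)
    ]).encode("utf-8")
    return rc4(HARDCODED_KEY, plaintext)


if __name__ == "__main__":
    captured = build_sample_beacon()
    print("with recovered key:", decrypt_beacon(HARDCODED_KEY, captured))
    print("with wrong key:    ", decrypt_beacon(b"guess", captured))
```

The `rc4` function can be checked against the published test vector (key `Key`, plaintext `Plaintext` gives `BBF316E8D940AF0AD3`) before it is trusted on real captures. The wrong-key path matters in practice: because RC4 provides no authentication, a decryption attempt never fails loudly, so the parser's field-count and UTF-8 checks are the only signal that the key extracted from the sample was correct.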
