Raspberry Robin Keeps Riding the Wave of Endless Zero-days

Researchers from Checkpoint have released a new report on the evolution of Raspberry Robin malware. The latest strains are stealthier and implement various 1-day exploits that are deployed on specific vulnerable systems. 1-day exploits are similar to zero-day exploits, but have a public disclosure and/or patch available by the vendor. Even though a patch may be available, threat actors will exploit these vulnerabilities soon after disclosure, before victims have installed the patch.

Checkpoint says Raspberry Robin has recently used at least two exploits for 1-day flaws, which shows a level of developmental sophistication either by the operator or from sources assisting in it’s creation. From the moment the vendor discloses the vulnerability, which usually comes with publishing a patch, threat actors rush to create an exploit and use it before the fix propagates to a large number of systems. This has been true for Raspberry Robin malware, which has implemented the exploitations in recent campaigns.

The malware shows a high level of sophistication and steady evolutions, adding new features, evasion techniques, and adopting several distribution methods. Recently, the malware as seen dropping fake payloads to confuse security researchers.

Security Officer Comments:
Raspberry Robin was first discovered in 2021, it typically spreads via removable storage devices like USBs to establish persistence on infected systems, and eventually drops additional payloads. It has been associated with several threat actors, notably EvilCorp, FIN11, TA505, and the Clop ransomware group. It’s creators and maintainers are unknown.

Since October of 2023, Checkpoint says they noticed large waves of attacks targeting systems worldwide. This latest campaign, which appears to be opportunistic and financially motivated, is using Discord to drop malicious archive files onto victim systems, after emailing the links to the target.

The archives contain a digitally signed executable (OleView[.]exe) and a malicious DLL file (aclui[.]dll) that is side-loaded when the victim runs the executable, thus activating Raspberry Robin in the system.

After Raspberry Robin is executed on the system, it will elevate it’s privileges using recent 1-day exploits, based on the victims environment. Check Point highlights that the new Raspberry Robin campaign leverages exploits for CVE-2023-36802, and CVE-2023-29360, two local privilege escalation vulnerabilities in Microsoft Streaming Service Proxy and the Windows TPM Device Driver. In both cases, the researchers say, Raspberry Robin started exploiting the flaws using a then-unknown exploit less than a month after the security issues were disclosed publicly, on June 13 and September 12, 2023.

Checkpoint believes the developers of Raspberry Robin are acquiring the 1-day exploits from external sources almost immediately after their disclosure. Zero-days with no disclosure or patching may be too sophisticated for the group to discover, or too expensive to purchase even for the larger cybercrime operation.

Aside from the 1-day exploits, Raspberry Robin has also added several new tools for defense evasion:

  • To evade security tools and OS defenses, the malware now attempts to terminate specific processes like 'runlegacycplelevated.exe,' related to Use Account Control (UAC), and patches the NtTraceEvent API to evade detection by Event Tracing for Windows (ETW).
  • Raspberry Robin now checks if certain APIs, like 'GetUserDefaultLangID' and 'GetModuleHandleW', are hooked by comparing the first byte of the API function to detect any monitoring processes by security products.
  • Implementation of routines that use APIs like 'AbortSystemShutdownW' and 'ShutdownBlockReasonCreate' to prevent system shutdowns that could interrupt the malware's activity.
  • To conceal the command and control (C2) addresses, the malware first randomly engages with one of the 60 hard-coded Tor domains pointing to well-known sites to make initial communications appear benign.
  • Raspberry Robin now uses PAExec[.]exe instead of PsExec[.]exe to download the payload directly from the hosting location. This decision was likely made to increase its stealth, as PsExec[.]exe is known to be misused by hackers.

Suggested Corrections:
Check Point's report provides a list of indicators of compromise for Raspberry Robin, which consists in hashes for the malware, multiple domains in the Tor network, and Discord URLs for downloading the malicious archive.