Raspberry Robin Keeps Riding the Wave of Endless Zero-days
Summary:
Researchers from Check Point have released a new report on the evolution of the Raspberry Robin malware. The latest strains are stealthier and implement various 1-day exploits that are deployed on specific vulnerable systems. 1-day exploits are similar to zero-day exploits, but the vendor has already publicly disclosed the vulnerability and/or released a patch for it. Even though a patch may be available, threat actors exploit these vulnerabilities soon after disclosure, before victims have installed it.
Check Point says Raspberry Robin has recently used at least two exploits for 1-day flaws, which shows a level of developmental sophistication either on the part of the operator or of the sources assisting in its creation. From the moment the vendor discloses the vulnerability, which usually coincides with publishing a patch, threat actors rush to create an exploit and use it before the fix propagates to a large number of systems. This has been true for Raspberry Robin, which has used such exploits in recent campaigns.
The malware shows a high level of sophistication and steady evolution, adding new features and evasion techniques and adopting several distribution methods. Recently, the malware was seen dropping fake payloads to confuse security researchers.
Security Officer Comments:
Raspberry Robin was first discovered in 2021. It typically spreads via removable storage devices such as USB drives, establishes persistence on infected systems, and eventually drops additional payloads. It has been associated with several threat actors, notably EvilCorp, FIN11, TA505, and the Clop ransomware group. Its creators and maintainers are unknown.
Since October 2023, Check Point says it has noticed large waves of attacks targeting systems worldwide. This latest campaign, which appears to be opportunistic and financially motivated, uses Discord to deliver malicious archive files to victim systems after emailing the links to the target.
The archives contain a digitally signed executable (OleView[.]exe) and a malicious DLL (aclui[.]dll) that is side-loaded when the victim runs the executable, thus activating Raspberry Robin on the system.
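As an added illustration (not code from the Check Point report), the following Python check flags the side-loading pattern described above in Sysmon-style image-load records (Event ID 7 fields `Image`, `ImageLoaded`, `Signed`): OleView.exe loading aclui.dll from outside the Windows system directories, from its own folder, or unsigned. The sample records and the list of trusted directories are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 (image load) style records; not taken from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\aclui.dll", "Signed": "true"},
    {"Image": r"C:\Users\victim\Downloads\archive\OleView.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\archive\aclui.dll", "Signed": "false"},
    {"Image": r"C:\Users\victim\Downloads\archive\OleView.exe",
     "ImageLoaded": r"C:\Windows\System32\ole32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Tools\OleView.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\aclui.dll", "Signed": "true"},
]

# Directories from which the legitimate aclui.dll is expected to load (assumption).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _in_trusted_dir(directory: str) -> bool:
    """Exact or nested match against a trusted directory (avoids 'System32Evil' prefix matches)."""
    d = directory.lower().rstrip("\\")
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def sideload_reasons(event: dict) -> list:
    """Return the reasons an image-load record matches the OleView.exe / aclui.dll
    side-loading pattern; an empty list means the record looks benign."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if image.name.lower() != "oleview.exe" or loaded.name.lower() != "aclui.dll":
        return []
    reasons = []
    if not _in_trusted_dir(str(loaded.parent)):
        reasons.append("aclui.dll loaded from outside the Windows system directories")
    if loaded.parent == image.parent:  # PureWindowsPath compares case-insensitively
        reasons.append("DLL resides next to the executable (search-order hijack)")
    if event.get("Signed", "").lower() != "true":
        reasons.append("loaded DLL is not signed")
    return reasons


def find_sideload_candidates(events: list) -> list:
    """Filter records to (image path, reasons) for those with at least one indicator."""
    return [(e["Image"], sideload_reasons(e)) for e in events if sideload_reasons(e)]


if __name__ == "__main__":
    for image, reasons in find_sideload_candidates(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```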
After Raspberry Robin is executed on the system, it elevates its privileges using recent 1-day exploits chosen based on the victim's environment. Check Point highlights that the new Raspberry Robin campaign leverages exploits for CVE-2023-36802 and CVE-2023-29360, two local privilege escalation vulnerabilities in Microsoft Streaming Service Proxy and the Windows TPM Device Driver, respectively. In both cases, the researchers say, Raspberry Robin started exploiting the flaws using a then-unknown exploit less than a month after the security issues were publicly disclosed, on June 13 and September 12, 2023.
Check Point believes the developers of Raspberry Robin are acquiring the 1-day exploits from external sources almost immediately after their disclosure. Zero-days with no disclosure or patch may be too sophisticated for the group to discover, or too expensive to purchase even for a larger cybercrime operation.
Aside from the 1-day exploits, Raspberry Robin has also added several new tools for defense evasion:
Check Point's report provides a list of indicators of compromise for Raspberry Robin, consisting of hashes for the malware, multiple domains on the Tor network, and Discord URLs used to download the malicious archive.
Link(s):
https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/