Tracking Updates to Raspberry Robin
Summary:
Researchers at Zscaler have documented several key updates to Raspberry Robin, also known as Roshtyak, a malicious downloader that has been active since 2021. The latest version adds multiple initialization loops to functions whose control flow has been flattened, an obfuscation step that makes brute-force decryption of the malware's protected data less feasible. The developers have also changed the network encryption algorithm from AES to ChaCha20. The researchers note that "while the 32-byte encryption key is hardcoded in the binary, the counter and nonce values are randomly generated per request." Randomizing the counter and nonce for every request means that identical requests never produce identical ciphertext, so the traffic cannot be matched on fixed byte patterns and two captures cannot be compared directly. It does not by itself make the traffic undecryptable: the command-and-control server needs the same nonce and counter to recover the plaintext, so an analyst who extracts the hardcoded key from a sample and recovers those per-request values from the captured messages can decrypt the traffic in the same way. Other updates include a local privilege escalation exploit for CVE-2024-38196, a vulnerability in the Windows Common Log File System (CLFS) driver patched in Microsoft's August 2024 updates, used to gain elevated privileges on compromised systems. Raspberry Robin now also embeds invalid Tor domains, so onion addresses pulled from the binary cannot be taken as indicators of compromise without validation.
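To make the cryptographic point concrete, the following added example (not code from Zscaler or from the malware itself; the key, the sample request bytes and the counter-then-nonce-then-ciphertext framing are constructed assumptions) implements ChaCha20 as specified in RFC 8439 and models both sides of the exchange: the malware encrypting the same request twice with a hardcoded 32-byte key and a fresh random counter and nonce each time, and an analyst decrypting both messages with the key pulled from the binary. For contrast it also shows what a fixed counter and nonce would leak.

```python
import os
import struct

MASK32 = 0xFFFFFFFF

# Constructed stand-in for the 32-byte key the page says is hardcoded in the
# binary; the real key is not reproduced here.
HARDCODED_KEY = bytes(range(32))


def rotl32(v, n):
    """Rotate a 32-bit word left by n bits."""
    return ((v << n) & MASK32) | (v >> (32 - n))


def quarter_round(a, b, c, d):
    """ChaCha quarter round (RFC 8439, section 2.1)."""
    a = (a + b) & MASK32; d ^= a; d = rotl32(d, 16)
    c = (c + d) & MASK32; b ^= c; b = rotl32(b, 12)
    a = (a + b) & MASK32; d ^= a; d = rotl32(d, 8)
    c = (c + d) & MASK32; b ^= c; b = rotl32(b, 7)
    return a, b, c, d


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block for (32-byte key, 32-bit counter, 12-byte nonce)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += struct.unpack("<8L", key)
    state += [counter & MASK32]
    state += struct.unpack("<3L", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 double rounds: four column, four diagonal
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            w[a], w[b], w[c], w[d] = quarter_round(w[a], w[b], w[c], w[d])
    return struct.pack("<16L", *(((x + y) & MASK32) for x, y in zip(w, state)))


def chacha20_xor(key, counter, nonce, data):
    """Encrypt or decrypt (the same operation) by XORing data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out.extend(x ^ k for x, k in zip(data[i:i + 64], block))
    return bytes(out)


def encrypt_request(plaintext, key=HARDCODED_KEY):
    """Malware side: fresh random counter and nonce for every request.

    Framing is an assumption for this example, not taken from the page:
    4-byte little-endian counter, 12-byte nonce, then ciphertext. Whatever the
    real framing is, the server must receive both values to decrypt.
    """
    counter = struct.unpack("<L", os.urandom(4))[0]
    nonce = os.urandom(12)
    return struct.pack("<L", counter) + nonce + chacha20_xor(key, counter, nonce, plaintext)


def decrypt_request(message, key):
    """Analyst side: with the key extracted from the binary, parse the framing and decrypt."""
    counter, = struct.unpack("<L", message[:4])
    nonce = message[4:16]
    return chacha20_xor(key, counter, nonce, message[16:])


def keystream_reuse_leak(ct1, ct2):
    """XOR of two ciphertexts produced under the same key, counter and nonce equals
    the XOR of their plaintexts; per-request randomization exists to prevent this."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def demo():
    """Return the observations a traffic analyst would make, as booleans."""
    request = b"id=abcd1234&cmd=checkin"  # constructed sample request
    other = b"id=abcd1234&cmd=payload"    # constructed second request, same length
    m1 = encrypt_request(request)
    m2 = encrypt_request(request)
    # Contrast case: a design that reused a fixed counter and nonce.
    fixed_ct1 = chacha20_xor(HARDCODED_KEY, 1, bytes(12), request)
    fixed_ct2 = chacha20_xor(HARDCODED_KEY, 1, bytes(12), other)
    return {
        "ciphertexts_differ": m1[16:] != m2[16:],
        "both_decrypt_with_extracted_key": decrypt_request(m1, HARDCODED_KEY) == request
        and decrypt_request(m2, HARDCODED_KEY) == request,
        "wrong_key_fails": decrypt_request(m1, bytes(32)) != request,
        "fixed_nonce_leaks_plaintext_xor": keystream_reuse_leak(fixed_ct1, fixed_ct2)
        == keystream_reuse_leak(request, other),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running it prints four observations, all True: the two ciphertexts of the same request differ, both decrypt with the extracted key, a wrong key fails, and under a fixed counter and nonce the XOR of two ciphertexts equals the XOR of the plaintexts. The quarter-round test vector from RFC 8439 section 2.1.1 (inputs 0x11111111, 0x01020304, 0x9b8d6f43, 0x01234567 giving 0xea2a92f4, 0xcb1cf8ce, 0x4581472e, 0x5881c4bb) is a quick way to confirm the primitive is implemented correctly. The practical consequence for defenders is that the randomization defeats byte-pattern signatures on the encrypted payload, not decryption: once the key is extracted from a sample, the transmitted counter and nonce are all that is needed.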
Security Officer Comments:
Raspberry Robin is a prominent malware loader whose initial infection vector has primarily been infected USB devices. Over the years it has added other distribution methods, including malicious advertisements and archive files. The latest updates, with their enhanced obfuscation and new network encryption scheme, show the authors' continued investment in making detection harder and slowing analysis by security researchers. Because Raspberry Robin can deliver additional payloads while keeping a low footprint, it remains a valuable tool that is increasingly used by a range of actors, including in campaigns that end in ransomware deployment.
Suggested Corrections:
Organizations should ensure that vulnerabilities such as CVE-2024-38196 are patched promptly so that an intrusion cannot be escalated with this exploit, whether by Raspberry Robin or by other tooling. Given Raspberry Robin's worm-like ability to spread via USB devices, organizations should also enforce strict policies on the use of removable media. A common control is to disable AutoRun and AutoPlay through registry settings or Group Policy so that drives cannot execute code on insertion. Note that Raspberry Robin's USB stage has historically depended on a user opening a malicious shortcut (LNK) file on the drive rather than on AutoRun, so this setting alone does not close the vector; pair it with device-control rules that block or allow-list removable storage and with monitoring for command interpreters launched from removable drives.
Link(s):
https://www.zscaler.com/blogs/security-research/tracking-updates-raspberry-robin