Tracking Updates to Raspberry Robin

Raspberry Robin is a malicious downloader that has evolved with advanced obfuscation techniques, new encryption methods, and a local privilege escalation exploit to evade detection and gain elevated privileges. It also embeds invalid TOR onion domains to hinder IOC extraction and has remained an active threat since 2021. #RaspberryRobin #CVE-2024-38196 #ChaCha20

Key points

  • Raspberry Robin has been active since 2021 and primarily spreads via infected USB devices.
  • Recent updates include improved obfuscation with multiple initialization loops and obfuscated stack pointers and conditional statements.
  • The malware switched its network encryption from AES-CTR to ChaCha20, using randomized counter and nonce values for each request.
  • A new local privilege escalation exploit, CVE-2024-38196, has been integrated to gain elevated permissions on infected systems.
  • Raspberry Robin embeds invalid TOR onion domains with a hardcoded algorithm to dynamically correct decrypted command-and-control (C2) domains, complicating IOC extraction.
  • Samples carry expiration dates that limit execution to a one-week window, and the memory-mapping offsets of the core and TOR modules vary between samples.
  • Zscaler’s cloud security platform detects Raspberry Robin under the threat name Win32.Worm.RaspberryRobin with multiple related IOCs identified.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Raspberry Robin uses scripts to decrypt and execute payloads, employing obfuscated conditional statements to hinder analysis.
  • [T1204] User Execution – The malware spreads via infected USB devices requiring user interaction to execute the payload.
  • [T1046] Network Service Scanning – It uses TOR onion domains as C2 servers, dynamically correcting the corrupted domains to maintain communication.
  • [T1068] Exploitation for Privilege Escalation – Raspberry Robin employs CVE-2024-38196 to achieve local privilege escalation on targeted systems.
  • [T1027] Obfuscated Files or Information – Raspberry Robin employs multiple initialization loops, obfuscated stack pointers, and flattened control flow to complicate reverse engineering and brute-force decryption.
  • [T1071] Application Layer Protocol – The malware communicates using encrypted network traffic over TOR, with its encryption switched from AES-CTR to ChaCha20.

Indicators of Compromise

  • [File Hashes] Raspberry Robin DLL samples – 5b0476043da365be5325260f1f0811ea81c018a8acc9cee4cd46cb7348c06fc6, 05c6f53118d363ee80989ef37cad85ee1c35b0e22d5dcebd8a6d6a396a94cb65
  • [Domains] Hardcoded TOR onion C2 servers – ves2owzq3uqyikb4zoeumzr4uxpi3twmy5qa5fdc4g7btpc43x5ahxyd.onion:9211, df643p7juf4hhz3nqy4lychm2xslc645bozk3egqhsj46k6xqoy4xvad.onion:13201, and numerous others with variable ports

Read more: https://www.zscaler.com/blogs/security-research/tracking-updates-raspberry-robin