Keypoints
- Raspberry Robin adopted two new 1-day Windows kernel LPE exploits (CVE-2023-36802 and CVE-2023-29360) within a short window of their public disclosure, in one case before it, which points to either a relationship with an exploit seller or very fast acquisition.
- Delivery shifted from USB LNKs to Discord-hosted RAR archives containing OleView.exe and a malicious aclui.dll used for DLL side-loading.
- The malware injects its kernel exploit loader into cleanmgr.exe (previously winver.exe) via the KernelCallbackTable technique; the exploits themselves are external 64-bit PE files stored as RC4-encrypted blobs and decrypted at runtime.
- New anti-analysis and evasion: API hook checks, NtTraceEvent patching to suppress ETW events, termination of runonce.exe and RunLegacyCPLElevated.exe, shutdown-abort threads, and detection of remote-desktop sessions and the Unified Write Filter (UWF).
- Lateral movement changed from PsExec to PAExec (downloaded from poweradmin[.]com) to run self-extracting payloads on remote systems.
- Command-and-control uses Tor V3 onion addresses; data is RC4-encrypted, then base64-encoded, and sent through a Tor module injected into rundll32.exe or regsvr32.exe.
- Check Point concludes Raspberry Robin is increasingly stealthy, modular, and likely to continue rapidly adopting new exploits for privilege escalation.
MITRE Techniques
- [T1068] Exploitation for Privilege Escalation – Raspberry Robin used external kernel LPE exploits to gain SYSTEM privileges (‘…Raspberry Robin starts to use an exploit for CVE-2023-36802.’ ).
- [T1574.002] DLL Side-Loading – A malicious aclui.dll placed alongside the legitimate OleView.exe is loaded in its place and executes the payload code (‘…OleView.exe is used to load the malicious DLL…’).
- [T1055] Process Injection – Malware injects loaders and exploits into legitimate processes (cleanmgr.exe) and injects a TOR module into rundll32.exe or regsvr32.exe (‘…injects the kernel exploits into cleanmgr.exe…’ ; ‘…TOR module being injected into another process as rundll32.exe or regsvr32.exe.’).
- [T1090.003] Proxy: Tor – C2 communication is performed over Tor using hardcoded V3 onion addresses (‘…communication between Raspberry Robin and the C2 is performed through a TOR module…’).
- [T1562.006] Impair Defenses: Indicator Blocking – The malware patches NtTraceEvent so that ETW events are never emitted (‘…to bypass the ETW Raspberry Robin patches the NtTraceEvent API not to do anything when it is being called.’).
- [T1547.001] Registry Run Keys / Startup Folder – Persistence via RunOnce registry key and termination of runonce.exe to hide activity (‘…persistence involves being written to the RunOnce registry key. Therefore… the malware terminates the runonce.exe process.’).
- [T1021] Remote Services – Lateral movement using remote execution tools (PAExec downloaded from official site) to execute payloads on remote hosts (‘…instead of using PsExec.exe, it uses PAExec.exe which it downloads straight from the official website https://www.poweradmin[.]com/paexec.exe.’).
Indicators of Compromise
- [SHA256] Raspberry Robin sample hashes – 7e8315426befbcf3a2fca9a3ad4d0f07…, 07e5004a0a3a9129560237ab22d73f44…, and 15 more hashes.
- [Onion domains] Tor C2 addresses – juhanurmihxlp77nkq76byazcldy2hlmovfu2epvl5ankdibsot4csyd.onion, protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion, and dozens of other V3 addresses.
- [URLs] Discord delivery archives – https://cdn.discordapp[.]com/attachments/…/Chapter-File1.rar, https://cdn.discordapp[.]com/attachments/…/File.Part_1.rar (sample delivery links used to distribute RARs).
- [File names / binaries] Side-loading and payload files – OleView.exe (legitimate, signed), aclui.dll (malicious DLL carrying an invalid signature), File.Chapter-1.rar / Part.File-1.rar.
- [Infrastructure] PAExec download URL – https://www.poweradmin[.]com/paexec.exe (used for lateral movement), and multiple onion:port entries in the C2 infrastructure list.
Raspberry Robin campaigns observed by Check Point used Discord-hosted RAR archives containing the legitimate OleView.exe plus an aclui.dll whose signature does not validate; launching OleView.exe side-loads the malicious aclui.dll, which loads a packed Raspberry Robin DLL that unpacks several further stages in memory. The later stages remain heavily obfuscated. The kernel privilege-escalation exploits are stored RC4-encrypted and run as external 64-bit PE files injected into cleanmgr.exe through the KernelCallbackTable. The exploit loader selects kernel structure offsets (EPROCESS Token, KTHREAD PreviousMode) from the OS build number read from the PEB (OSBuildNumber), leaks kernel object addresses with NtQuerySystemInformation and the SYSTEM_HANDLE entries it returns, and creates a named pipe with a UUID-derived name before running the build-specific flow for CVE-2023-36802 or CVE-2023-29360.
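How the handle-table leak turns a user-mode HANDLE into a kernel address, as an added example (the editor's illustration, not code from the Check Point report or from the malware). The 64-bit SYSTEM_HANDLE_TABLE_ENTRY_INFO layout is redefined so the walk compiles and runs anywhere, and the handle table is a constructed sample rather than a live dump; on Windows the entries come from NtQuerySystemInformation(SystemHandleInformation), retried with a larger buffer while it returns STATUS_INFO_LENGTH_MISMATCH. The PID, handle values and addresses are made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One SystemHandleInformation (class 16) entry on 64-bit Windows; 24 bytes with
 * natural alignment. Redefined here so the lookup runs off-box. */
typedef struct {
    uint16_t UniqueProcessId;       /* owning PID, truncated to 16 bits by this class */
    uint16_t CreatorBackTraceIndex;
    uint8_t  ObjectTypeIndex;
    uint8_t  HandleAttributes;
    uint16_t HandleValue;           /* the HANDLE as seen inside that process */
    uint64_t Object;                /* kernel virtual address of the object */
    uint32_t GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO;

typedef struct {
    uint64_t eprocess;   /* kernel address behind the process handle, 0 if not found */
    uint64_t ethread;    /* kernel address behind the thread handle, 0 if not found */
} LEAKED_SELF;

/* The table is unsorted, so the (pid, handle) pair is found by a linear scan. */
static uint64_t find_object(const SYSTEM_HANDLE_TABLE_ENTRY_INFO *e, uint32_t n,
                            uint16_t pid, uint16_t handle)
{
    for (uint32_t i = 0; i < n; i++)
        if (e[i].UniqueProcessId == pid && e[i].HandleValue == handle)
            return e[i].Object;
    return 0;
}

/* What a loader does after OpenProcess(GetCurrentProcessId()) and
 * OpenThread(GetCurrentThreadId()): resolve both handles to kernel addresses.
 * Token lives in EPROCESS and PreviousMode in KTHREAD, so both addresses are
 * needed before the build-specific offsets can be applied. */
LEAKED_SELF leak_self(const SYSTEM_HANDLE_TABLE_ENTRY_INFO *e, uint32_t n,
                      uint32_t pid, uint16_t hProcess, uint16_t hThread)
{
    LEAKED_SELF r = { 0, 0 };
    /* Class 16 stores PIDs in 16 bits, so a PID above 65535 cannot be matched
     * reliably; SystemExtendedHandleInformation (class 64) carries full-width
     * PIDs and handle values and is the usual alternative. */
    if (pid > 0xFFFF) return r;
    r.eprocess = find_object(e, n, (uint16_t)pid, hProcess);
    r.ethread  = find_object(e, n, (uint16_t)pid, hThread);
    return r;
}

/* Constructed sample, not a capture: our PID is 4242 with a handle to our own
 * process (0xC4) and our own thread (0xC8). Another process happens to use the
 * same handle value 0xC4, which the PID match has to exclude. */
const SYSTEM_HANDLE_TABLE_ENTRY_INFO SAMPLE_TABLE[] = {
    { 4,    0, 7, 0, 0x0004, 0xFFFF8A0012340080ULL, 0x001F0FFF },
    { 4242, 0, 7, 0, 0x00C4, 0xFFFFC90011223080ULL, 0x001FFFFF },
    { 4242, 0, 8, 0, 0x00C8, 0xFFFFC90011224440ULL, 0x001FFFFF },
    { 1337, 0, 7, 0, 0x00C4, 0xFFFFC90011225080ULL, 0x00100000 },
};
const uint32_t SAMPLE_COUNT = sizeof SAMPLE_TABLE / sizeof SAMPLE_TABLE[0];

int main(void)
{
    LEAKED_SELF self = leak_self(SAMPLE_TABLE, SAMPLE_COUNT, 4242, 0x00C4, 0x00C8);
    printf("EPROCESS %016llx  ETHREAD %016llx\n",
           (unsigned long long)self.eprocess, (unsigned long long)self.ethread);
    return 0;
}
```

Since Windows 8.1 the kernel zeroes the Object field for callers below medium integrity, so this leak presupposes a normal medium-integrity user process, which the side-loaded OleView.exe is. The call itself is common in legitimate tools, so as a detection signal it is only meaningful in sequence: an unprivileged process querying class 16 or 64 shortly before injecting into cleanmgr.exe.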
For stealth and persistence, the malware checks whether GetUserDefaultLangID and GetModuleHandleW have been hooked, terminates runonce.exe (which executes RunOnce entries, where its persistence lives) and RunLegacyCPLElevated.exe (the UAC-elevated Control Panel launcher) to keep reboot-time and UAC-elevation activity from exposing it, patches NtTraceEvent so that no ETW events are emitted, and runs threads that resist shutdown (one loops on AbortSystemShutdownW, another creates a window registered through ShutdownBlockReasonCreate). It also detects remote-desktop sessions (GetSystemMetrics(SM_REMOTESESSION), the GlassSessionId registry value, tsclient paths) and exits if the Unified Write Filter (UWF) is present, a feature typical of kiosk and lab images whose changes are discarded at reboot.
Lateral movement shifted from PsExec to PAExec, which the malware downloads from the PowerAdmin site, to execute a self-extracting payload built from the same configuration template on remote hosts. C2 runs over Tor: Raspberry Robin first attempts connections to known Tor-related domains, then picks from roughly 60 hardcoded V3 onion addresses, RC4-encrypts and base64-encodes host metadata (process tree, file names on C:), and sends it through a Tor module injected into rundll32.exe or regsvr32.exe.
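An added example (the editor's, not code from the report or from the malware) of the beacon encoding described above, RC4 followed by base64, written as a codec an analyst can run in both directions over a captured message. The RC4 key is not on the page, so the key and the metadata string in main are constructed; the self-test uses the public RC4 known-answer vector (key "Key", plaintext "Plaintext") so the implementation can be checked independently of any sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BEACON_MAX 512   /* upper bound on one metadata message in this example */

/* RC4 key schedule plus keystream XOR; symmetric, so it both encrypts and decrypts. */
static void rc4_crypt(const uint8_t *key, size_t keylen,
                      const uint8_t *in, uint8_t *out, size_t len)
{
    uint8_t S[256];
    for (int i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (int i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % keylen]) & 0xFF;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (size_t k = 0, i = 0, j = 0; k < len; k++) {
        i = (i + 1) & 0xFF;
        j = (j + S[i]) & 0xFF;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        out[k] = in[k] ^ S[(S[i] + S[j]) & 0xFF];
    }
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Standard base64 with '=' padding; out needs 4*ceil(len/3)+1 bytes. */
static size_t b64_encode(const uint8_t *in, size_t len, char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < len) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < len) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < len) ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return o;
}

static int b64val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Returns decoded length, or -1 on a byte outside the alphabet or output overflow. */
static long b64_decode(const char *s, uint8_t *out, size_t cap)
{
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (; *s && *s != '='; s++) {
        int v = b64val(*s);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;
            out[n++] = (uint8_t)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return (long)n;
}

/* Outbound direction: plaintext metadata -> RC4 -> base64. Returns the base64
 * length, or 0 if the message exceeds BEACON_MAX. */
size_t encode_beacon(const uint8_t *key, size_t keylen, const char *plain, char *out)
{
    size_t len = strlen(plain);
    uint8_t ct[BEACON_MAX];
    if (len > BEACON_MAX) return 0;
    rc4_crypt(key, keylen, (const uint8_t *)plain, ct, len);
    return b64_encode(ct, len, out);
}

/* Analysis direction: captured base64 -> RC4 -> plaintext. Returns plaintext
 * length, or -1 on malformed input or an undersized output buffer. */
long decode_beacon(const uint8_t *key, size_t keylen, const char *b64, char *out, size_t cap)
{
    uint8_t ct[BEACON_MAX];
    long n = b64_decode(b64, ct, sizeof ct);
    if (n < 0 || (size_t)n + 1 > cap) return -1;
    rc4_crypt(key, keylen, ct, (uint8_t *)out, (size_t)n);
    out[n] = '\0';
    return n;
}

/* Known-answer check: RC4("Key", "Plaintext") = BB F3 16 E8 D9 40 AF 0A D3,
 * which base64-encodes to "u/MW6NlArwrT". Returns 1 on success. */
int beacon_selftest(void)
{
    char b64[64], plain[64];
    if (encode_beacon((const uint8_t *)"Key", 3, "Plaintext", b64) != 12) return 0;
    if (strcmp(b64, "u/MW6NlArwrT") != 0) return 0;
    if (decode_beacon((const uint8_t *)"Key", 3, b64, plain, sizeof plain) != 9) return 0;
    return strcmp(plain, "Plaintext") == 0;
}

int main(void)
{
    /* Constructed key and metadata; the real key and field layout are not on the page. */
    const uint8_t key[] = "example-key";
    char b64[4 * (BEACON_MAX / 3) + 8], plain[BEACON_MAX + 1];
    encode_beacon(key, sizeof key - 1, "explorer.exe>cleanmgr.exe;C:\\Users\\a\\doc.txt", b64);
    decode_beacon(key, sizeof key - 1, b64, plain, sizeof plain);
    printf("selftest=%d\nbeacon=%s\nround-trip=%s\n", beacon_selftest(), b64, plain);
    return 0;
}
```

RC4 with a fixed key and no IV means identical metadata produces identical ciphertext, so once the key is recovered from a sample, beacons captured at a Tor exit or in a sandbox decode directly with decode_beacon; the same property lets a detection match the base64 prefix of a known-plaintext field across hosts.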
Read more: https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/