Beware of Stealthy Raspberry Robin That Delivered as a Windows Component

Raspberry Robin is a malicious worm that spreads through USB drives, and it’s been actively used by the threat actors to download and install hidden malware on Windows systems. 

Besides this, the threat actors exploit it for various reasons like initial access, data theft, espionage, and deploying other malware.

EHA

Cybersecurity researchers at Check Point recently discovered that threat actors actively use the stealthy Raspberry Robin that was delivered as a Windows component.

Document
Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks .

Stealthy Raspberry Robin

Raspberry Robin was discovered by Red Canary in 2021, and it stands out for its active distribution and evasion tactics. This worm is associated with crime groups like EvilCorp and TA505 and serves as an initial access broker for deploying additional malware. 

Despite ongoing attacks since October, Raspberry Robin continuously evolves, incorporating new features and tricks for increased complexity. 

Notably, it exploits vulnerabilities, including 0-days like CVE-2023-36802, that are sold on the Dark Web, making it challenging to analyze.

Raspberry Robin previously used LNKs and network shares to spread. Now, it hides in RAR files named File.Chapter-1.rar, downloaded from Discord. OleView.exe loads the malicious DLL. 

Attackers like OleView.exe for side-loading because it needs a DLL to run and often isn’t on the disk alone. However, certain security solutions trust Microsoft-signed DLLs.

Raspberry Robin attack flow (Source - Check Point)
Raspberry Robin attack flow (Source – Check Point)

Raspberry Robin escalates privileges through encrypted kernel LPE exploits by targeting specific Windows versions. New samples inject exploits into cleanmgr.exe using KernelCallbackTable injection. 

A unique loader in memory loads an external PE with the exploit, now targeting CVE-2023-36802, a Type Confusion vulnerability in Microsoft Streaming Service Proxy. 

This allows local attackers to escalate to SYSTEM privileges. The CVE disclosed on September 12 that it had been exploited in the wild before becoming a 0-day, with no information about the exploiting group.

The exploit targets Windows 10 up to build 22621 by adapting offsets based on the Windows version. EPROCESS addresses are obtained through NtQuerySystemInformation API and SYSTEM_HANDLE structures. 

It then creates a random pipe name with UuidCreate and UuidToStringW APIs. The flow diverges for Windows versions below or above 19044. 

Besides this, there’s no evidence of Raspberry Robin using it as a 0-day, only as a 1-day, prompting pre-disclosure analysis.

Before October, Raspberry Robin utilized the CVE-2023-29360 exploit in August, which was disclosed in June. The exploit’s prompt use showcases the writer’s efficiency.

However, some similarities exist with the CVE-2023-36802 exploit in loader and string obfuscation. Both vulnerabilities target mskssrv.sys, indicating ongoing driver exploration.

Raspberry Robin’s trend of faster exploit utilization aims to exploit infrequent Windows updates, which helps maximize vulnerability exposure.

Raspberry Robin actively evades the virtual machines using evolving evasions. This worm is expected to persist by incorporating new tricks, adding unique features, and leveraging a Dark Web-acquired 0-day exploit before public disclosure.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.