Raspberry Robin spotted using two new 1-day LPE exploits

Pierluigi Paganini February 11, 2024

Raspberry Robin continues to evolve, it was spotted using two new one-day exploits for vulnerabilities either Discord to host samples. 

Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary, the malware propagates through removable USB devices.

The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure.

The malware was first spotted in September 2021, the experts observed it targeting organizations in the technology and manufacturing industries. Initial access is typically through infected removable drives, often USB devices.

raspberry robin

The malware uses cmd.exe to read and execute a file stored on the infected external drive, it leverages msiexec.exe for external network communication to a rogue domain used as C2 to download and install a DLL library file.

Checkpoint researchers now detailed the evolution of the threat, Raspberry Robin authors integrated two new 1-day LPE (local privilege escalation) zero-day exploits. The experts believe that the operators have access to an exploit seller or the malware authors have developed the exploits.

The researchers noticed that Raspberry Robin is continually updated with new features and supports new evasion capabilities.

The malicious code also changed its communication method and lateral movement to avoid detection.

Raspberry Robin is now spreading by disguising itself as a legitimate Windows component.

“Since last October, we have seen large waves of attacks against our customers worldwide. Since our last report, it is clear that Raspberry Robin hasn’t stopped implementing new features and tricks that make it even harder to analyze.” reads the report published by Checkpoint. “Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed. Those 1-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a 0-day and was sold on the Dark Web.”

The vulnerability CVE-2023-36802 is a Type Confusion issue in Microsoft Streaming Service Proxy. A local attacker can exploit the flaw to escalate privileges to SYSTEM (Local Privilege Escalation). The vulnerability is triggered when one of the following IOCTLs.

The vulnerability was disclosed on September 12, but researchers reported it had been exploited in the wild for some time before becoming a zero-day. Researchers from cybersecurity Cyfirma reported that an exploit for CVE-2023-36802 was available for sale on Dark Web forums in February 2023, while Microsoft and CISA warned about its exploitation in September.

Raspberry Robin started using an exploit for CVE-2023-36802 in October 2023. In 2023: Valentina Palmiotti published details of CVE-2023-36802 and its exploitation.

The analysis of the samples before October, revealed that the operators also used an exploit for CVE-2023-29360. The exploit for the vulnerability CVE-2023-29360 was publicly disclosed in June, and Raspberry Robin employed it in August.

“Even though this is a pretty easy vulnerability to exploit, the fact that the exploit writer had a working sample before there was a known exploit in GitHub is impressive as is how quickly Raspberry Robin used it.” continues the report.

The researchers conclude that Raspberry Robin operators have purchased the 1-day exploits from an exploit developer for the following reasons:

  • “The exploits are used as an external 64-bit executable. If the Raspberry Robin authors were the developers of the exploits, then they would have probably used the exploits in the main component itself. In addition, the exploits would be packed in the same way and have the same format as the different stages of the main component.
  • The exploits are only available for 64-bit.
  • The exploits are not heavily obfuscated and don’t have Control flow flattening and variable masking as in Raspberry Robin’s main component.

The report includes Indicators of Compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, malware)

you might also like

leave a comment