A newly identified variant of the Raspberry Robin worm is exploiting two recently disclosed one-day vulnerabilities to launch stealthy attacks. Check Point’s report indicates that these attacks have been ongoing since October 2023 and target organizations worldwide.
Notably, Raspberry Robin has recently garnered attention for extending its assault to include the financial and insurance sectors in Europe.
Introduction to the Raspberry Robin Worm
The attack chain uses the Discord platform to deliver malicious archives named ‘File.Chapter-1.rar’ to the targeted systems. Each archive contains a digitally signed executable (OleView.exe) and a malicious DLL (aclui.dll); when the victim runs the executable, the DLL is side-loaded, which activates Raspberry Robin on the system.
On its first execution on a computer, the worm automatically exploits vulnerabilities in the Microsoft Streaming Service Proxy (CVE-2023-36802) and the Windows TPM Device Driver (CVE-2023-29360) to escalate privileges. Notably, the researchers found that the malware’s operators obtained these exploits from an exploit seller or the exploits’ authors shortly after their public disclosure.
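As an added, defender-side example that is not part of the Check Point report or this article, the following Python snippet classifies Sysmon-style image-load records and flags the OleView.exe/aclui.dll side-load described above; it generalizes to any watched system DLL loaded from outside a Windows system directory. The field names, the watchlist and the sample log lines are constructed assumptions.

```python
import json
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories that hold the genuine copies of Windows system DLLs.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# The host/DLL pairing reported for this variant: signed OleView.exe side-loading aclui.dll.
KNOWN_SIDELOAD_PAIRS = {("oleview.exe", "aclui.dll")}

# Starter watchlist of system DLL names to flag when loaded from outside SYSTEM_DIRS
# (assumption: extend it from your own inventory of side-loadable DLLs).
WATCHED_DLLS = {"aclui.dll"}

def _in_system_dir(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)

def classify_image_load(event: dict) -> Optional[str]:
    """Label one image-load record (fields modelled on Sysmon Event ID 7); None if benign."""
    host = PureWindowsPath(event["Image"]).name.lower()
    dll_path = event["ImageLoaded"]
    dll = PureWindowsPath(dll_path).name.lower()
    if dll not in WATCHED_DLLS or _in_system_dir(dll_path):
        return None  # not a watched name, or the genuine copy from a system directory
    if (host, dll) in KNOWN_SIDELOAD_PAIRS:
        return "known-sideload-pair"
    return "watched-dll-outside-system-dir"

def scan(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run the classifier over JSON log lines; return (process, dll, label) per hit."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        label = classify_image_load(ev)
        if label:
            hits.append((ev["Image"], ev["ImageLoaded"], label))
    return hits

# Constructed sample events, not telemetry from the Check Point report.
SAMPLE_LOG = [
    r'{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\File.Chapter-1\\OleView.exe", '
    r'"ImageLoaded": "C:\\Users\\alice\\Downloads\\File.Chapter-1\\aclui.dll"}',
    r'{"EventID": 7, "Image": "C:\\Windows\\System32\\mmc.exe", '
    r'"ImageLoaded": "C:\\Windows\\System32\\aclui.dll"}',
    r'{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\tool.exe", '
    r'"ImageLoaded": "C:\\Program Files\\Vendor\\aclui.dll"}',
]
```

Calling `scan(SAMPLE_LOG)` returns two hits: the OleView.exe/aclui.dll pair from the extracted archive and the same DLL name loaded from a vendor directory, while the genuine System32 load is ignored.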
New evasion mechanisms added
Apart from using new exploits, the updated variant adds evasion techniques that complicate analysis. These include terminating specific processes associated with Windows UAC and running routines that call APIs such as ‘AbortSystemShutdownW’ and ‘ShutdownBlockReasonCreate’ to block system shutdown.
Moreover, the variant has modified its communication method and lateral movement to elude detection.
Conclusion
Experts expect the threat actors behind the malware to keep adopting new exploits to widen their range of attacks. As the malware continues to enhance its post-exploitation capabilities while evading detection, organizations are strongly advised to stay informed about and monitor for the Indicators of Compromise (IOCs) associated with it, such as the file hashes, Tor network domains and Discord URLs it uses.