Hacking groups are using a new version of the Raspberry Robin framework to attack Spanish- and Portuguese-speaking financial institutions, and its complexity has been significantly upgraded, researchers said this week.
According to a Jan. 2 report from cybersecurity firm Security Joes, the group has used the same QNAP server for several rounds of attacks, but victim data is no longer sent in plaintext; it is now RC4-encrypted, and the downloader mechanism has been updated with new anti-analysis capabilities, including additional obfuscation layers.
Raspberry Robin is a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target's network, acting as a loader for other malware. Since being spotted nesting in corporate networks in May, it has gone on to rapidly infect thousands upon thousands of endpoints, and the species is evolving quickly.
The threat actor behind the worm is believed to be part of a larger ecosystem facilitating pre-ransomware activity and is considered one of the largest malware distribution platforms currently active. Researchers recently linked it to Evil Corp, for instance, because of its significant similarities to the Dridex malware loader.
"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," the research team wrote.
Upgraded Malware Version Takes Flight
In the latest iteration, the malware's protection mechanism has been upgraded to deploy at least five layers of protection before the malicious code runs, starting with a first-stage packer that obscures the code of the subsequent stages of the attack, followed by a shellcode loader.
The next three layers are a second-stage loader DLL, intermediate shellcode, and finally the shellcode downloader. This complex framework makes the worm harder to detect and at the same time eases lateral movement through networks, the researchers explained.
The research also indicated that Raspberry Robin operators have begun to collect more data about their victims than previously reported.
"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4-encrypted payload," wrote senior threat researcher Felipe Duarte, who led the investigation.
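The beaconing change described above (a plaintext username and hostname in the URL replaced by an RC4-encrypted payload), as an added example that is not code from the Security Joes report or from the malware itself: a minimal RC4 implementation, the cipher the report names, used to encrypt and then decrypt a constructed beacon carrying a username and hostname. The key, the "username|hostname" layout and the hex transport are assumptions made so the example runs offline; the report does not disclose the actual key, field order or encoding. The standard RC4 test vector (key "Key", plaintext "Plaintext") is included so the cipher can be checked before any recovered key is trusted.

```python
"""RC4 round trip for a constructed C2 beacon.

Added example; not code from the Security Joes report or from Raspberry Robin.
The cipher is textbook RC4 (KSA + PRGA). BEACON_KEY, the 'username|hostname'
layout and hex transport are constructed assumptions for illustration only.
"""

# Constructed key; a real analysis would recover the key from the unpacked sample.
BEACON_KEY = b"example-beacon-key"


def rc4_ksa(key):
    # Key-scheduling algorithm: permute the 256-byte state S using the key.
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key, data):
    # PRGA: derive the keystream and XOR it with the data. RC4 is symmetric,
    # so the same call both encrypts and decrypts.
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_known_vector_ok():
    # Public RC4 test vector: key "Key", plaintext "Plaintext"
    # -> ciphertext bbf316e8d940af0ad3. Use this before trusting any decryption.
    return rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def build_beacon(key, username, hostname):
    """Constructed beacon layout: 'username|hostname', RC4-encrypted, hex-encoded."""
    plaintext = f"{username}|{hostname}".encode("ascii")
    return rc4_crypt(key, plaintext).hex()


def parse_beacon(key, blob_hex):
    """Decrypt a beacon and split out the two fields.

    RC4 has no integrity check, so a wrong key silently yields garbage instead
    of an error; the layout check below is what catches that.
    """
    plaintext = rc4_crypt(key, bytes.fromhex(blob_hex))
    try:
        username, hostname = plaintext.decode("ascii").split("|", 1)
    except (UnicodeDecodeError, ValueError):
        raise ValueError("plaintext is not 'username|hostname'; wrong key?")
    return {"username": username, "hostname": hostname}


if __name__ == "__main__":
    # Constructed sample values, not data from any real infection.
    assert rc4_known_vector_ok()
    blob = build_beacon(BEACON_KEY, "alice", "WS-01")
    print("beacon on the wire:", blob)
    print("decrypted fields:  ", parse_beacon(BEACON_KEY, blob))
```

The practical point for a defender is the one the quote makes: once the fields are RC4-encrypted, the username and hostname no longer appear in proxy or DNS logs as literal strings, so URL-pattern detections written against the plaintext beacon stop matching and the analyst has to recover the key from the sample to read the traffic.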
In one case, the research team documented how a 7-Zip file was downloaded from the victim's browser, potentially from a malicious link or attachment that tricked the user into acting.
"Upon inspection, the archive was found to be an MSI installer that, when executed, drops several files onto the victim's machine," the report noted.
In a second case, the malicious payload was hosted on a Discord server, which the threat actors used to deliver malware onto the victim's machine in order to avoid detection and bypass security controls.
"In the cases we investigated, threat actors decided to implement additional validations on their backend to have better segmentation and visibility of their targets," the report noted. "This allows them to filter bots running in sandboxes, analyze environments, and respond to any other circumstance that could interfere with a segment of the botnet operation, to fix it in real time."
Raspberry Robin Makes the Rounds
The threat is flighty, following a pattern of appearing, disappearing, then reappearing with significantly upgraded capabilities.
Security firm Red Canary first analyzed and named Raspberry Robin in May, noting that it was infecting targets via malicious USB drives and worming to other endpoints, but then remaining dormant.
Subsequent reports found the Raspberry Robin worm to have added 10 layers of obfuscation and fake payloads, in an effort to launch attacks against telecommunications companies and governments across Australia, Europe, and Latin America, according to a December research report from Trend Micro.
Soon after, it came to the attention of other researchers, including IBM Security and the Microsoft Security Threat Intelligence Center (MSTIC); the latter is tracking the operators of the Raspberry Robin worm under the moniker DEV-0856.