Raspberry Robin worm uses one-day flaws to launch cyberattacks

March 25, 2024

Raspberry Robin, one of the most nefarious worms in the cybercrime world, has resurfaced with a new malicious tactic.

Based on reports, this operation exploits two new one-day vulnerabilities to unleash a series of stealthy cyberattacks. These attacks have allegedly been silently breaching organisations worldwide since October 2023, leaving a trail of chaos in their wake.

Raspberry Robin worm set its sights on European companies.

According to investigations, the Raspberry Robin operators have made the campaign more sophisticated and are directing their new operations against the European financial and insurance sectors.

The modus operandi of this insidious worm follows a seamless attack flow. The attackers use the popular Discord platform as the delivery vector, which allows them to drop their malware, and they give the files that carry the malware deceptive names.

One example is a malicious file named ‘File.Chapter-1.rar’, which the operators delivered to one of their unsuspecting victims’ systems. The archive contains a digitally signed executable (OleView.exe) and a malicious DLL (aclui.dll) that paves the way for Raspberry Robin’s infiltration.
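A signed executable shipped next to a DLL that normally lives in the Windows system directory is the classic shape of DLL sideloading, which is how a defender would read the OleView.exe and aclui.dll pairing above. The following is an added detection example, not code from the original article or from the researchers it cites; it assumes image-load telemetry in the shape shown (process path, loaded DLL path, and the sensor's signature verdict) and that the trusted home of aclui.dll is System32 or SysWOW64. The sample events are constructed.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ImageLoadEvent:
    process_image: str   # full path of the process that mapped the DLL
    loaded_image: str    # full path of the DLL that was mapped
    dll_signed: bool     # signature verdict reported by the sensor (assumed field)


# Executable/DLL pairing named in the article. Legitimate copies of aclui.dll
# live under the Windows system directories (assumption used by this check).
SIDELOAD_PAIRS = {"oleview.exe": {"aclui.dll"}}
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_suspicious_sideload(ev: ImageLoadEvent) -> bool:
    """True when a watched executable loads its paired DLL from outside the
    trusted system directories, or when that DLL is unsigned."""
    proc = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.loaded_image)
    expected = SIDELOAD_PAIRS.get(proc.name.lower())
    if not expected or dll.name.lower() not in expected:
        return False
    dll_dir = str(dll.parent).lower()
    if dll_dir in TRUSTED_DLL_DIRS and ev.dll_signed:
        return False
    return True


def find_sideloads(events):
    """Return the events that match the sideloading pattern."""
    return [ev for ev in events if is_suspicious_sideload(ev)]


# Constructed sample telemetry: one sideload from an extracted archive,
# one legitimate OleView load, one unrelated process.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Users\alice\Downloads\File.Chapter-1\OleView.exe",
                   r"C:\Users\alice\Downloads\File.Chapter-1\aclui.dll", False),
    ImageLoadEvent(r"C:\Program Files (x86)\Windows Kits\10\bin\OleView.exe",
                   r"C:\Windows\System32\aclui.dll", True),
    ImageLoadEvent(r"C:\Windows\explorer.exe",
                   r"C:\Windows\System32\aclui.dll", True),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("suspicious sideload:", hit.process_image, "->", hit.loaded_image)
```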

Once inside a system, Raspberry Robin exploits vulnerabilities in the Microsoft Streaming Service Proxy (CVE-2023-36802) and the Windows TPM Device Driver (CVE-2023-29360) to escalate privileges. What makes the new campaign alarming is how quickly the attackers acquired working exploits for these flaws.

Furthermore, the latest variant of this cunning worm comes with various evasion tactics designed to hinder analysis. Researchers confirmed that the worm can terminate specific processes related to User Account Control (UAC) in Windows, and that it calls APIs such as ‘AbortSystemShutdownW’ and ‘ShutdownBlockReasonCreate’ to block system shutdowns.

The threat posed by Raspberry Robin has been evolving constantly for the past few years. Organisations must remain vigilant against these attackers’ post-exploitation capabilities and their ever-changing tactics for evading detection.

Lastly, researchers warn that the malware’s operators will likely continue their quest for new exploits to upgrade their agenda. Therefore, organisations should use indicators of compromise (IOCs) associated with Raspberry Robin, including hashes, Tor network domains, and Discord URLs, to stay one step ahead.
