Raspberry Robin Worm Rides on New One-Day Flaws to Launch Stealthy Attacks | Cyware Hacker News
A new version of the Raspberry Robin worm has been found exploiting two new one-day vulnerabilities to launch stealthy attacks. According to a report from Check Point, the attacks have been since October 2023, and have targeted organizations worldwide.
Recently, Raspberry Robin made headlines for expanding its attacks to the financial and insurance sectors in Europe.
Attack flow
The attack chain leverages the Discord platform to drop malicious files titled ‘File.Chapter-1.rar’ onto the victims’ systems.
- The archives contain a digitally signed executable (OleView.exe) and a malicious DLL file (aclui.dll) that is side-loaded when the victim runs the executable, thus activating Raspberry Robin in the system.
- When the worm is first run on a computer, it automatically leverages exploits for the vulnerabilities in Microsoft Streaming Service Proxy (CVE-2023-36802) and the Windows TPM Device Driver (CVE-2023-29360) to launch privilege escalation attacks.
- Researchers found that the operators behind the malware had acquired the exploits from an exploit seller or its authors almost immediately after their disclosure.
New evasion mechanisms added
- In addition to leveraging new exploits, the new variant boasts other evasion tactics to make analysis challenging.
- These include terminating specific processes related to UAC in Windows and implementing routines that use APIs, such as ‘AbortSystemShutdownW’ and ‘ShutdownBlockReasonCreate’, to prevent the system from shutting down.
- Furthermore, the variant has changed its communication method and lateral movement to avoid being caught.
Conclusion
Researchers assume that the threat actors behind the malware will keep using new exploits to expand their attacks. As the malware continues to evolve its post-exploitation capabilities while remaining under the radar, organizations are advised to stay updated about IOCs associated with the malware such as hashes used, domains in the Tor network, and Discord URLs.