Raspberry Robin devs are buying exploits for faster attacks (Security News, February 2024)

Researchers suspect that the criminals behind the Raspberry Robin malware are now buying exploits rather than writing them, so that they can weaponise new vulnerabilities faster.
Check Point Research (CPR) believes the exploit developer is either on the Raspberry Robin payroll or an outside contact who sells exploits to the group, and considers the latter more likely.
The speed-up is visible in the age of the bugs being exploited. In 2022 Raspberry Robin was using exploits for vulnerabilities up to a year old, such as CVE-2021-1732 (a Windows Win32k elevation-of-privilege bug patched in February 2021). By late 2023 it was exploiting vulnerabilities less than a month after disclosure, such as CVE-2023-36802 (a Microsoft Streaming Service Proxy elevation-of-privilege bug patched in September 2023), which leaves defenders a patching window of weeks rather than months.
"Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed," said CPR. "Those one-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a zero-day and was sold on the dark web."
"After looking at samples of Raspberry Robin prior to October, we found that it also used an exploit for CVE-2023-29360," said CPR. "This vulnerability was publicly disclosed in June and was used by Raspberry Robin in August. Even though this is a pretty easy vulnerability to exploit, the fact that the exploit writer had a working sample before there was a known exploit in GitHub is impressive, as is how quickly Raspberry Robin used it."
"If the Raspberry Robin authors were the developers of the exploits, then they would have probably used the exploits in the main component itself," said CPR. "In addition, the exploits would be packed in the same way and have the same format as the different stages of the main component."
News URL: https://go.theregister.com/feed/www.theregister.com/2024/02/08/raspberry_robin_bought_exploits/
Related vulnerabilities
Published | CVE | Vulnerability | Risk score
---|---|---|---
2023-09-12 | CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege (use-after-free) | 0.0
2023-06-14 | CVE-2023-29360 | Microsoft Streaming Service Elevation of Privilege (weakness type unspecified) | 8.4
2021-02-25 | CVE-2021-1732 | Windows Win32k Elevation of Privilege (out-of-bounds write) | 0.0