
Raspberry Robin devs are buying exploits for faster attacks
2024-02-08 17:15

Researchers at Check Point Research (CPR) suspect the criminals behind the Raspberry Robin malware are now buying exploits to speed up their attacks.

An exploit developer is thought to be either on the Raspberry Robin payroll or a close contact who sells exploits to the group, most likely the latter.

In 2022, Raspberry Robin added exploits for vulnerabilities that were up to 12 months old, such as CVE-2021-1732, but the group has since moved to exploits for vulnerabilities less than a month old, such as CVE-2023-36802.

"Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed," said CPR. "Those one-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a zero-day and was sold on the dark web."

"After looking at samples of Raspberry Robin prior to October, we found that it also used an exploit for CVE-2023-29360," said CPR. "This vulnerability was publicly disclosed in June and was used by Raspberry Robin in August. Even though this is a pretty easy vulnerability to exploit, the fact that the exploit writer had a working sample before there was a known exploit in GitHub is impressive as is how quickly Raspberry Robin used it."

"If the Raspberry Robin authors were the developers of the exploits, then they would have probably used the exploits in the main component itself," said CPR. "In addition, the exploits would be packed in the same way and have the same format as the different stages of the main component."
News URL

https://go.theregister.com/feed/www.theregister.com/2024/02/08/raspberry_robin_bought_exploits/

Related Vulnerability

DATE        CVE             TYPE                 TITLE                                                                   VECTOR  COMPLEXITY  VENDOR     CWE      RISK (CVSS base score)
2023-09-12  CVE-2023-36802  Use After Free       Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability  local   low         microsoft  CWE-416  7.8
2023-06-14  CVE-2023-29360  Unspecified          Microsoft Streaming Service Elevation of Privilege Vulnerability        local   low         microsoft  (none)   8.4
2021-02-25  CVE-2021-1732   Out-of-bounds Write  Windows Win32k Elevation of Privilege Vulnerability                     local   low         microsoft  CWE-787  7.8