Raspberry Robin malware evolves with early access to Windows exploits (Security News, February 2024)
Recent versions of the Raspberry Robin malware are stealthier and implement 1-day exploits that are deployed only on systems that are susceptible to them.
According to a report from Check Point, Raspberry Robin has recently used at least two exploits for 1-day flaws, which indicates that the malware operator either has the capability to develop the exploit code itself or has sources that provide it.
When Raspberry Robin is first run on a computer, it will automatically attempt to elevate privileges on the device using a variety of 1-day exploits.
Check Point highlights that the new Raspberry Robin campaign leverages exploits for CVE-2023-36802 and CVE-2023-29360, two local privilege escalation vulnerabilities in Microsoft Streaming Service Proxy and the Windows TPM Device Driver.
Check Point also found evidence consistent with the exploits being obtained from an outside source rather than written by the malware's own developers: the exploits used by Raspberry Robin were not embedded into the main 32-bit component but deployed as external 64-bit executables, and they also lack the heavy obfuscation typically seen in this malware.
The researchers believe that Raspberry Robin will keep evolving and add new exploits to its arsenal, seeking code that has not been released publicly.
Related news
- New Malware Technique Could Exploit Windows UI Framework to Evade EDR Tools
- Russia targets Ukrainian conscripts with Windows, Android malware
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware
- New SteelFox malware hijacks Windows PCs using vulnerable driver
- SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Target Victims
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus
- Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails
- Botnet exploits GeoVision zero-day to install Mirai malware
- RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks
Related vulnerabilities
Date | CVE | Vulnerability title | Risk |
---|---|---|---|
2023-09-12 | CVE-2023-36802 | Use After Free vulnerability in Microsoft products: Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability | 0.0 |
2023-06-14 | CVE-2023-29360 | Unspecified vulnerability in Microsoft products: Microsoft Streaming Service Elevation of Privilege Vulnerability | 0.0 |