A brand new investigation has unearthed almost 200 distinctive command-and-control (C2) domains related to a malware referred to as Raspberry Robin.
“Raspberry Robin (also called Roshtyak or Storm-0856) is a posh and evolving risk actor that gives preliminary entry dealer (IAB) companies to quite a few legal teams, a lot of which have connections to Russia,” Silent Push said in a report shared with The Hacker Information.
Since its emergence in 2019, the malware has become a conduit for varied malicious strains like SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot. It is also known as a QNAP worm owing to using compromised QNAP gadgets to retrieve the payload.
Over time, Raspberry Robin assault chains have added a brand new distribution methodology that includes downloading it through archives and Home windows Script Recordsdata despatched as attachments utilizing the messaging service Discord, to not point out acquiring one-day exploits to attain native privilege escalation earlier than they have been publicly disclosed.
There may be additionally some evidence to counsel that the malware is obtainable to different actors as a pay-per-install (PPI) botnet to ship next-stage malware.
Moreover, Raspberry Robin infections have integrated a USB-based propagation mechanism that includes utilizing a compromised USB drive containing a Home windows shortcut (LNK) file disguised as a folder to activate the deployment of the malware.
The U.S. authorities has since revealed that the Russian nation-state risk actor tracked as Cadet Blizzard could have used Raspberry Robin as an preliminary entry facilitator.
Silent Push, in its newest evaluation undertaken together with Staff Cymru, discovered one IP deal with that was getting used as an information relay to attach all compromised QNAP gadgets, finally resulting in the invention of over 180 distinctive C2 domains.
“The singular IP deal with was related by Tor relays, which is probably going how community operators issued new instructions and interacted with compromised gadgets,” the corporate mentioned. “The IP used for this relay was based mostly in an E.U. nation.”
A deeper investigation of the infrastructure has revealed that the Raspberry Robin C2 domains are quick – e.g., q2[.]rs, m0[.]wf, h0[.]wf, and 2i[.]pm – and that they’re quickly rotated between compromised gadgets and thru IPs utilizing a technique referred to as fast flux in an effort to make it difficult to take them down.
A few of the prime Raspberry Robin top-level domains (TLDs) are .wf, .pm, .re, .nz, .eu, .gy, .tw, and .cx, with domains registered utilizing area of interest registrars like Sarek Oy, 1API GmbH, NETIM, Epag[.]de, CentralNic Ltd, and Open SRS. A majority of the recognized C2 domains have title servers on a Bulgarian firm named ClouDNS.
“Raspberry Robin’s use by Russian authorities risk actors aligns with its historical past of working with numerous different severe risk actors, a lot of whom have connections to Russia,” the corporate mentioned. “These embrace LockBit, Dridex, SocGholish, DEV-0206, Evil Corp (DEV-0243), Fauppod, FIN11, Clop Gang, and Lace Tempest (TA505).”
Source link