Raspberry Robin Worm Hatches a Highly Complex Upgrade

Published: 23/11/2024   Category: security

The Evil Corp-linked malware family has undergone an evolution, becoming more obfuscated and several times more complex, as the group behind it tests how far the worm can be spread.



Hacking groups are using a new version of the Raspberry Robin framework to attack Spanish- and Portuguese-language financial institutions — and its complexity quotient has been significantly upgraded, researchers said this week.

According to a Jan. 2 report from cybersecurity firm Security Joes, the group has used the same QNAP server for several rounds of attacks — but victim data is no longer sent in plaintext but rather RC4-encrypted, and the downloader mechanism has been updated with new anti-analysis capabilities, including more obfuscation layers.

Raspberry Robin is a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target's network, acting as a loader for other malware. Since being spotted nesting in corporate networks in May, it has gone on to rapidly infect thousands and thousands of endpoints — and the species is rapidly evolving.

The threat actor behind the worm is thought to be part of a larger ecosystem facilitating pre-ransomware activity and is considered one of the largest malware distribution platforms currently active. Researchers recently linked it to Evil Corp, for instance, thanks to its significant similarities to the Dridex malware loader.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," the research team wrote.

The threat is flighty, following a pattern of appearing, disappearing, then reappearing with significantly upgraded capabilities.

Security firm Red Canary first analyzed and named Raspberry Robin in May, noting that it was infecting targets via malicious USB drives and worming to other endpoints — but then remaining dormant.

Subsequent reports found that the Raspberry Robin worm had added 10 layers of obfuscation and fake payloads in order to launch attacks against telecommunications companies and governments across Australia, Europe, and Latin America, according to a December research report from Trend Micro.

Soon after, it came to the attention of other researchers, including IBM Security and the Microsoft Security Threat Intelligence Center (MSTIC); the latter is monitoring the operators of the Raspberry Robin worm under the moniker DEV-0856.
