There has been an upgrade in the Evil Corp-linked malware family, making it more obfuscated and "many times more complicated" as the group behind it experiments with the worm's potential for widespread infection.
This week, researchers revealed that hackers are employing a substantially more advanced version of the Raspberry Robin framework in their attacks on financial institutions in Spanish and Portuguese-speaking countries.
The group is still using the same QNAP server that it used in earlier attacks, according to a report published by security firm Security Joes on January 2, but the report says it has begun encrypting victim data with RC4 and has added new anti-analysis capabilities, such as additional obfuscation layers, to the downloader mechanism.
Raspberry Robin is a worm that installs a backdoor, spreads across a target’s network by infecting PCs via Trojanized USB devices, and then acts as a loader for other malware. It has infected many thousands of endpoints since it was first discovered nesting in business networks in May, and it is evolving fast.
The threat actor behind the worm runs one of the major malware distribution networks and is likely connected to a wider ecosystem that supports pre-ransomware operations. Because of its striking similarities to the Dridex malware loader, researchers have recently connected it to Evil Corp. The researchers noted that the malware is “unique” due to its “heavy obfuscation” and “great complexity to statically deconstruct.”
New, More Dangerous Malware Released
The malware’s protection mechanism has been improved in the newest version to apply at least five layers of protection before the malicious code is deployed. These layers include a first-stage packer, which hides the code of the subsequent stages of the attack, and a shellcode loader.
A second-stage loader DLL, intermediary shellcode, and the shellcode downloader make up the subsequent three layers. According to the study’s authors, the worm’s intricate architecture both makes it harder to detect and facilitates its lateral movement across networks. The investigation also found that the hackers behind Raspberry Robin are gathering more information about their victims than was previously known.
Senior threat researcher Felipe Duarte led the investigation, and he wrote that “not only did we discover a version of the malware that is several times more complex,” but that “we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname,” now has a robust RC4-encrypted payload.
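As an added illustration that is not part of the Security Joes report, the following Python sketch shows how a defender might triage proxy logs for the two beacon shapes described above: a URL that carries the local hostname and username in clear text, and an opaque, high-entropy path of the kind an encrypted payload produces. The log lines, domain names, and the asset inventory are all constructed for this example.

```python
import math
from urllib.parse import urlsplit

# Constructed proxy log: "<timestamp> <source host> <url>" per line. Not real indicators.
SAMPLE_LOG = """\
2023-01-03T10:00:01Z WS-FIN-042 http://example-c2.invalid:8080/WS-FIN-042-jdoe
2023-01-03T10:00:09Z WS-FIN-042 http://example-c2.invalid:8080/a9Zk3qLm8wPx2vRt7HnB5cYe1sD0
2023-01-03T10:01:00Z WS-FIN-042 http://intranet.example.invalid/help/index.html
"""

# Constructed asset inventory (hostname -> logged-in user), assumed to come from AD/EDR telemetry.
ASSETS = {"WS-FIN-042": "jdoe"}


def shannon_entropy(s):
    """Bits per character; ~4.7+ for random alphanumerics, far lower for words or paths."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def classify_beacon(src_host, url):
    """Return 'cleartext-id', 'opaque-payload', or None for an unremarkable URL."""
    parts = urlsplit(url)
    path = parts.path.strip("/") + (("?" + parts.query) if parts.query else "")
    low = path.lower()
    user = ASSETS.get(src_host, "").lower()
    # Old beacon shape: the requesting machine's own hostname/username appears in the URL.
    # Short usernames will false-positive here; restrict to longer ones in practice.
    if src_host.lower() in low or (len(user) >= 4 and user in low):
        return "cleartext-id"
    # New beacon shape: one long, extension-less, high-entropy segment (encrypted blob).
    last = path.split("/")[-1]
    if len(last) >= 20 and "." not in last and shannon_entropy(last) > 4.0:
        return "opaque-payload"
    return None


def scan(log_text):
    """Yield (host, verdict, url) for every line that matches either beacon shape."""
    hits = []
    for line in log_text.splitlines():
        _ts, host, url = line.split(" ", 2)
        verdict = classify_beacon(host, url)
        if verdict:
            hits.append((host, verdict, url))
    return hits
```

Either verdict on its own is only a lead; the entropy heuristic in particular will also flag legitimate CDN and tracking URLs, so correlate with the destination's reputation and the process that made the request.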
The study team observed the victim’s browser while it downloaded a 7-Zip file, presumably via a malicious link or attachment designed to fool the user into taking action.
The archive was determined to be an MSI installation, which “loads multiple files onto the victim’s PC when executed,” the report said. In another instance, threat actors delivered malware to the victim’s PC using a Discord server to evade detection and get around security measures.
The report noted that, “in the cases we investigated, threat actors decided to implement additional validations on their backend to have a better segmentation and visibility of their targets.” This lets them filter out bots running in sandboxes and analysis environments, and detect and fix, in real time, anything that might interfere with a portion of the botnet operation.
Raspberry Robin Makes the Rounds
The threat is erratic: it appears, disappears, and then returns with greatly enhanced capabilities.
In May, security firm Red Canary identified the threat and named it Raspberry Robin, reporting that it spread to new computers via infected USB devices before going dormant.
According to a study published by Trend Micro in December, Raspberry Robin was later found to have added 10 layers of obfuscation and decoy payloads in attacks against telecommunications companies and governments across Australia, Europe, and Latin America.
IBM Security and the Microsoft Security Threat Intelligence Center (MSTIC) both picked up on it shortly thereafter; MSTIC is currently tracking the Raspberry Robin worm’s operators using the alias DEV-0856.