According to recent research on the Raspberry Robin attack infrastructure, other threat actors may be able to re-implement the infections for their own malicious operations.
Also known as the “QNAP worm”, and linked to the DEV-0856 threat actor, Raspberry Robin is a piece of malware that has increasingly been identified as being used in attacks on financial, government, insurance and telecom entities.
It is considered a pay-per-install (PPI) botnet because it has been used by multiple threat actors to download a wide variety of payloads, such as SocGholish, Bumblebee, TrueBot, IcedID, and LockBit Ransomware, explains Hacker news.
Raspberry Robin, in particular, uses infected USB drives as a distribution vector and leverages compromised QNAP Network Attached Storage (NAS) devices as first level command and control (C2).
Cyber security researchers at SEKOIA have discovered at least eight virtual private servers (VPS) hosted on Linode that are part of a second C2 layer and likely act as forward proxies to a third, unknown layer.
the attack chain
What follows is a breakdown of the attack chain: The main obfuscated Raspberry Robin loader is downloaded from the QNAP instance when a user inserts the USB drive and runs a Windows shortcut (.LNK) file.
Because the msiexec utility sends HTTP requests to retrieve the malware, these requests can be faked to download another rogue MSI payload using DNS hijacking attacks or by repurchasing previously known domains after they expire.
This is one of the special features of Raspberry Robin: the domain resolutions of its infrastructure are constantly changing, from one compromised QNAP to another. Dozens of new decisions are made and a new jailbroken QNAP pops up every day, limiting the risk of tapping or sinking it from an operator’s perspective.
In the early stages of the campaign, at the end of July 2021, a domain name was registered and operated as C2 between 22 September 2021 and 30 November 2022, when it was suspended by the UK Registry. This domain was tiua[.]UK.
Currently, it is unclear where the initial wave of Raspberry Robin USB infections came from, but it is likely that the worm was spread through other malware.
This idea is supported by the presence of a .NET spreader module believed to be responsible for spreading Raspberry Robin .LNK files from infected hosts to USB drives. In the same method, these LNK files are used to hack into other computers.
This comes days after Google’s Mandiant team said the Russian-linked Turla group used expired domains linked to ANDROMEDA malware to send a reconnaissance tool and backdoor to targets in Ukraine that were already infected with ANDROMEDA.
The full analysis published by the SEKOIA research team is available Here.
If you liked this article, follow us LinkedIn, Twitter, Facebook, YouTubeand Instagram For more news and topics on cyber security.
