Raspberry Robin恶意软件升级，使用Discord传播和新的漏洞

The operators of Raspberry Robin are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before.

Raspberry Robin的操作者现在正在使用两个新的一日漏洞来实现本地特权升级，即使恶意软件仍在不断改进和改进以使其比以前更隐蔽。

This means that "Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time," Check Point said in a report this week.

这意味着"Raspberry Robin能够在很短的时间内访问到一个漏洞销售商，或者是作者自己开发漏洞，" Check Point在本周的一份报告中说。

Raspberry Robin (aka QNAP worm), first documented in 2021, is an evasive malware family that's known to act as one of the top initial access facilitators for other malicious payloads, including ransomware.

Raspberry Robin（又名QNAP worm），于2021年首次被记录下来，是一种伪装的恶意软件家族，被认为是其他恶意有效负载（包括勒索软件）的顶级初始访问便利设施之一。

Attributed to a threat actor named Storm-0856 (previously DEV-0856), it's propagated via several entry vectors, including infected USB drives, with Microsoft describing it as part of a "complex and interconnected malware ecosystem" with ties to other e-crime groups like Evil Corp, Silence, and TA505.

归因于一个名为Storm-0856（之前是DEV-0856）的威胁行为者，其通过多个入口向量传播，包括感染的USB驱动器，微软将其描述为与其他电子犯罪团伙（如Evil Corp、Silence和TA505）有联系的"复杂而相互关联的恶意软件生态系统"的一部分。

Raspberry Robin's use of one-day exploits such as CVE-2020-1054 and CVE-2021-1732 for privilege escalation was previously highlighted by Check Point in April 2023.

Check Point在2023年4月曾经突出了Raspberry Robin使用CVE-2020-1054和CVE-2021-1732等一日漏洞进行特权升级的情况。

The cybersecurity firm, which detected "large waves of attacks" since October 2023, said the threat actors have implemented additional anti-analysis and obfuscation techniques to make it harder to detect and analyze.

这家自2023年10月以来检测到"大规模攻击浪潮"的网络安全公司表示，威胁行为者已经实施了额外的反分析和混淆技术，以使其更难以检测和分析。

"Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed," it noted.

"最重要的是，Raspberry Robin继续在漏洞公开披露之前或仅在短时间内使用不同的漏洞利用。"它指出。

"Those one-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a zero-day and was sold on the dark web."

"这些一日漏洞在使用时没有公开披露。其中一个漏洞CVE-2023-36802的利用也作为零日在野外使用，并在暗网上出售。"

A report from Cyfirma late last year revealed that an exploit for CVE-2023-36802 was being advertised on dark web forums in February 2023. This was seven months before Microsoft and CISA released an advisory on active exploitation. It was patched by the Windows maker in September 2023.

Cyfirma去年年底的一份报告揭示了一个利用CVE-2023-36802的漏洞，该漏洞在2023年2月在暗网论坛上进行了广告宣传。这是在Microsoft和CISA发布有关活动利用的警报之前的七个月。Windows制造商在2023年9月对其进行了修补。

Raspberry Robin is said to have started utilizing an exploit for the flaw sometime in October 2023, the same month a public exploit code was made available, as well as for CVE-2023-29360 in August. The latter was publicly disclosed in June 2023, but an exploit for the bug did not appear until September 2023.

据说Raspberry Robin在2023年10月某个时候开始利用某个漏洞的漏洞，与同月公开提供了公开的漏洞代码，以及在8月为CVE-2023-29360提供了漏洞。后者在2023年6月公开披露，但直到2023年9月才出现了对该漏洞的利用。

It's assessed that the threat actors purchase these exploits rather than developing them in-house owing to the fact that they are used as an external 64-bit executable and are not as heavily obfuscated as the malware's core module.

"Raspberry Robin's ability to quickly incorporate newly disclosed exploits into its arsenal further demonstrates a significant threat level, exploiting vulnerabilities before many organizations have applied patches," the company said.

据评估，威胁行为者购买这些漏洞而不是自行开发，原因是它们被用作外部64位可执行文件，并且没有像恶意软件的核心模块那样被严密混淆。"Raspberry Robin之能够迅速将新披露的漏洞纳入其武器库进一步证明了其重大威胁水平，在许多组织应用补丁之前利用了漏洞，"该公司说。

One of the other significant changes concerns the initial access pathway itself, leveraging rogue RAR archive files containing Raspberry Robin samples that are hosted on Discord.

另一个重要变化涉及初始访问路径本身，利用在Discord上托管的包含Raspberry Robin样本的恶意RAR存档文件。

Also modified in the newer variants is the lateral movement logic, which now uses PAExec.exe instead of PsExec.exe, and the command-and-control (C2) communication method by randomly choosing a V3 onion address from a list of 60 hardcoded onion addresses.

新版本中修改的还有横向移动逻辑，现在使用PAExec.exe而不是PsExec.exe，以及通过从60个硬编码洋葱地址列表中随机选择一个V3洋葱地址来选择命令和控制（C2）通信方法。

"It starts with trying to contact legitimate and well-known Tor domains and checking if it gets any response," Check Point explained. "If there is no response, Raspberry Robin doesn't try to communicate with the real C2 servers."

"它开始尝试联系合法而知名的Tor域并检查是否收到任何响应，"Check Point解释道。"如果没有响应，Raspberry Robin则不尝试与真实的C2服务器通信。"

原文始发于微信公众号（知机安全）：Raspberry Robin恶意软件升级，使用Discord传播和新的漏洞