Raspberry Robin Malware Upgrades: Spreads via Discord and Uses New Exploits

admin, 12 February 2024 14:08:13

The operators of Raspberry Robin are now using two new one-day exploits to achieve local privilege escalation, while the malware itself continues to be refined to make it stealthier than before.

This means that "Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time," Check Point said in a report this week.

Raspberry Robin (aka QNAP worm), first documented in 2021, is an evasive malware family that's known to act as one of the top initial access facilitators for other malicious payloads, including ransomware.

Attributed to a threat actor named Storm-0856 (previously DEV-0856), it's propagated via several entry vectors, including infected USB drives, with Microsoft describing it as part of a "complex and interconnected malware ecosystem" with ties to other e-crime groups like Evil Corp, Silence, and TA505.

Raspberry Robin's use of one-day exploits such as CVE-2020-1054 and CVE-2021-1732 for privilege escalation was previously highlighted by Check Point in April 2023.

The cybersecurity firm, which detected "large waves of attacks" since October 2023, said the threat actors have implemented additional anti-analysis and obfuscation techniques to make it harder to detect and analyze.


"Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed," it noted.

"Those one-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a zero-day and was sold on the dark web."


A report from Cyfirma late last year revealed that an exploit for CVE-2023-36802 was being advertised on dark web forums in February 2023. This was seven months before Microsoft and CISA released an advisory on active exploitation. It was patched by the Windows maker in September 2023.


Raspberry Robin is said to have started using an exploit for this flaw sometime in October 2023, the same month public exploit code became available, and an exploit for CVE-2023-29360 in August. The latter vulnerability was publicly disclosed in June 2023, but an exploit for it did not appear publicly until September 2023.

It's assessed that the threat actors purchase these exploits rather than developing them in-house, because the exploits are used as an external 64-bit executable and are not as heavily obfuscated as the malware's core module.

"Raspberry Robin's ability to quickly incorporate newly disclosed exploits into its arsenal further demonstrates a significant threat level, exploiting vulnerabilities before many organizations have applied patches," the company said.

One of the other significant changes concerns the initial access pathway itself, leveraging rogue RAR archive files containing Raspberry Robin samples that are hosted on Discord.

Also modified in the newer variants is the lateral movement logic, which now uses PAExec.exe instead of PsExec.exe, and the command-and-control (C2) communication method, which now randomly chooses a V3 onion address from a list of 60 hardcoded onion addresses.


"It starts with trying to contact legitimate and well-known Tor domains and checking if it gets any response," Check Point explained. "If there is no response, Raspberry Robin doesn't try to communicate with the real C2 servers."

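The two behavioural changes above (RAR samples fetched from Discord, PAExec.exe replacing PsExec.exe for lateral movement) are what a defender can look for in proxy and process telemetry. The following triage script is an added example and is not Check Point's code; it assumes Discord attachments are served from cdn.discordapp.com and uses a constructed `key=value` log format.

```python
import re
from urllib.parse import urlparse

# Constructed sample telemetry (not from the report): proxy and
# process-creation records in a simple key=value format.
SAMPLE_EVENTS = [
    'type=proxy host=WS-17 url=https://cdn.discordapp.com/attachments/1/2/invoice.rar status=200',
    'type=proxy host=WS-17 url=https://cdn.discordapp.com/attachments/1/2/photo.png status=200',
    'type=process host=WS-17 image=C:\\Users\\Public\\PAExec.exe cmdline="PAExec.exe \\\\WS-22 -s cmd.exe"',
    'type=process host=WS-03 image=C:\\Tools\\PsExec.exe cmdline="PsExec.exe \\\\WS-09 -s cmd.exe"',
    'type=process host=WS-03 image=C:\\Windows\\explorer.exe cmdline="explorer.exe"',
]

# Assumption: Discord-hosted attachments are downloaded from this CDN host.
DISCORD_CDN = "cdn.discordapp.com"
ARCHIVE_EXTS = (".rar",)
# The newer variants use PAExec.exe; older ones used PsExec.exe, so flag both.
REMOTE_EXEC_TOOLS = ("paexec.exe", "psexec.exe")


def parse_event(line):
    """Split a log line into key=value pairs; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def triage(events):
    """Return (host, reason) findings for the initial-access and lateral-movement behaviours."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("type") == "proxy":
            u = urlparse(ev.get("url", ""))
            if u.hostname == DISCORD_CDN and u.path.lower().endswith(ARCHIVE_EXTS):
                findings.append((ev["host"], "rar archive fetched from Discord CDN"))
        elif ev.get("type") == "process":
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            # A UNC target (\\host) on the command line indicates remote execution.
            if image in REMOTE_EXEC_TOOLS and "\\\\" in ev.get("cmdline", ""):
                findings.append((ev["host"], f"{image} used for remote execution"))
    return findings


if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```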

Originally published on the WeChat public account 知机安全: Raspberry Robin Malware Upgrades: Spreads via Discord and Uses New Exploits

Reprinted from CN-SEC (please keep this link when reprinting; thanks to the original author): https://cn-sec.com/archives/2488401.html

