
A new investigation has unearthed nearly 200 unique command-and-control (C2) domains associated with the malware known as Raspberry Robin.
“Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor providing initial access broker (IAB) services to many criminal groups, many of whom have connections with Russia.”
Since it first emerged in 2019, the malware has served as a conduit for a variety of malicious strains, including SocGholish, Dridex, LockBit, IcedID, Bumblebee, and TrueBot. It is also known as the QNAP worm because it retrieves its payload from compromised QNAP devices.

Over the years, the Raspberry Robin attack chain has added new distribution methods, including downloads via archives and Windows Script Files sent as attachments through messaging services.
There is also evidence that the malware is offered to other actors as a pay-per-install (PPI) botnet used to deliver next-stage malware.
Additionally, Raspberry Robin infections use a USB-based propagation mechanism: a compromised USB drive carries Windows Shortcut (LNK) files disguised as folders, which trigger the malware deployment when opened.

The US government has since revealed that a Russian nation-state threat actor tracked as Cadet Blizzard used Raspberry Robin as an initial access facilitator.
In a recent analysis conducted with Team Cymru, Silent Push identified a single IP address used as a data relay connecting all of the compromised QNAP devices, which ultimately led to the discovery of over 180 unique C2 domains.
“The singular IP address is connected via a Tor relay, and is likely a way for the network operator to issue new commands and interact with the compromised devices,” the company said. “The IP used for this relay was based in an EU country.”

A deeper investigation of the infrastructure revealed that the Raspberry Robin C2 domains are short, for example short[.]rs, m0[.]wf, h0[.]wf, and 2i[.]pm, and that they rotate rapidly through compromised devices and IPs using a technique called fast flux, which makes them hard to take down.
The top-level domains (TLDs) most used by Raspberry Robin include .wf, .pm, .re, .nz, .eu, .gy, .tw, and .cx. Registrars seen include [.]DE, CentralNic Ltd, and OpenSRS. The majority of the identified C2 domains use name servers at a Bulgarian company named ClouDNS.
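Fast flux is detectable from the defender's side because a fluxing name keeps answering with new addresses on short TTLs. The following script is an added example (not code from Silent Push, Team Cymru, or the Raspberry Robin research) that scores passive-DNS style observations per domain by how many distinct IPs and /24 networks they cycled through and by their average TTL, flagging candidates that exceed assumed thresholds. It also includes a defang/refang helper for the `short[.]rs`-style indicator notation used in the report. All domain names, IP addresses, timestamps, and thresholds in it are constructed for the example.

```python
"""Flag fast-flux candidates from passive-DNS style observations (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class DnsObservation:
    ts: datetime      # when the resolution was observed
    name: str         # queried domain
    ip: str           # A record in the answer
    ttl: int          # TTL (seconds) carried by the answer


def defang(domain: str) -> str:
    """Render a domain in the non-clickable form used in the report (e.g. short[.]rs)."""
    return domain.replace(".", "[.]")


def refang(domain: str) -> str:
    """Undo defang() so an indicator can be matched against real DNS logs."""
    return domain.replace("[.]", ".")


def analyze(observations, max_ttl=300, min_distinct_nets=5):
    """Per domain: count distinct IPs and /24 networks and compute the average TTL.

    A domain is flagged as a fast-flux candidate when it cycled through at least
    `min_distinct_nets` distinct /24 networks and its answers carried a short TTL
    (<= max_ttl seconds). Both thresholds are assumptions chosen for this example,
    not values from the report.
    """
    by_name = defaultdict(list)
    for obs in observations:
        by_name[obs.name].append(obs)

    results = {}
    for name, obs_list in by_name.items():
        ips = {o.ip for o in obs_list}
        nets = {ipaddress.ip_network(f"{o.ip}/24", strict=False) for o in obs_list}
        avg_ttl = sum(o.ttl for o in obs_list) / len(obs_list)
        results[name] = {
            "observations": len(obs_list),
            "unique_ips": len(ips),
            "unique_nets": len(nets),
            "avg_ttl": avg_ttl,
            "fast_flux": len(nets) >= min_distinct_nets and avg_ttl <= max_ttl,
        }
    return results


def build_sample_observations():
    """Constructed data: one fluxing name and one stable name, 12 lookups each over an hour."""
    start = datetime(2025, 1, 1, 0, 0, 0)
    sample = []
    for i in range(12):
        t = start + timedelta(minutes=5 * i)
        # Fluxing name: a new IP in a new /24 on every lookup, TTL 60 s (constructed).
        sample.append(DnsObservation(t, "flux-sample.invalid", f"10.{i}.0.{i + 1}", 60))
        # Stable name: the same IP every time, TTL one hour (constructed).
        sample.append(DnsObservation(t, "stable-sample.invalid", "10.200.0.5", 3600))
    return sample


if __name__ == "__main__":
    report = analyze(build_sample_observations())
    for name, stats in sorted(report.items()):
        flag = "FAST-FLUX CANDIDATE" if stats["fast_flux"] else "ok"
        print(f"{defang(name):28} ips={stats['unique_ips']:3d} nets={stats['unique_nets']:3d} "
              f"avg_ttl={stats['avg_ttl']:7.1f}s  {flag}")
```

Run against real resolver or passive-DNS logs, the same per-name statistics separate a CDN-backed name (many IPs, but usually within a few well-known networks and with sane TTLs) from a name hopping across unrelated compromised hosts; tune the network and TTL thresholds to your own baseline rather than the example values.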
“The use of Raspberry Robin by the Russian government’s threat actors is consistent with a history of working with countless other serious threat actors, many of whom have ties to Russia,” the company said. “These include LockBit, Dridex, SocGholish, Dev-0206, Evil Corp (Dev-0243), Fauppod, FIN11, Clop Gang, and Lace Tempest (TA505).”