Raspberry Robin devs are buying exploits for faster attacks

One of the most important malware loaders for cybercrims, and its operators are jumping on vulnerabilities faster than ever

Researchers suspect the criminals behind the Raspberry Robin malware are now buying exploits for speedier cyberattacks.

An exploit developer is thought by infosec pros to be either on the Raspberry Robin payroll or a close contact who sells exploits to the group – most likely the latter. That's according to Check Point Research (CPR), which has tracked how long it takes for vulnerability exploits to be added as features to the malware.

In 2022, Raspberry Robin added exploits for vulnerabilities that were up to 12 months old, such as CVE-2021-1732, but this has quickly switched to vulnerabilities less than a month old, like CVE-2023-36802.

It means the criminals behind it are prioritizing the speed of development to maximize their chances of successful attacks.

"Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed," said CPR. "Those one-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a zero-day and was sold on the dark web."

Very few knew about CVE-2023-36802 until Microsoft addressed it as part of its September 2023 Patch Tuesday updates. However, Cyfirma spotted an exploit for it being sold on the dark web as early as February of that year, seven months before the security advisories began popping up.

The earliest signs of Raspberry Robin abusing CVE-2023-36802 came in October, just weeks after Patch Tuesday and the same month that public exploit code was made available.

Researchers believe this points to the team's access to a developer, given how little time it took to start making use of the vulnerability, especially compared to a year earlier when it was using year-old vulns.

It is possible the Raspberry Robin team stumbled upon the February exploit and bought that, or someone in-house may have quickly developed their own after spotting it in Microsoft's update list, but this is seen as the less likely option.

Another case from earlier in 2023 also pointed to the possibility of Raspberry Robin's ties to sophisticated developers.

"After looking at samples of Raspberry Robin prior to October, we found that it also used an exploit for CVE-2023-29360," said CPR. "This vulnerability was publicly disclosed in June and was used by Raspberry Robin in August. Even though this is a pretty easy vulnerability to exploit, the fact that the exploit writer had a working sample before there was a known exploit in GitHub is impressive as is how quickly Raspberry Robin used it.

"This exploit also has the same loader and the same obfuscation scheme for the strings as the CVE-2023-36802 exploit and the flow is similar. Interestingly, this vulnerability is also in the mskssrv.sys, meaning the exploit writer is working on this driver. We may see other vulnerabilities in the driver being exploited in the wild."

Analysis of the malware showed that these exploits were being used as external 64-bit executables, which to the CPR researchers indicates that they were bought rather than developed in-house.

"If the Raspberry Robin authors were the developers of the exploits, then they would have probably used the exploits in the main component itself," said CPR. "In addition, the exploits would be packed in the same way and have the same format as the different stages of the main component."

The fact that these executables were 64-bit only hints towards outside development, since Raspberry Robin was developed for both 32-bit and 64-bit architectures.

The exploits also didn't use the same high degree of obfuscation as Raspberry Robin's main component does, such as control flow flattening and variable masking.

Raspberry Robin plays an important role in the world of cybercrime and is trusted by many of the major criminal groups that are tracked by security researchers, such as EvilCorp, TA505, IcedID, and various ransomware affiliates.

Last year it was named as one of the three malware loaders that were jointly responsible for 80 percent of cyberattacks between January and August 2023, alongside QBot and SocGholish.

In publishing its suspicions about Raspberry Robin's shift toward buying exploits, CPR also found an array of new features had been added. The malware is well known for its regular updates, especially focused on anti-evasion techniques, and the latest version is no different.

It comes loaded with new methods to prevent researchers from analyzing its inner workings as well as new routines for surviving system shutdowns. Minor updates to its communication and lateral movement logic have also made it through the pipeline. ®
