Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe

    alf9872000

    Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar.


    "What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday.


    The intrusions, observed against Spanish and Portuguese-speaking organizations, are notable for collecting more victim machine data than previously documented, with the malware now exhibiting sophisticated techniques to resist analysis.


    Raspberry Robin, also called QNAP worm, is being used by several threat actors as a means to gain a foothold into target networks. Spread via infected USB drives and other methods, the framework has been recently put to use in attacks aimed at telecom and government sectors.


    Microsoft is tracking the operators of Raspberry Robin under the moniker DEV-0856.


    Security Joes' forensic investigation into one such attack has revealed the use of a 7-Zip file, which is downloaded from the victim's browser via social engineering and contains an MSI installer file designed to drop multiple modules.



    In another instance, a ZIP file is said to have been downloaded by the victim through a fraudulent ad hosted on a domain that's known to distribute adware.


    The archive file, stored in a Discord server, contains encoded JavaScript code that, upon execution, drops a downloader that's protected with numerous layers of obfuscation and encryption to evade detection.


    The shellcode downloader is primarily engineered to fetch additional executables, but it has also received significant upgrades that enable it to profile its victims and deliver payloads tailored to them, in some cases even resorting to a form of trickery by serving fake malware.

    This involves collecting the host's Universally Unique Identifier (UUID), processor name, attached display devices, and the number of minutes that have elapsed since system startup, along with the hostname and username information that was gathered by older versions of the malware.


    The reconnaissance data is then encrypted using a hard-coded key and transmitted to a command-and-control (C2) server, which responds back with a Windows binary that's then executed on the machine.


    "Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plaintext username and hostname, now has a robust RC4 encrypted payload," threat researcher Felipe Duarte said.
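The profiling and beaconing described above (host fields collected, encrypted with a hard-coded key, sent to the C2) is the kind of traffic an analyst decodes once the key has been pulled out of a sample. The following is an added example written for this page, not code from the article, Security Joes or the malware: an analyst-side decoder for an RC4-encrypted beacon. The key (`ASSUMED_KEY`), the field order and separator (`PROFILE_FIELDS`, `FIELD_SEP`) and the sample profile values are all constructed assumptions; the article does not give the real beacon layout.

```python
# Added example (not from the article): decode an RC4-encrypted beacon of the
# kind described, given a key recovered during sample analysis.
# Key, field layout, separator and sample values are constructed assumptions.

from typing import Dict

# Fields the article says the newer version collects, in an ASSUMED order.
PROFILE_FIELDS = ("uuid", "cpu", "displays", "uptime_min", "hostname", "username")
FIELD_SEP = "|"                        # assumed separator between fields
ASSUMED_KEY = b"PLACEHOLDER_RC4_KEY"   # placeholder; a real key comes from the sample


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation).

    RC4 is symmetric: the same call encrypts and decrypts.
    """
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_profile(plaintext: bytes) -> Dict[str, str]:
    """Split a decrypted beacon into named fields; reject anything that does not fit.

    A wrong key yields pseudo-random bytes, which fail the ASCII check, so the
    caller learns the key or format is wrong instead of getting garbage fields.
    """
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("decrypted beacon is not ASCII: wrong key or different format") from exc
    parts = text.split(FIELD_SEP)
    if len(parts) != len(PROFILE_FIELDS):
        raise ValueError(f"expected {len(PROFILE_FIELDS)} fields, got {len(parts)}")
    profile = dict(zip(PROFILE_FIELDS, parts))
    if not profile["uptime_min"].isdigit():
        raise ValueError("uptime field is not numeric")
    return profile


def decode_beacon(key: bytes, beacon: bytes) -> Dict[str, str]:
    """Analyst entry point: decrypt a captured beacon body and parse it."""
    return parse_profile(rc4(key, beacon))


def build_sample_beacon(key: bytes, profile: Dict[str, str]) -> bytes:
    """Build a test beacon from a profile dict, used only to exercise the decoder."""
    return rc4(key, FIELD_SEP.join(profile[f] for f in PROFILE_FIELDS).encode("ascii"))


SAMPLE_PROFILE = {  # constructed values, not from any real host
    "uuid": "00000000-1111-2222-3333-444444444444",
    "cpu": "Example CPU 1.0GHz",
    "displays": "Generic PnP Monitor",
    "uptime_min": "137",
    "hostname": "WS-EXAMPLE-01",
    "username": "analyst",
}

if __name__ == "__main__":
    captured = build_sample_beacon(ASSUMED_KEY, SAMPLE_PROFILE)
    print("beacon bytes:", captured.hex())
    print("decoded profile:", decode_beacon(ASSUMED_KEY, captured))
```

The strict ASCII and field-count checks matter in practice: a stream cipher produces plausible-looking bytes for any key, so a decoder that accepts whatever comes out will silently report wrong values when the key or layout assumption is off.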


    Source

