Reported for the first time by Red Canary in 2021, Raspberry Robin was the 9th most prevalent threat in 2023 according to their “2024 Threat Detection Report”. Starting as a worm, it evolved to become an initial access broker for other threat actors. The success of Raspberry Robin comes from its constantly evolving evasion capabilities, […]
Good day everyone!
I have recently been researching worms and I wanted to share an article that was useful in identifying the Tactics, Techniques, and Procedures (TTPs) and behaviors associated with them. The #RaspberryRobin worm has been around for a while and has been reported on by Check Point Software Technologies Ltd researchers. This time around the researchers highlight more technical aspects and new capabilities, but a couple of tactics that stood out to me were the User Account Control (UAC) bypass to elevate privileges and the abuse of the registry run key to establish persistence. It's been an interesting topic to research and I hope you enjoy this article! Happy Hunting!
RASPBERRY ROBIN KEEPS RIDING THE WAVE OF ENDLESS 1-DAYS
https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
Key Findings Introduction Raspberry Robin is a widely distributed worm first reported by Red Canary in 2021. Its capabilities and evasions in addition to its very active distribution made it one of the most intriguing malware out there. We at Check Point Research published an article a couple of months ago using Raspberry Robin as an example […]
"Raspberry Robin's Advanced Evasion 🐦🔒"
Check Point's investigation into Raspberry Robin reveals sophisticated malware with stealth capabilities. Raspberry Robin now disguises itself as Windows components and uses 1-day LPE exploits quickly, showing an escalation in cybercriminal abilities. Check Point's article discusses Raspberry Robin's evolving tactics, including its use of two new 1-day LPE exploits before they're publicly disclosed, suggesting access to exploit sellers or in-house development.
Raspberry Robin has improved its evasion techniques, changing communication methods and movement tactics to avoid detection. It masquerades as a legitimate Windows component and serves as an initial access point for other cybercrime groups. The worm rapidly adapts, using exploits shortly after disclosure to maintain effectiveness.
It is distributed through Discord and is linked with groups like #EvilCorp and #TA505. Stay updated and vigilant! #CyberSecurity #MalwareEvolution #RaspberryRobin #LPE #InfoSec
For more details, read the full article: Check Point Research.
Good day everyone! The ReliaQuest Threat Research team recently provided a wrap-up of the most commonly used loaders, the top 80% of which comprised only three different malware! These big three are #QBot, #SocGholish, and #RaspberryRobin. THEN, they not only provided the data sheet to give to your management or C-suite, they broke them down even further to include technical details as well! Thank you to the Threat Research team for such a great report, I hope you enjoy it as much as I did, and Happy Hunting!
The 3 Malware Loaders Behind 80% of Incidents
https://www.reliaquest.com/blog/the-3-malware-loaders-behind-80-of-incidents/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
Loader malware is working behind the scenes in many organizations' environments, doing the heavy lifting that helps an infection spread. ReliaQuest has picked out the most commonly observed loaders and outlined why SOC analysts should worry about them, plus how to defend against them.
I've read and analysed last week's infosec news, so you don't have to - get up to speed on the latest in hacks, malware, tradecraft and more with this week's newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-d72?sd=pf
A vulnerability in the widely-used, open-source JsonWebToken package has highlighted the continued reliance on vendors for supply chain security.
It's not just APTs - cyber crims are eyeing off kernel space, with #ScatteredSpider/#UNC3944 abusing the #BYOVD technique in an attempt to load their malicious driver into kernel space and subvert EDR controls.
We take a look at research into #RaspberryRobin infrastructure - it's multi-tiered, growing, and highly flexible...but also vulnerable to takeover. Will this be the next #Andromeda, still spreading and hijacked by a 3rd-party in 10 years time?
#Fortinet warns an unknown, stealth-conscious actor with a "deep understanding of #FortiOS" has been seen exploiting the month-old FortiOS vulnerability (CVE-2022-42475) to drop additional malware & subvert logging.
There's a tonne more interesting reporting and tradecraft that I can't get to in this post, but you can find them in the newsletter - check it out, and subscribe to get the latest issues straight to your inbox, and support my work!
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-d72?sd=pf
#infosec #CyberAttack #Hacked #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc
#RaspberryRobin 🪱 (REF: https://blog.sekoia.io/raspberry-robins-botnet-second-life/)