Upgraded Raspberry Robin targets companies in Europe

January 10, 2023

The Raspberry Robin worm has gained new features that increase its attack capability and persistence. The malware first emerged in September 2021 and has since grown into a significant threat to many organisations.

According to researchers, Raspberry Robin now carries a highly obfuscated malware strain that targets financial and insurance services in several European countries. Initial reports indicate that the new upgrades have allowed its operators to collect far more data from victims than in previous campaigns.

The organisations hit hardest in the recent Raspberry Robin campaign are Spanish- and Portuguese-speaking firms.


Researchers found that the Raspberry Robin operators deliver a ZIP archive that contains an MSI installer.


The researchers analysed a sample from a Raspberry Robin attack and found that the attackers downloaded a 7-Zip archive containing an MSI installer, which was used to drop several modules.

In a related incident, the attackers tricked a victim into downloading a ZIP file through a fraudulent advertisement displayed on a compromised web page. The researchers recovered the file from a Discord server; it held encoded JavaScript that dropped a downloader hidden under several layers of encryption.
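A defender-side check for the delivery chain described above (a ZIP archive carrying an MSI installer), added here as an example that is not from the article or the researchers it cites. It flags archive members both by installer extension and by the OLE Compound File magic that every .msi package starts with, so a renamed installer is caught as well; the sample archive is constructed in memory.

```python
import io
import zipfile

# Windows Installer (.msi/.msp/.mst) packages are OLE Compound File Binary
# files, so they begin with this magic regardless of the file name used.
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MSI_EXTENSIONS = (".msi", ".msp", ".mst")


def find_msi_members(zip_bytes: bytes) -> list[dict]:
    """Return one record per archive member that looks like an MSI package.

    A member is flagged when its name has an installer extension OR its
    first bytes carry the CFB magic (catches an installer disguised as .txt).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(OLE_CFB_MAGIC))  # only the header is read
            by_ext = info.filename.lower().endswith(MSI_EXTENSIONS)
            by_magic = head == OLE_CFB_MAGIC
            if by_ext or by_magic:
                findings.append({
                    "name": info.filename,
                    "size": info.file_size,
                    "ext_match": by_ext,
                    "magic_match": by_magic,
                    "disguised": by_magic and not by_ext,  # renamed installer
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not a real malware archive): a decoy document,
    an installer hidden under a .txt name, and a plainly named .msi.
    Member contents are dummy bytes that only carry the real CFB magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 decoy")
        zf.writestr("readme.txt", OLE_CFB_MAGIC + b"\x00" * 64)
        zf.writestr("setup.msi", OLE_CFB_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_msi_members(build_sample_archive()):
        print(finding)
```

The same check can be run at a mail or download gateway over real archives; 7-Zip archives need a separate reader (for example the third-party py7zr package), as the standard library only handles ZIP.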

The newer malware versions are more sophisticated, and the command-and-control server delivers a large RC4-encrypted payload.

The Raspberry Robin operators have reportedly improved their post-exploitation capabilities, including lateral movement, detection evasion, and abuse of well-known cloud services such as GitHub, Azure, and Discord.

The malware developers added further code obfuscation and other functionality to evade security tools and analysis. The sample wraps the malicious code in roughly five layers of protection before it is allowed to run.

The latest updates let the worm launch payloads tailored to the victim profile, while the shellcode downloader typically retrieves additional executables.

The Raspberry Robin authors have been steadily upgrading the worm's capabilities, making it a more significant threat. European organisations should strengthen their defences, since this group is heavily targeting the continent.
