Unveiling the Shadows: ~200 Unique C2 Domains Associated with the Raspberry Robin Access Broker Discovered by Researchers

A recent investigation has revealed the existence of nearly 200 unique command-and-control (C2) domains linked to Raspberry Robin, a sophisticated malware responsible for facilitating initial access to various criminal networks. Identified as a complex threat actor also known as Roshtyak or Storm-0856, Raspberry Robin serves numerous groups, many of which have ties to Russia, according to a report from Silent Push shared with The Hacker News.

Emerging in 2019, Raspberry Robin has become a key player in the distribution of various malicious strains, such as SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot. The malware derives its name from its association with compromised QNAP devices, which are utilized to deliver its payload.

Over time, the attack strategies linked to Raspberry Robin have evolved to include new distribution methods. Current tactics involve the use of Discord for sharing zip archives and Windows Script Files as attachments, allowing for local privilege escalation through one-day exploits before they are publicly revealed. Additionally, it appears that Raspberry Robin is marketed as a pay-per-install (PPI) service for other threat actors seeking to deploy further malicious software.

Raspberry Robin infections also utilize a unique USB-based propagation method that leverages a compromised USB drive. This drive contains a Windows shortcut (LNK) file masked as a folder designed to initiate the malware installation.

The U.S. government has indicated that the Russian state-sponsored threat group known as Cadet Blizzard may have leveraged Raspberry Robin to gain initial access to networks.

Recent analyses by Silent Push and Team Cymru located a single IP address serving as a relay for data exchanges between all compromised QNAP devices, leading to the identification of over 180 unique C2 domains. This relay employed Tor anonymity techniques to facilitate command issuing and interaction with infected devices.

Investigations further revealed that the C2 domains associated with Raspberry Robin are typically short and frequently rotate among compromised devices. They utilize a method known as "fast flux," which complicates efforts to dismantle the infrastructure behind them. Notable top-level domains (TLDs) linked to Raspberry Robin include .wf, .pm, .re, .nz, .eu, .gy, .tw, and .cx, with registration through lesser-known registrars such as Sarek Oy and CentralNic Ltd.
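The traits above (short labels, a small set of unusual TLDs, and rapid rotation of resolved IPs) can be turned into a simple triage heuristic over passive-DNS data. The following is an added example, not code from Silent Push or The Hacker News; the log records, domain names, IPs and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# TLDs the report associates with Raspberry Robin C2 domains.
SUSPECT_TLDS = {"wf", "pm", "re", "nz", "eu", "gy", "tw", "cx"}

# Constructed passive-DNS style records: "<ISO timestamp> <domain> <resolved IP>".
# Every domain and address here is made up for the example.
SAMPLE_RECORDS = """\
2024-05-01T10:00:00 q7.wf 192.0.2.10
2024-05-01T10:05:00 q7.wf 192.0.2.11
2024-05-01T10:09:00 q7.wf 198.51.100.7
2024-05-01T10:12:00 q7.wf 203.0.113.3
2024-05-01T10:20:00 q7.wf 198.51.100.9
2024-05-01T10:00:00 www.example.org 93.184.216.34
2024-05-01T10:30:00 www.example.org 93.184.216.34
2024-05-01T11:00:00 long-brand-name.pm 192.0.2.50
2024-05-01T11:30:00 long-brand-name.pm 192.0.2.50
"""

def parse_records(text):
    """Parse the constructed records into (timestamp, domain, ip) tuples."""
    rows = []
    for line in text.splitlines():
        ts, domain, ip = line.split()
        rows.append((datetime.fromisoformat(ts), domain.lower().rstrip("."), ip))
    return rows

def flag_fast_flux(records, window=timedelta(hours=1), min_ips=3, max_label_len=4):
    """Return {domain: reasons} for domains showing fast-flux rotation (many
    distinct IPs inside one window) plus at least one of the other traits
    from the report. Thresholds are assumptions chosen for this example."""
    by_domain = defaultdict(list)
    for ts, domain, ip in records:
        by_domain[domain].append((ts, ip))
    flagged = {}
    for domain, seen in by_domain.items():
        labels = domain.split(".")
        if len(labels) < 2:
            continue
        reasons = []
        if labels[-1] in SUSPECT_TLDS:
            reasons.append("tld")
        if len(labels[-2]) <= max_label_len:
            reasons.append("short-label")
        seen.sort()
        # Sliding window: distinct IPs resolved within any `window` span.
        for i, (start, _) in enumerate(seen):
            if len({ip for ts, ip in seen[i:] if ts - start <= window}) >= min_ips:
                reasons.append("fast-flux")
                break
        if "fast-flux" in reasons and len(reasons) >= 2:
            flagged[domain] = reasons
    return flagged
```

Real deployments would feed this from a passive-DNS or resolver log export and tune the window and IP thresholds to the observed baseline.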

The ongoing associations between Raspberry Robin and Russian government threat actors reflect a broader network of serious cybersecurity threats involving various well-known groups like LockBit, Dridex, and Evil Corp, among others.
