Raspberry Robin, a malicious downloader active since 2021, has undergone significant updates. It now employs improved obfuscation methods, including multiple initialization loops and flattened control flow, which make brute-force decryption of its payload layers less effective. The network encryption algorithm has shifted from AES-CTR to ChaCha20. A new local privilege escalation exploit (CVE-2024-38196) has been added to gain elevated privileges on targeted systems. The malware now embeds invalid command-and-control server domains alongside its Tor onion addresses, complicating the extraction of Indicators of Compromise. Certain values, such as the RC4 key seed, are randomized per sample or campaign. Despite limited public attention, Raspberry Robin remains a significant threat due to its continuous improvements and evasion tactics.

Author: AlienVault
Related Tags:
Roshtyak
T1080
T1553.002
T1564.003
privilege-escalation
encryption
T1027.005
Raspberry Robin
usb
Associated Indicators:
05C6F53118D363EE80989EF37CAD85EE1C35B0E22D5DCEBD8A6D6A396A94CB65
ipatoez4ldch3vabmz6lcawxtoogkmg5alxvwdm7fwzng7flvlz47ryd.onion
4l4abrrv5j7662dioqthd5fz5u4oxbpfradwt3ntliw2gfnikgers6qd.onion
wmdlzzdfkxikxrlw42rf75ug62semr3h6soc6tyoom3bb75zi7hjbrid.onion
csn3i3femv6dx362p4qesombr3e7gm5skcxkuqrymuaxeqqwmnrnvxyd.onion
soraykkm25es2phzeszxpinfhcbqgyn7i4tznb4atvks3gnsynm7avad.onion
wlfeie2rk6utw3y5aykjisr3yj6c7hme43st2weo4jmtok6zxw33hyad.onion
kykggujjvvag7p4nmptsfuyqrqtqiqqun3pimsuupecmpoez2gph4vqd.onion
z5qg6hpu7sxjyws2fqxei2peywu2tttq6lxs5ybxesgffqmjpedyeuyd.onion