Raspberry Robin Malware Upgrades Discord Spreads New Exploits

February 09, 2024NewsroomMalware / Dark Web

Raspberry Robin Malware

The operators of Raspberry Robin now uses two new one-day exploits to achieve local privilege escalation, although the malware continues to refine and improve to make it more stealthy than ever.

This means that “Raspberry Robin has access to an exploit vendor or its authors have developed exploits themselves for a short time,” Check Point SAYS in a report this week.

Raspberry Robin (aka QNAP worm), first documented in 2021, is an evasive malware family known to act as one of leading access facilitators for other malicious payloads, including ransomware.

Attributed to a threat actor named Storm-0856 (formerly DEV-0856), it is spread through multiple entry vectors, including infected USB drives, which Microsoft describes as part of a “complex and connected malware ecosystem” associated with other e-crimes. groups like Evil Corp, Silence, and TA505.


Raspberry Robin’s use of day-one exploits such as CVE-2020-1054 and CVE-2021-1732 for privilege escalation is highlighted earlier through Check Point in April 2023.

The cybersecurity firm, which has detected “massive attacks” since October 2023, said threat actors are implementing more anti-analysis and obfuscation methods to make detection and analysis more difficult.

“Most importantly, Raspberry Robin continued to use various exploits for the vulnerabilities either before or for a short time after they were publicly disclosed,” it said.

“Those one-day exploits were not disclosed to the public at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a zero-day and sold on the dark web. “

A report from Cyfirma late last year Revelation which is an exploit for CVE-2023-36802 announced on dark web forums in February 2023. Seven months before Microsoft and CISA released an advisory on active exploitation. It was patched by the Windows manufacturer in September 2023.

Raspberry Robin Malware

Raspberry Robin is said to have started using an exploit for the flaw in October 2023, the same month a public exploit code was made available, as well as for CVE-2023-29360 in August. The latter was publicly disclosed in June 2023, but an exploit for the bug did not appear until September 2023.


It is estimated that threat actors purchase these exploits instead of developing them in-house due to the fact that they are used as an external 64-bit executable and are not as heavily hidden as core module of the malware.

“Raspberry Robin’s ability to quickly incorporate newly disclosed exploits into its arsenal further demonstrates a significant threat level, exploiting vulnerabilities before many organizations have applied patches ,” the company said.

One of the other important changes concerns the initial access path itself, which uses rogue RAR archive files with Raspberry Robin samples hosted on Discord.

Also changed in newer variants is the lateral movement logic, which now uses PAExec.exe instead of PsExec.exe, and the command-and-control (C2) communication method by randomly selecting a V3 onion address from a list of 60 hardcoded onions. addresses.

“It starts by trying to contact legitimate and well-known Tor domains and checking if it gets any response,” Check Point explained. “If there is no response, Raspberry Robin will not attempt to communicate with the real C2 server.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment