
A new investigation has uncovered nearly 200 unique command-and-control (C2) domains associated with a malware known as Raspberry Robin.
“Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to numerous criminal groups, many of which have connections to Russia,” Silent Push said in a report shared with The Hacker News.
Since its emergence in 2019, the malware has become a conduit for various malicious strains such as SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot. It is also known as the QNAP worm owing to its use of compromised QNAP devices to retrieve the payload.

Over the years, Raspberry Robin attack chains have added a new distribution method that involves downloading it via archives and Windows Script Files sent as attachments using the messaging service Discord, not to mention acquiring one-day exploits to achieve local privilege escalation before they were publicly disclosed.
There is also some evidence to suggest that the malware is offered to other actors as a pay-per-install (PPI) botnet to deliver next-stage malware.
Furthermore, Raspberry Robin infections have incorporated a USB-based propagation mechanism that involves the use of a compromised USB drive containing a Windows shortcut (LNK) file disguised as a folder to trigger the deployment of the malware.

The U.S. government has since revealed that the Russian nation-state threat actor tracked as Cadet Blizzard may have used Raspberry Robin as an initial access facilitator.
Silent Push, in its latest analysis undertaken in collaboration with Team Cymru, identified one IP address that was being used as a data relay to connect all compromised QNAP devices, ultimately leading to the discovery of over 180 unique C2 domains.
“The singular IP address was connected through Tor relays, which is likely how network operators issued new commands and interacted with compromised devices,” the company said. “The IP used for this relay was based in an E.U. country.”

A deeper investigation of the infrastructure has revealed that the Raspberry Robin C2 domains are short – e.g., q2[.]rs, m0[.]wf, h0[.]wf, and 2i[.]pm – and that they are rapidly rotated between compromised devices and through IPs using a technique called fast flux in an attempt to make them difficult to take down.
Some of the top Raspberry Robin top-level domains (TLDs) are .wf, .pm, .re, .nz, .eu, .gy, .tw, and .cx, with domains registered through niche registrars such as Sarek Oy, 1API GmbH, NETIM, Epag[.]de, CentralNic Ltd, and Open SRS. A majority of the identified C2 domains have name servers at a Bulgarian company named ClouDNS.
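As an added illustration of the two traits just described (very short names under niche TLDs, and fast-flux rotation across many IPs), here is a small triage routine a defender could run over passive-DNS records. It is not code from Silent Push or The Hacker News; the sample records, the RFC 5737 documentation IPs and the thresholds are constructed assumptions.

```python
"""Triage passive-DNS records for Raspberry Robin-style C2 naming and fast-flux churn."""
from collections import defaultdict

# TLDs the report lists as prominent among Raspberry Robin C2 domains.
RR_TLDS = {"wf", "pm", "re", "nz", "eu", "gy", "tw", "cx"}

# Constructed sample passive-DNS records: (domain, resolved IP, TTL in seconds).
# IPs come from RFC 5737 documentation ranges; they are not real indicators.
SAMPLE_RECORDS = [
    ("m0[.]wf", "192.0.2.10", 60), ("m0[.]wf", "198.51.100.7", 60),
    ("m0[.]wf", "203.0.113.5", 60), ("m0[.]wf", "192.0.2.44", 60),
    ("2i[.]pm", "203.0.113.9", 120), ("2i[.]pm", "198.51.100.20", 120),
    ("2i[.]pm", "192.0.2.77", 120),
    ("h0[.]wf", "192.0.2.3", 3600),
    ("example.com", "192.0.2.100", 60), ("example.com", "198.51.100.100", 60),
    ("example.com", "203.0.113.100", 60),
]

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'm0[.]wf' back into 'm0.wf'."""
    return domain.replace("[.]", ".").lower().strip(".")

def name_signals(domain: str) -> dict:
    """Naming traits from the report: a label of at most two characters under a niche TLD."""
    labels = refang(domain).split(".")
    if len(labels) < 2:  # bare hostnames carry neither signal
        return {"short_sld": False, "rr_tld": False}
    sld, tld = labels[-2], labels[-1]
    return {"short_sld": len(sld) <= 2, "rr_tld": tld in RR_TLDS}

def triage(records, min_ips=3, max_ttl=300) -> dict:
    """Group records per domain and flag fast-flux churn combined with C2-style naming."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for domain, ip, ttl in records:
        d = refang(domain)
        ips[d].add(ip)
        ttls[d].append(ttl)
    result = {}
    for d in ips:
        sig = name_signals(d)
        # Many distinct IPs behind short TTLs is the fast-flux pattern. CDNs look the
        # same, so the naming traits are required before a domain is flagged.
        sig["fast_flux"] = len(ips[d]) >= min_ips and max(ttls[d]) <= max_ttl
        sig["distinct_ips"] = len(ips[d])
        sig["flagged"] = sig["fast_flux"] and sig["short_sld"] and sig["rr_tld"]
        result[d] = sig
    return result

if __name__ == "__main__":
    for d, s in triage(SAMPLE_RECORDS).items():
        print(d, s)
```

The thresholds are deliberately conservative; in practice they would be tuned against the organisation's own resolver logs, and the TLD list is only a prior, not a verdict.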
“Raspberry Robin’s use by Russian government threat actors aligns with its history of working with numerous other serious threat actors, many of whom have connections to Russia,” the company said. “These include LockBit, Dridex, SocGholish, DEV-0206, Evil Corp (DEV-0243), Fauppod, FIN11, Clop Gang, and Lace Tempest (TA505).”