A new investigation has unearthed nearly 200 unique command-and-control (C2) domains associated with a malware called Raspberry Robin.
“Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to numerous criminal groups, many of which have connections to Russia,” Silent Push said in a report shared with The Hacker News.
Since its emergence in 2019, the malware has become a conduit for various malicious strains like SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot. It’s also referred to as a QNAP worm owing to the use of compromised QNAP devices to retrieve the payload.
Over the years, Raspberry Robin attack chains have added a new distribution method that involves downloading it via archives and Windows Script Files sent as attachments using the messaging service Discord, not to mention acquiring one-day exploits to achieve local privilege escalation before they were publicly disclosed.
There is also some evidence to suggest that the malware is offered to other actors as a pay-per-install (PPI) botnet to deliver next-stage malware.
Furthermore, Raspberry Robin infections have incorporated a USB-based propagation mechanism that involves using a compromised USB drive containing a Windows shortcut (LNK) file disguised as a folder to activate the deployment of the malware.
The U.S. government has since revealed that the Russian nation-state threat actor tracked as Cadet Blizzard may have used Raspberry Robin as an initial access facilitator.
Silent Push, in its latest analysis undertaken along with Team Cymru, found one IP address that was being used as a data relay to connect all compromised QNAP devices, ultimately leading to the discovery of over 180 unique C2 domains.
“The singular IP address was connected through Tor relays, which is likely how network operators issued new commands and interacted with compromised devices,” the company said. “The IP used for this relay was based in an E.U. country.”
A deeper investigation of the infrastructure has revealed that the Raspberry Robin C2 domains are short – e.g., q2[.]rs, m0[.]wf, h0[.]wf, and 2i[.]pm – and that they are rapidly rotated between compromised devices and through IPs using a technique called fast flux in an effort to make it challenging to take them down.
Some of the top Raspberry Robin top-level domains (TLDs) are .wf, .pm, .re, .nz, .eu, .gy, .tw, and .cx, with domains registered using niche registrars like Sarek Oy, 1API GmbH, NETIM, Epag[.]de, CentralNic Ltd, and Open SRS. A majority of the identified C2 domains have name servers on a Bulgarian company named ClouDNS.
“Raspberry Robin’s use by Russian government threat actors aligns with its history of working with countless other serious threat actors, many of whom have connections to Russia,” the company said. “These include LockBit, Dridex, SocGholish, DEV-0206, Evil Corp (DEV-0243), Fauppod, FIN11, Clop Gang, and Lace Tempest (TA505).”
