The Raspberry Robin Worm Evolves to Attack Europe’s Financial and Insurance Industries

The Raspberry Robin worm has targeted the financial and insurance sectors in Europe, as the malware continues to evolve its post-exploitation capabilities while remaining undetected.

Monday’s release of a new report by Security Joes states, “The malware is distinctive in that it is heavily obfuscated and extremely difficult to disassemble statically.”

The intrusions against Spanish- and Portuguese-speaking organizations are notable for collecting more victim machine data than was previously documented, with the malware now exhibiting sophisticated techniques to evade analysis.

Multiple threat actors use Raspberry Robin, also known as the QNAP worm, to gain a foothold in target networks. The framework has recently been used in attacks against the telecom and government sectors, spreading via infected USB drives and other means.

Microsoft tracks Raspberry Robin operators using the identifier DEV-0856.

The forensic investigation conducted by the Security Joes into one such attack revealed the use of a 7-Zip file that is downloaded from the victim’s browser via social engineering and contains an MSI installer file designed to drop multiple modules.

In another instance, the victim is said to have downloaded a ZIP file through a malicious advertisement hosted on a domain known to distribute adware.

The archive file, stored on a Discord server, contains encoded JavaScript code that, upon execution, drops a downloader concealed by multiple layers of obfuscation and encryption.

The shellcode downloader is primarily designed to retrieve additional executables, but it has also undergone significant upgrades that enable it to profile its victims in order to deliver appropriate payloads, in some cases even serving fake malware.

This entails gathering the host’s Universally Unique Identifier (UUID), processor name, attached display devices, and the number of minutes since system startup, in addition to the hostname and username information gathered by earlier variants of the malware.

The reconnaissance data is then encrypted with a hard-coded key and transmitted to a command-and-control (C2) server, which response with a Windows binary that is ultimately executed on the compromised system.

“Not only did we discover a version of the malware that is several times more complex, but we also discovered that the C2 beaconing, which previously had a URL containing a plaintext username and hostname, now has a robust RC4 encrypted payload,” said threat researcher Felipe Duarte.

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus
Microsoft Patches Cross-Tenant Azure Data Access Vulnerability

December 23, 2022

Microsoft has silently patched an important-severity security flaw in Azure Cognitive Search (ACS) after an external researcher reported that a flawed feature enabled cross-tenant network bypass attacks. The vulnerability, discovered by researchers at Mnemonic, effectively removed the network and identity…

Get more info

Deals

Reviews

Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.

Disclaimer

BestTopReviewsOnline.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com. As an Amazon Associate I earn from qualifying purchases.

 

Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 BestTopReviewsOnline.com Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of BestTopReviewsOnline.com.