Skip to content

Raspberry Robin Detected ITW Targeting Insurance & Financial Institutes In Europe

Table of Contents

Recent attacks documented in previous months seem to be orchestrated by hacking groups using a framework called Raspberry Robin. This well-designed automated framework allows attackers post-infection capabilities to evade detection, move laterally and leverage trusted cloud infrastructures of known data hosting providers such as Discord, Azure & Github, among rest.
Threat researchers Felipe Duarte, Charles Lomboni & Shlomit Chkool, responded to similar incidents twice this month and in each case were able to dissect the downloader from its parent wrapper and unveil the malware which pointed to the aforementioned Raspberry Robin framework.
What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble. Dynamically peeling back one layer at a time, the researchers were ultimately able to find the inner config of the malware and get the Indicators of Compromise (IOCs) contained within it. Reading recent articles from TrendMicro & Microsoft, the researchers were able to successfully attribute the attack to Raspberry Robin, as the IOCs overlapped with the Raspberry Robin infrastructure and Tactics, Techniques & Procedures (TTPs). In both attacks, the same IP address stood out - 85.56.236[.]45.
The IP address was spotted by @1ZRR4H, researcher at cybersecurity firm CronUp, who linked it to a Cybereason article. In his tweet he also mentions the use of a QNAP server, which is the technology behind the infamous IP address.
"The difference between what we saw in our investigation comparing to previously documented research is that Raspberry Robin operators suddenly began to collect much more data about their victims", said Threat Researcher, Charles Lomboni.
"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4 encrypted payload," added Senior Threat Researcher Felipe Duarte, who led the investigation along with the company's CEO & Founder, Ido Naor.
Security Joes incident response team has learned that hacking groups are using a new version of Raspberry Robin to attack financial institutes in Europe.
Raspberry Robin Detected ITW Targeting Insurance & Financial Institutes In Europe
Recent attacks documented in previous months seem to be orchestrated by hacking groups using a framework called Raspberry Robin. This well-designed automated framework allows attackers post-infection capabilities to evade detection, move laterally and leverage trusted cloud infrastructures of known…
Full technical analysis can be read here

#CyberEspionage #DataStealing #Campaign #Europe #Finance #Analysis #IoCs

Latest

2024-117: Zero-Day Vulnerabilities in Palo Alto Networks PAN-OS

2024-117: Zero-Day Vulnerabilities in Palo Alto Networks PAN-OS

Palo Alto Networks released security updates for two actively exploited zero-day vulnerabilities in Palo Alto Networks PAN-OS. If exploited, these vulnerabilities could allow a remote unauthenticated attacker to gain administrator privileges, or a PAN-OS administrator to perform actions on the firewall with root privileges. It recommended applying the updates and

Members Public