A new investigation has uncovered nearly 200 unique command-and-control (C2) domains associated with the malware Raspberry Robin.
"Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to numerous criminal groups, many of which have connections to Russia," Silent Push said in a report shared with The Hacker News.
Since its emergence in 2019, the malware has become a conduit for various malicious strains such as SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot. It is also referred to as the QNAP worm because it retrieves its payload from compromised QNAP devices.
Over the years, Raspberry Robin attack chains have added new distribution methods, including delivery via archives and Windows Script Files sent as attachments through the messaging service Discord, not to mention the use of one-day exploits for local privilege escalation obtained before the underlying bugs were publicly disclosed.
There is also some evidence to suggest that the malware is offered to other actors as a pay-per-install (PPI) botnet for delivering next-stage malware.
In addition, Raspberry Robin infections have incorporated a USB-based propagation mechanism: a compromised USB drive carries a Windows shortcut (LNK) file disguised as a folder, and opening it triggers the deployment of the malware.
The U.S. government has since revealed that the Russian nation-state threat actor tracked as Cadet Blizzard may have used Raspberry Robin as an initial access facilitator.
Silent Push, in its latest analysis carried out with Team Cymru, said it found an IP address that was being used as a data relay connecting all of the compromised QNAP devices, which eventually paved the way for the discovery of more than 180 unique C2 domains.
"The single IP address was connected via Tor relays, which is possibly how the network operators issued new commands and interacted with compromised devices," the company said. "The IP used for this relay was based in a European Union country."
A deeper investigation of the infrastructure revealed that the Raspberry Robin C2 domains are short (e.g., q2[.]rs, m0[.]wf, h0[.]wf, and 2i[.]pm) and that they are rotated rapidly between compromised devices and IP addresses using a technique called fast flux, in an attempt to make takedown efforts more difficult.
Some of the top Raspberry Robin top-level domains (TLDs) are .wf, .pm, .re, .nz, .eu, .gy, .tw, and .cx. The domains are registered through several registrars, including one operating under a [.]de domain, CentralNic Ltd, and OpenSRS. Most of the identified C2 domains have their nameservers at a Bulgarian company named ClouDNS.
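The traits described above (two-character labels on a handful of uncommon TLDs, IPs rotated rapidly across compromised hosts, nameservers at ClouDNS) can be turned into a passive-DNS triage heuristic. The following is an added example, not Silent Push's or Team Cymru's tooling: the scoring weights, the thresholds, the `PdnsRecord` shape, and the sample observations (documentation-range IPs, constructed domain names) are all assumptions made for illustration.

```python
"""Passive-DNS triage for fast-flux C2 domains.

Added example, not Silent Push's or Team Cymru's tooling. Weights,
thresholds, record layout and the sample feed are assumptions built
around the traits reported: very short domains on a few uncommon TLDs,
rapid IP rotation across many networks, and nameservers at ClouDNS.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
import ipaddress

# TLDs listed in the report. A weak signal on its own: plenty of benign
# domains live on them, so it only adds one point.
WATCHED_TLDS = {"wf", "pm", "re", "nz", "eu", "gy", "tw", "cx"}


@dataclass(frozen=True)
class PdnsRecord:
    domain: str
    rrtype: str       # "A" or "NS"
    rdata: str        # IPv4 address for A records, hostname for NS records
    seen: datetime    # when the resolution was observed
    ttl: int


def score_domain(domain: str, records: list[PdnsRecord]) -> tuple[int, list[str]]:
    """Return (score, reasons) for one domain; higher means more flux-like."""
    recs = [r for r in records if r.domain == domain]
    a_recs = [r for r in recs if r.rrtype == "A"]
    ns_hosts = {r.rdata.lower() for r in recs if r.rrtype == "NS"}
    score, reasons = 0, []

    sld, _, suffix = domain.lower().partition(".")
    if len(sld) <= 2:
        score += 1
        reasons.append(f"two-character label '{sld}'")
    tld = suffix.rsplit(".", 1)[-1]
    if tld in WATCHED_TLDS:
        score += 1
        reasons.append(f"TLD .{tld} seen in the campaign")

    if a_recs:
        ips = {r.rdata for r in a_recs}
        times = [r.seen for r in a_recs]
        # Distinct IPs per day of observation; the 3/day cut-off is an assumption.
        span_days = max((max(times) - min(times)).total_seconds() / 86400, 1.0)
        if len(ips) / span_days >= 3:
            score += 2
            reasons.append(f"{len(ips)} distinct IPs over {span_days:.1f} days")
        # Flux networks spread across many unrelated /24s; single-host
        # round-robin usually stays inside one.
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        if len(nets) >= 3:
            score += 1
            reasons.append(f"IPs spread across {len(nets)} /24 networks")
        if median(r.ttl for r in a_recs) <= 300:
            score += 1
            reasons.append("low TTL on A records")

    if any("cloudns" in h for h in ns_hosts):
        score += 1
        reasons.append("nameserver hosted at ClouDNS")
    return score, reasons


def triage(records: list[PdnsRecord], threshold: int = 4) -> list[tuple[int, str, list[str]]]:
    """Score every domain in the feed and return those at or above threshold."""
    flagged = []
    for domain in sorted({r.domain for r in records}):
        score, reasons = score_domain(domain, records)
        if score >= threshold:
            flagged.append((domain, score, reasons))
    return sorted(flagged, key=lambda t: -t[1])


def _sample_feed() -> list[PdnsRecord]:
    """Constructed observations (RFC 5737 documentation IPs), not real telemetry."""
    base = datetime(2025, 3, 1)
    feed = []
    # Flux-like: a new IP every six hours from three different /24s, TTL 60.
    for i in range(12):
        net = ["192.0.2", "198.51.100", "203.0.113"][i % 3]
        feed.append(PdnsRecord("x9.wf", "A", f"{net}.{10 + i}", base + timedelta(hours=6 * i), 60))
    feed.append(PdnsRecord("x9.wf", "NS", "pns1.cloudns.net", base, 3600))
    # Short name on a watched TLD but stable hosting: must not be flagged.
    for d in (0, 5, 10):
        feed.append(PdnsRecord("ab.eu", "A", "198.51.100.5", base + timedelta(days=d), 3600))
    feed.append(PdnsRecord("ab.eu", "NS", "ns1.example.net", base, 3600))
    # Ordinary long-lived domain.
    for d in (0, 10, 20, 30):
        feed.append(PdnsRecord("example.org", "A", "192.0.2.1", base + timedelta(days=d), 3600))
    feed.append(PdnsRecord("example.org", "NS", "ns1.example.net", base, 3600))
    return feed


SAMPLE_FEED = _sample_feed()

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_FEED):
        print(f"{domain}: score {score}")
        for reason in reasons:
            print("  -", reason)
```

The churn and /24-spread checks carry the weight; the short label and TLD checks are deliberately worth one point each so that a benign two-letter .eu domain with stable hosting (`ab.eu` in the sample) stays below the threshold while the rotating `x9.wf` is flagged with every reason listed.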
"The Russian government threat actor's use of Raspberry Robin aligns with its history of working with numerous other serious threats, many of which are related to Russia," the company said. "These include LockBit, Dridex, SocGholish, DEV-0206, Evil Corp (DEV-0243), Fauppod, FIN11, Clop Gang, and Lace Tempest (TA505)."