Raspberry Robin: Copy Shop USB Worm Evolves to Initial Access Broker Enabling Other Threat Actor Attacks

The article discusses the ongoing threat posed by Raspberry Robin, a sophisticated initial access broker (IAB) linked to various cybercriminal organizations, particularly those connected to Russia. It highlights recent findings such as the discovery of nearly 200 unique command and control domains, the involvement of Russian GRU’s Unit 29155, and the threat actor’s evolution in attack methodologies. The importance of collaboration to combat this threat is emphasized, along with insights into its tactics, techniques, and targets. Affected: Raspberry Robin, Russian GRU, various industries, global enterprises

Key points:

  • Discovery of nearly 200 unique Raspberry Robin command and control (C2) domains.
  • Collaboration with Team Cymru led to an updated NetFlow analysis and infrastructure mapping.
  • The involvement of Russian GRU’s Unit 29155 signifies a more organized threat landscape.
  • Raspberry Robin evolved from USB worm infections to targeting hardened corporate networks.
  • Collaborative efforts are essential in tracking and mitigating Raspberry Robin attacks.
  • Initial Access Broker (IAB) services provided to various cybercriminal groups.
  • Use of advanced tactics, including multi-layered malware packing and N-day exploit deployment.
  • Emerging attack vectors include exploitation through infected USB drives and archive files shared via Discord.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Raspberry Robin uses standard protocols for communication with C2 servers.
  • T1203 – Exploitation for Client Execution: Utilizes social engineering techniques to execute malicious payloads through user interaction with infected files.
  • T1190 – Exploit Public-Facing Application: Targets known vulnerabilities in QNAP and IoT devices to build out its C2 network.
  • T1046 – Network Service Discovery: Discovery and tracking of connected devices within its compromised network.
  • T1566.001 – Phishing: Archive files sent through messaging services to lure victims into executing malicious content.

Indicators of Compromise:

  • [Domain] q2[.]rs
  • [Domain] m0[.]wf
  • [Domain] h0[.]wf
  • [Domain] 2i[.]pm
  • [IP Address] 91.XX.XXX[.]XXX (IP used for data relay)
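A defender-side check for the domain indicators listed above, added here as an example (not code from the Silent Push article): it refangs the `[.]`-defanged domains and flags DNS queries for them or any subdomain of them. The BIND-style query log lines are constructed sample data, and the regex assumes that log format; the redacted IP indicator is deliberately not used.

```python
import re
from typing import List, Optional, Tuple

# Defanged C2 domains exactly as given in the indicator list above.
DEFANGED_IOCS = ["q2[.]rs", "m0[.]wf", "h0[.]wf", "2i[.]pm"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('q2[.]rs', 'hxxp://x[.]y') into a plain lowercase domain."""
    d = indicator.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return d.rstrip(".")

def matches_ioc(qname: str, iocs: List[str]) -> Optional[str]:
    """Return the matching indicator if qname equals it or is a subdomain of it (label-aware)."""
    q = qname.strip().lower().rstrip(".")
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None  # 'notm0.wf' must NOT match 'm0.wf'

# Constructed sample lines (assumption: BIND query-log format, not from the article).
SAMPLE_DNS_LOG = """\
12-Mar-2025 10:01:02.123 client 10.0.0.5#51234: query: www.example.com IN A +
12-Mar-2025 10:01:05.456 client 10.0.0.7#49152: query: cdn.q2.rs IN A +
12-Mar-2025 10:01:09.789 client 10.0.0.9#53001: query: m0.wf. IN AAAA +
12-Mar-2025 10:01:11.000 client 10.0.0.9#53002: query: notm0.wf IN A +
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<type>\w+)")

def find_c2_lookups(log_text: str, defanged: List[str] = DEFANGED_IOCS) -> List[Tuple[str, str, str]]:
    """Return (source_ip, queried_name, matched_indicator) for every C2-domain lookup in the log."""
    iocs = [refang(i) for i in defanged]
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        hit = matches_ioc(m.group("qname"), iocs)
        if hit:
            hits.append((m.group("src"), m.group("qname").rstrip("."), hit))
    return hits

if __name__ == "__main__":
    for src, qname, ioc in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"ALERT {src} looked up {qname} (matches C2 indicator {ioc})")
```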


Full Story: https://www.silentpush.com/blog/raspberry-robin/