"Raspberry Robin Worm Hatches a Highly Complex Upgrade"

The new version of the Raspberry Robin framework being used by hacking groups to attack Spanish- and Portuguese-speaking financial institutions is significantly more complex than earlier versions, according to researchers. In a report published on January 2, the cybersecurity company Security Joes found that the group has used the same QNAP server for multiple rounds of attacks, but that victim data is no longer sent in plaintext and is instead RC4-encrypted, and that the downloader mechanism has been updated with new anti-analysis capabilities.

Raspberry Robin is a backdooring worm that infects PCs through Trojanized USB devices before spreading to other devices on the target's network. It also serves as a loader for other malware. Since May, when it was discovered nesting in enterprise networks, it has rapidly infected tens of thousands of endpoints and is evolving fast. The threat actor behind the worm is suspected to be part of a larger ecosystem that facilitates pre-ransomware operations.

In the most recent version, the malware's self-protection has been enhanced so that at least five layers of protection run before the malicious code is deployed: a first-stage packer that obfuscates the code of the later stages, a shellcode loader, a second-stage loader Dynamic Link Library (DLL), intermediate shellcode, and a shellcode downloader. The researchers explained that this layered architecture makes the worm harder to detect and facilitates its lateral movement through networks. The analysis also indicates that Raspberry Robin operators are now collecting more information on their victims than was previously reported. This article continues to discuss the new version of the Raspberry Robin framework.

Dark Reading reports "Raspberry Robin Worm Hatches a Highly Complex Upgrade"
