Recent attacks documented in previous months seem to be orchestrated by hacking groups using a framework called Raspberry Robin. This well-designed automated framework allows attackers post-infection capabilities to evade detection, move laterally and leverage trusted cloud infrastructures of known data hosting providers such as Discord, Azure & Github, among rest.
Threat researchers Felipe Duarte, Charles Lomboni & Shlomit Chkool, responded to similar incidents twice this month and in each case were able to dissect the downloader from its parent wrapper and unveil the malware which pointed to the aforementioned Raspberry Robin framework.
What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble. Dynamically peeling back one layer at a time, the researchers were ultimately able to find the inner config of the malware and get the Indicators of Compromise (IOCs) contained within it. Reading recent articles from TrendMicro & Microsoft, the researchers were able to successfully attribute the attack to Raspberry Robin, as the IOCs overlapped with the Raspberry Robin infrastructure and Tactics, Techniques & Procedures (TTPs). In both attacks, the same IP address stood out - 85.56.236[.]45.
The IP address was spotted by @1ZRR4H, researcher at cybersecurity firm CronUp, who linked it to a Cybereason article. In his tweet he also mentions the use of a QNAP server, which is the technology behind the infamous IP address.
"The difference between what we saw in our investigation comparing to previously documented research is that Raspberry Robin operators suddenly began to collect much more data about their victims", said Threat Researcher, Charles Lomboni.
"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4 encrypted payload," added Senior Threat Researcher Felipe Duarte, who led the investigation along with the company's CEO & Founder, Ido Naor.
Security Joes incident response team has learned that hacking groups are using a new version of Raspberry Robin to attack financial institutes in Europe.
#CyberEspionage #DataStealing #Campaign #Europe #Finance #Analysis #IoCs