Researchers reveal ~200 unique C2 domains related to Raspberry Robin access broker

March 25, 2025Red LakshmananIntelligence threats / malicious software

A new investigation has uncovered nearly 200 unique command-and-control (C2) domains associated with a malware called Raspberry Robin.

“Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to many criminal groups, many of which are connected with Russia,” Silent Push said in a report shared with The Hacker News.

Since its appearance in 2019, the malware has become a conduit for various malicious strains such as SocGholish, Dridex, LockBit, IcedID, BumbleBee and TrueBot. It is also called the QNAP worm because of its use of compromised QNAP devices to retrieve the payload.

Over the years, Raspberry Robin attack chains have added a new distribution method that involves downloading the malware via archives and Windows files sent as attachments using the messaging service Discord, not to mention acquiring one-day exploits to achieve local privilege escalation before they were publicly disclosed.

There is also some evidence to suggest that the malware is offered to other actors as a pay-per-install (PPI) botnet for delivering next-stage malware.

In addition, Raspberry Robin infections have incorporated a USB-based propagation mechanism that involves a compromised USB drive containing a Windows shortcut (LNK) file, disguised as a folder, that activates deployment of the malware.

The U.S. government has since disclosed that the Russian nation-state threat actor tracked as Cadet Blizzard may have used Raspberry Robin as an initial access facilitator.

Silent Push, in its latest analysis conducted together with Team Cymru, found one IP address that was used as a relay to connect all the compromised QNAP devices, which eventually led to the discovery of more than 180 unique C2 domains.

“One IP address was connected through Tor relays, which is probably how the network operators issued new commands and interacted with compromised devices,” the company said. “The IP used for this relay was in the EU country.”

A deeper investigation of the infrastructure has revealed that the Raspberry Robin C2 domains are short, e.g., q2(.)rs, m0(.)wf, and 2i(.)pm, and are rotated through IPs using a technique called fast flux in an attempt to make them difficult to take down.

Some of the top Raspberry Robin top-level domains (TLDs) are .wf, .pm, .re, .nz, .eu, .gy, .tw and .cx, with domains registered using niche registrars such as Sarek Oy, 1API GmbH, NETIM, Epag(.)de, Central Ltd and Open. Most of the C2 domains have name servers at a Bulgarian company named ClouDNS.

“The use of Raspberry Robin by Russian government threat actors is consistent with its history of working with countless other threat actors, many of which are connected with Russia,” the company said. “These include LockBit, Dridex, SocGholish, DEV-0206, Evil Corp (DEV-0243), Fauppod, FIN11, Clop Gang and Lace Tempest (TA505).”
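The domain traits described above (very short labels, a small set of TLDs, many resolving IPs) can be turned into a DNS-log hunting heuristic. The following is an added example, not code from Silent Push or the article; the log format, the two-character length limit, the distinct-IP threshold and the public-suffix skip list are all assumptions.

```python
import re
from collections import defaultdict

# TLDs the article lists as most used by Raspberry Robin C2 domains.
RR_TLDS = {"wf", "pm", "re", "nz", "eu", "gy", "tw", "cx"}
MAX_LABEL_LEN = 2  # assumption: "short" = the 2-character labels in the article's examples
FLUX_MIN_IPS = 3   # assumption: distinct answer IPs per domain that suggest fast flux
# Assumption: second-level public suffixes (co.nz, com.tw, ...) to skip, so that
# "shop.co.nz" is not mistaken for the short domain "co.nz".
PUBLIC_SLDS = {"co", "ac", "com", "net", "org", "gov", "edu", "idv"}

# Constructed log format: <time> <client> <qname> A <ttl> <answer-ip>
LINE_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+A\s+\d+\s+(\S+)$")

def profile_domain(qname):
    """Return the registrable domain if qname fits the short-label/TLD profile, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    label, tld = labels[-2], labels[-1]
    if tld in RR_TLDS and len(label) <= MAX_LABEL_LEN and label not in PUBLIC_SLDS:
        return f"{label}.{tld}"
    return None

def hunt(log_lines):
    """Group profile-matching lookups by domain and flag those resolving to many IPs."""
    hits = defaultdict(lambda: {"clients": set(), "ips": set()})
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines and non-A records
        client, qname, ip = m.groups()
        domain = profile_domain(qname)
        if domain:
            hits[domain]["clients"].add(client)
            hits[domain]["ips"].add(ip)
    return {d: {**v, "fast_flux": len(v["ips"]) >= FLUX_MIN_IPS} for d, v in hits.items()}

# Constructed sample: documentation IP ranges; m0.wf and 2i.pm are the article's examples.
SAMPLE_LOG = [
    "2025-03-25T10:00:01Z 10.0.0.5 m0.wf A 60 192.0.2.10",
    "2025-03-25T10:05:01Z 10.0.0.5 m0.wf A 60 198.51.100.7",
    "2025-03-25T10:10:01Z 10.0.0.9 cdn.m0.wf A 60 203.0.113.44",
    "2025-03-25T10:11:00Z 10.0.0.7 2i.pm A 300 192.0.2.99",
    "2025-03-25T10:12:00Z 10.0.0.7 shop.co.nz A 3600 192.0.2.50",
    "2025-03-25T10:13:00Z 10.0.0.8 www.example.eu A 3600 192.0.2.51",
]

if __name__ == "__main__":
    for domain, info in sorted(hunt(SAMPLE_LOG).items()):
        print(domain, sorted(info["clients"]), len(info["ips"]), info["fast_flux"])
```

The TLD set covers only the TLDs the article names, so a short domain on another TLD (such as the article's q2(.)rs example) is not matched; a hit is a lead for triage, since legitimate short domains and CDN-backed names can show the same pattern.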
