Raspberry Robin Analysis
Essential information
- Published: 19/11/2024 21:59
- Modified: 20/11/2024 09:29
- Tags: 2024-11-19 CVE-2021-31969 CVE-2024-26229 anti-analysis network-propagation obfuscation privilege-escalation raspberry robin tor usb-spreading
- Related entities: 2 vulnerabilities (cve), 126 observables, 20 techniques (mitre), 2 malware
Description
Raspberry Robin is a malicious downloader first observed in 2021 that has been circulating ever since, spreading primarily through infected USB devices and, once inside an environment, propagating across the network. It stands out for its distinctive binary obfuscation, its extensive use of anti-analysis techniques, and its use of privilege-escalation exploits. The binary is built from multiple code layers, each wrapped in its own set of obfuscation techniques, and it reaches its command-and-control servers over the Tor network.

Its anti-analysis and evasion measures include CPU performance (timing) checks intended to detect emulators and instrumented sandboxes, manipulation of Windows API calls, and registry modifications. To elevate privileges it combines UAC-bypass techniques with local privilege-escalation exploits; the two vulnerabilities linked to this entry are CVE-2021-31969 and CVE-2024-26229. The malware's primary goal is to download and execute further payloads on the compromised host, and it collects extensive system information about that host before requesting the payload.
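The CPU performance check mentioned above is a timing-based anti-analysis technique: a fixed workload is timed, and a host that runs it far slower than real hardware (an emulator or a heavily instrumented sandbox) is treated as an analysis environment. The following is an added, generic illustration of that technique, written for this page; it is not Raspberry Robin's code, and the iteration count and the nanosecond threshold are assumptions chosen for illustration rather than values taken from the malware.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Generic timing-based anti-analysis check (illustrative, not Raspberry
   Robin's own implementation). The idea: time a fixed, deterministic
   workload and treat an unexpectedly slow run as a sign of emulation or
   instrumentation. */

/* Fixed arithmetic workload. Returns a checksum so the compiler cannot
   optimise the loop away and so the result is deterministic and testable. */
uint64_t perf_workload(uint32_t iterations) {
    uint64_t acc = 0x9E3779B97F4A7C15ULL;   /* arbitrary non-zero seed */
    for (uint32_t i = 0; i < iterations; i++) {
        acc ^= acc << 13;                   /* xorshift-style mixing */
        acc ^= acc >> 7;
        acc ^= acc << 17;
        acc += i;
    }
    return acc;
}

/* Monotonic wall-clock reading in nanoseconds (POSIX clock_gettime). */
static uint64_t monotonic_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Time the workload; returns elapsed nanoseconds and, optionally, the
   workload checksum through the out-parameter. */
uint64_t time_workload(uint32_t iterations, uint64_t *checksum) {
    uint64_t start = monotonic_ns();
    uint64_t c = perf_workload(iterations);
    uint64_t elapsed = monotonic_ns() - start;
    if (checksum) *checksum = c;
    return elapsed;
}

/* Returns 1 if the host ran the workload slower than threshold_ns, which the
   check interprets as "probably being analysed". The threshold is an
   assumption for this example; a real sample would calibrate it. */
int looks_analysed(uint32_t iterations, uint64_t threshold_ns) {
    return time_workload(iterations, NULL) > threshold_ns ? 1 : 0;
}

int main(void) {
    const uint32_t iters = 10000000u;          /* assumed workload size */
    const uint64_t threshold = 200000000ULL;   /* assumed 200 ms budget */
    uint64_t sum;
    uint64_t ns = time_workload(iters, &sum);
    printf("checksum=%016llx elapsed=%llu ns -> %s\n",
           (unsigned long long)sum, (unsigned long long)ns,
           looks_analysed(iters, threshold) ? "SLOW (analysis suspected)"
                                            : "fast (looks like real hardware)");
    return 0;
}
```

For the analyst, the practical consequence is that single-stepping, heavy API hooking, or running under a slow emulator can change the sample's behaviour before any payload is requested; stepping over the timing region, patching the comparison, or hooking the clock source are the usual ways to neutralise this class of check.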