Saturday, December 7, 2024
HomeCyber Security NewsRaspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin Employs TOR Network For C2 Servers Communication

Published on

SIEM as a Service

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection and analysis by infiltrating systems primarily via USB drives, utilizing the TOR network for covert communication with its C2 servers. 

The malware’s multi-layered structure and extensive use of anti-analysis methods hinder security measures.

Raspberry Robin poses a significant threat by exploiting system vulnerabilities and propagating through networks, often serving as a conduit for deploying other malicious payloads like Bumblebee. 

- Advertisement - SIEM as a Service

It employs a multi-layered obfuscation technique to evade detection and begins with anti-analysis checks, including code emulation detection and write-combining techniques to identify virtual environments. 

Raspberry Robin return address patching.

Then it decompresses and decrypts subsequent layers, each with its own set of obfuscation methods.

If any anti-analysis check fails, a decoy payload is executed to divert attention from the malicious core.

The final layer, once decrypted, contains the core payload, which is typically a backdoor or information stealer.

The sixth layer of Raspberry Robin employs various anti-analysis techniques to evade detection, which checks for common analysis environments, virtual machines, and debuggers.

If any suspicious activity is detected, the layer executes a decoy payload. Otherwise, it decrypts and executes the final stage, marking the successful bypass in the Process Environment Block.

It leverages a multi-layered obfuscation approach to hinder analysis by employing advanced techniques like control flow flattening, bogus control flow, string encryption, and indirect calls. 

To further complicate the analysis, it incorporates complex key derivation and dependency chains, requiring the resolution of global variables and function parameters, where these layers of obfuscation make it challenging to reverse engineer the malware’s behavior and identify its malicious intent.

 Diagram of the multi-layered architecture of Raspberry Robin.

There are various techniques for persistence, propagation, and evasion, which employ registry manipulation, file system operations, and process injection to establish persistence. For propagation, it targets remote desktop sessions and network shares. 

To evade detection, it uses anti-debugging techniques, process hiding, and obfuscation, modifies system settings, and disables security features to hinder analysis. 

Legitimate tools like PsExec and PAExec propagate laterally within a network, generating self-extracting payloads using IExpress and executing them on compromised hosts. 

To elevate privileges, it employs various UAC bypass techniques and exploits, including CVE-2024-26229 and CVE-2021-31969, which also modify firewall rules and add exclusions to evade detection. 

The malware’s modular design and use of legitimate tools make it resilient and difficult to detect, while the TOR network for anonymous communication initially uses a legitimate onion domain to establish a secure channel. 

It then injects malicious code into a system process, using techniques like process hollowing and APC injection, which downloads and executes a payload and is encrypted and obfuscated to evade detection. 

According to Zscaler, it collects extensive system information, including network details, hardware specifications, and software installations, and sends it to a C2 server by modifying the initial executable file to generate a unique identifier for the infected host.

Are you from SOC/DFIR Teams? – Analyse Malware & Phishing with ANY.RUN -> Try for Free

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...