Cyber Security News

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection and analysis by infiltrating systems primarily via USB drives, utilizing the TOR network for covert communication with its C2 servers. 

The malware’s multi-layered structure and extensive use of anti-analysis methods hinder security measures.

Raspberry Robin poses a significant threat by exploiting system vulnerabilities and propagating through networks, often serving as a conduit for deploying other malicious payloads like Bumblebee. 

It employs a multi-layered obfuscation technique to evade detection and begins with anti-analysis checks, including code emulation detection and write-combining techniques to identify virtual environments. 

Raspberry Robin return address patching.

Then it decompresses and decrypts subsequent layers, each with its own set of obfuscation methods.

If any anti-analysis check fails, a decoy payload is executed to divert attention from the malicious core.

The final layer, once decrypted, contains the core payload, which is typically a backdoor or information stealer.

The sixth layer of Raspberry Robin employs various anti-analysis techniques to evade detection, which checks for common analysis environments, virtual machines, and debuggers.

If any suspicious activity is detected, the layer executes a decoy payload. Otherwise, it decrypts and executes the final stage, marking the successful bypass in the Process Environment Block.

It leverages a multi-layered obfuscation approach to hinder analysis by employing advanced techniques like control flow flattening, bogus control flow, string encryption, and indirect calls. 

To further complicate the analysis, it incorporates complex key derivation and dependency chains, requiring the resolution of global variables and function parameters, where these layers of obfuscation make it challenging to reverse engineer the malware’s behavior and identify its malicious intent.

Diagram of the multi-layered architecture of Raspberry Robin.

There are various techniques for persistence, propagation, and evasion, which employ registry manipulation, file system operations, and process injection to establish persistence. For propagation, it targets remote desktop sessions and network shares. 

To evade detection, it uses anti-debugging techniques, process hiding, and obfuscation, modifies system settings, and disables security features to hinder analysis. 

Legitimate tools like PsExec and PAExec propagate laterally within a network, generating self-extracting payloads using IExpress and executing them on compromised hosts. 

To elevate privileges, it employs various UAC bypass techniques and exploits, including CVE-2024-26229 and CVE-2021-31969, which also modify firewall rules and add exclusions to evade detection. 

The malware’s modular design and use of legitimate tools make it resilient and difficult to detect, while the TOR network for anonymous communication initially uses a legitimate onion domain to establish a secure channel. 

It then injects malicious code into a system process, using techniques like process hollowing and APC injection, which downloads and executes a payload and is encrypted and obfuscated to evade detection. 

According to Zscaler, it collects extensive system information, including network details, hardware specifications, and software installations, and sends it to a C2 server by modifying the initial executable file to generate a unique identifier for the infected host.

Are you from SOC/DFIR Teams? – Analyse Malware & Phishing with ANY.RUN -> Try for Free

Aman Mishra

Recent Posts

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 hours ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 hours ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

3 hours ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

8 hours ago

DOJ Asks Google to Sell $20 Billion Worth Chrome to End Monopoly

In a dramatic escalation of its antitrust lawsuit against Google, the U.S. Department of Justice…

9 hours ago

US Seizes PopeyeTools Cybercrime Platform & Arrested Admins

The U.S. Department of Justice (DOJ) announced the seizure of the illicit PopeyeTools platform, a…

11 hours ago