In a significant development, cybersecurity firm Silent Push has identified nearly 200 unique command and control (C2) domains associated with the Raspberry Robin malware.
This discovery sheds new light on the infrastructure used by this sophisticated threat actor group, which has evolved from a USB worm to a formidable initial access broker (IAB) for various cybercriminal entities, including Russian state-sponsored actors.

Collaboration Reveals Complex Network
Silent Push’s research, conducted in partnership with Team Cymru, has mapped out Raspberry Robin’s C2 infrastructure, revealing a single IP address that connects the entire network of compromised devices.
This finding is crucial for understanding the group’s operations and for identifying potential weak points in its communication chain.
The threat actor group, also known as Roshtyak or Storm-0856, has been active since 2019 and has significantly transformed its tactics.
Initially spreading through infected USB drives in print and copy shops, Raspberry Robin now targets hardened corporate networks, selling access to other threat groups, including the Russian GRU’s Unit 29155.

Evolving Attack Methodologies and Global Reach
Raspberry Robin’s attack methods have diversified over time.
Recent observations include the use of archive files distributed via Discord attachments, web downloads of Windows Script Files, and the exploitation of N-day vulnerabilities in QNAP and IoT devices.
This adaptability has allowed the group to maintain a global presence, with victims reported across various industries and countries.
The group’s infrastructure relies heavily on compromised QNAP and IoT devices, using a network of lower-reputation two-letter top-level domains (TLDs) registered through multiple niche registrars.
This approach, combined with the use of Tor for communication, presents significant challenges for defenders and law enforcement agencies attempting to disrupt the group’s operations.
Silent Push’s research highlights the importance of collaborative efforts in tracking and mitigating threats like Raspberry Robin.
As the group continues to evolve and provide services to various threat actors, including state-sponsored entities, the cybersecurity community must remain vigilant and share intelligence to combat this persistent threat effectively.