CTI Roundup: Raspberry Robin, USB Malware Update, and Ransomware Victims on the Rise

In this week’s roundup, CTI provides an update on the Raspberry Robin worm, which continues to evolve and exploit vulnerabilities. Next up, CTI investigates a financially motivated threat actor tracked as UNC4990 which has been observed using USB devices for initial access in various campaigns. Finally, CTI looks at Palo Alto’s latest ransomware retrospective for 2023.

1. Raspberry Robin malware exploits vulnerabilities

Check Point Research has observed the Raspberry Robin worm leveraging two new 1-day local privilege escalation exploits before they were publicly disclosed.

Besides exploiting vulnerabilities, Raspberry Robin has also changed many of its TTPs to avoid being caught by behavioral signatures based on its previous version.

What is Raspberry Robin?

• Raspberry Robin is a worm that is typically spread via USB drives. The malware relies on msiexec.exe to reach out to its infrastructure and download a malicious DLL.
• Raspberry Robin was first discovered in 2021 and its TTPs have been evolving ever since. It acts as an IAB, or initial access broker, to other malware families across the ecosystem. Because of this, many different threat groups have been associated with Raspberry Robin.
• Check Point Research has been observing large waves of Raspberry Robin attacks against their customers since October. The most significant observation is the malware’s continued use of various exploits for vulnerabilities either before or shortly after they are publicly disclosed.
• In previous Raspberry Robin attacks, the malware used several different initial access vectors, with the most common being an LNK disguised as a USB or network share.

How Raspberry Robin exploits vulnerabilities

Raspberry Robin has many ways to escalate privileges, one of which is the use of kernel local privilege escalation exploits. These exploits are encrypted and stored and are only leveraged if the device is vulnerable to those exploits. In more recent samples the malware injects the kernel exploits into cleanmgr.exe and inserts a unique loader that resides in memory and loads an external PE that is actually the exploit.

The malware recently exploited CVE-2023-36802 which is a vulnerability within the Microsoft Streaming Service Proxy that allows for escalated privileges to SYSTEM. The exploit for this vulnerability was observed being sold on Dark Web forums in February 2023 but was not publicly disclosed and patched until September 2023. Just a few weeks later, Raspberry Robin began using the exploit in its attacks.

Latest updates to Raspberry Robin

The general flow of Raspberry Robin has remained mostly unchanged. Multiple stages of the malware are stored in memory in a custom format and the code is heavily obfuscated in all stages including the payload itself. The malware has added some new anti-analysis methods that are used to determine if it should get the main stage or not in various stages.

The malware has also added some new evasion capabilities:

• The first technique is a shutdown evasion technique that ensures the malware is not stopped when a system shutdown occurs.
• The next is a remote desktop check that will simply check if the victim is on a remote desktop or not.
• The last is the ability to stop running in case of a UWF filter driver.

The malware changed its lateral movement logic just slightly, pivoting to use PAExec.exe instead of PsExec.exe.

Lastly, Raspberry Robin’s communication method has changed. It now will begin to contact legitimate tor domains and check to see if it gets a response or not. If it does not get a response, it will not try to communicate with the real C2 servers.

Analyst comments from Tanium’s Cyber Threat Intelligence team

We first covered Raspberry Robin in January 2023. It has since remained a prominent threat over the last year or so, partly due to its ability to evolve and change its TTPs rapidly.

Raspberry Robin has been quick to rotate and pivot to different exploits, especially those that have either not yet been publicly disclosed or those that were disclosed recently.

It’s still up for debate as to how they can continually get their hands on these exploits. It could be that they have developed the exploits themselves or simply have connections to those who develop the exploits. Either way, Raspberry Robin has continually proved its adaptability.

2. Hackers use news and media hosting sites to spread USB malware payloads

A financially motivated threat actor tracked as UNC4990 has been observed in campaigns using USB devices for initial access.

The threat actor abuses legitimate platforms like GitHub, Vimeo, and Ars Technica to host encoded payloads embedded in benign content. The threat actor also hides payloads in plain sight by placing them in forum user profiles on tech news websites or in video descriptions on media hosting platforms.

What is UNC4990?

UNC4990 has been tracked by Mandiant as an actor that primarily leverages USB devices for initial access.

The threat actor has recently engaged in a campaign that is believed to have been ongoing since at least 2020. In addition to relying on USB devices for initial access, the actor is continually evolving their TTPs, moving now towards hosting payloads on popular and legitimate platforms.

Initial access

As noted, this threat actor begins with USB devices for initial access. Mandiant observed the infection beginning when a victim double-clicked on a malicious LNK shortcut file on a removable USB device.

The name of this LNK file was typically the name of the vendor of the device with the storage size in brackets. This name was paired with the icon of the Microsoft Windows default icon to look more legitimate. Clicking the file launches the PowerShell script explorer.ps1.

About the PowerShell script

Researchers identified multiple iterations of this PowerShell script. This script is responsible for downloading and decoding an additional payload, which was often the EMPTYSPACE downloader.

In some variants, the script was updated with an intermediary stage hosted on GitHub. Recent variants of the PowerShell script were loaded into memory as a reverse Base64 encoded string.

Once the EMPTYSPACE downloader has been downloaded, the PowerShell script will check in a loop for the existence of python.exe and will execute the newly downloaded malware every second if python.exe is not present.

UNC4990 pivots to legitimate platforms

The threat actor pivoted from GitHub to Vimeo for its payload hosting at some point in 2023. With Vimeo, the encoded payload is included in the description of a Pink Floyd video that was uploaded to Vimeo in March of 2023. The script fetches the Vimeo JSON blob that contains the payload between certain delimiter characters. This payload is then decrypted before being executed.

In November 2023, the threat actor pivoted again related to its C2. Once the Vimeo video was formally taken down, the threat actor started using the tech news site known as Ars Technica.

The script, explorer.ps1, was updated to include a hard-coded URL to an Ars Technica site. The same technique was used with Ars Technica as was used with Vimeo, with the main difference being that the encoded blob was instead appended to the image URL within the “about” section of a specific user profile.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This campaign is another example of how threat actors are looking for new methods to evade detection and operate under the radar.

This campaign specifically makes use of legitimate platforms like GitHub, Vimeo, and tech news sites that would not typically raise suspicion if a user visited. The technique of embedding payloads within legitimate sites and content can allow a threat actor to blend in with legitimate traffic and make it difficult to detect.

Because Mandiant observed this campaign evolving over several months, it would be unsurprising to see this threat actor continue to evolve its TTPs in the near future.

3. Palo Alto reports a 49% increase in ransomware victims

Palo Alto has released its ransomware retrospective for 2023. The key takeaway is there was a 49% increase in ransomware victims last year, as reported by ransomware leak sites.

Critical vulnerabilities

Palo Alto identified 3,998 posts on ransom leak sites compared to only 2,679 in 2022 (a 49% increase).

They attribute this significant increase to the many zero-day exploits that were uncovered throughout the year. Some of the top contributors include the GoAnywhere vulnerability and the MOVEit vulnerability.

Ransomware newcomers

Palo Alto identified 25 new leak sites in 2023 including:

1. 8Base
2. Abyss
3. Akira
4. BlackSuit
5. Cactus
6. CiphBit
7. Cloak
8. CrossLock
9. CryptNet
10. Cyclops
11. DarkRace
12. Hunters International
13. INC
14. Knight
15. LostTrust
16. NoEscape
17. Meow
18. Money Message
19. RA Group
20. Rancoz
21. Rasomed.Vc
22. Rhysida
23. ThreeAM
24. Trigona
25. U-bomb

Of these 25 newcomers, at least five of them did not appear to have any posts in the second half of 2023 and roughly 12 of them did not appear at all until the second half of the year. These ransomware newcomers contributed to about 25% of the total ransomware posts from 2023.

Ceased activity

Several ransomware operations seemingly ceased activity sometime in 2023. The reason for the ceased activity was sometimes due to law enforcement takedowns, the seizure of infrastructure, and the arrests of key individuals.

Some of the groups that appeared to stop operating sometime during 2023 include Hive, Ragnar Locker, Ransomed.Vc, and Trigona.

Statistics

• LockBit was found to be the most active group for 2023, accounting for about 23% of the total leak site posts.
• LockBit was followed by BlackCat at 9.7% and CL0P at 9.1%.
• On average, there were about 77 posts per week throughout the year, with the top month being July due to the MOVEit vulnerability.
• The manufacturing industry was the most targeted sector in 2023 with 14% of total posts. This was followed by the professional and legal sectors and then by the technology sector.
• The U.S. was the top targeted geographic region, accounting for about 47% of posts.

Analyst comments from Tanium’s Cyber Threat Intelligence team

There is a lot to unpack from Palo Alto’s analysis. The overarching theme is that ransomware is continuing to trend upward — even as ransomware groups come and go.

An important piece of their research is how much the ransomware landscape was impacted by zero-day exploits and the targeting of critical vulnerabilities. This data point is interesting because the impact of a vulnerability spans much wider than just ransomware attacks, but we can now understand just how much of an impact it has on one aspect of the cyber threat landscape.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.