The Raspberry Robin worm is incorporating one-day exploits almost as soon as they’re developed, in order to improve on its privilege escalation capabilities.
Researchers from Check Point suspect that the developers behind the initial access tool are contracting with Dark Web exploit traffickers, allowing them to quickly incorporate new exploits for obtaining system-level privileges before such exploits are disclosed to the public, and before many affected organizations have gotten around to patching their associated vulnerabilities.
“It’s a very powerful piece of the program that gives the attacker much more ability in terms of evasion, and performing higher-privileged actions than they could in any other scenario,” explains Eli Smadja, group manager for Check Point.
Raspberry Robin: Incorporating Exploits Faster Now
Raspberry Robin was first discovered in 2021, and outed in a Red Canary blog post the following year. In the time since, its developers have become much more proactive, upgrading their tool in a fraction of the time they used to take.
Consider, for example, an early upgrade: when it incorporated an exploit for CVE-2021-1732, a privilege escalation vulnerability with a “high” 7.8 out of 10 score on the CVSS scale. The Win32k Windows driver bug was first disclosed in February of 2021, but it was only integrated into Raspberry Robin the following year.
Contrast that with another privilege escalation vulnerability from this past June: CVE-2023-29360, a “high” 8.4 out of 10 bug in Microsoft Stream’s streaming service proxy. Raspberry Robin was already exploiting it by August, while a public exploit wouldn’t come to light until the following month.
Then there was CVE-2023-36802, a similar bug in Microsoft Stream with a 7.8 CVSS rating. First disclosed on September 12, it was being exploited by Raspberry Robin by early October, again before any public exploit was released (the developers don’t deserve too much credit in this case, as an exploit had been available on the Dark Web since February.)
In other words, the progression of the time the group takes to weaponize vulnerabilities after disclosure has gone from one year, to two months, to two weeks.
To explain their quick work, Check Point suggests that the worm developers are either purchasing their exploits from one-day developers on the Dark Web, or developing them themselves. Certain misalignments between the worm and exploit codes suggest that the former scenario is more likely.
A Widespread, Effective Initial Access Cyber Threat
In only its first year active, Raspberry Robin was already one of the world’s most popular worms, with thousands of infections per month. Red Canary tracked it as the seventh most prevalent threat of 2022, with its numbers only growing month-over-month.
Nowadays, Raspberry Robin is a popular initial access option for threat actors like Evil Corp, TA505, and more, contributing to major breaches of public and private sector organizations.
“Most top malwares listed today are using worms to spread in networks because it’s very helpful — it saves a lot of hard work of developing these capabilities yourself,” Smadja explains. “For example, initial access to a system, bypassing security, and command-and-control infrastructure — you just need to buy it, combine it, and it makes your job much easier.”
This is especially true, he adds, “because tools like Raspberry Robin keep improving, using new zero-days and one-days, improving their infrastructure, and their evasion techniques. So I think it will never disappear. It’s an amazing service for an attacker.”
