
Raspberry Robin: Latest Updates and Improvements

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

Raspberry Robin, a malicious downloader active since 2021, has undergone significant updates. It now employs improved obfuscation methods, including multiple initialization loops and flattened control flow, which make brute-force decryption of its protected code less effective. The network encryption algorithm has shifted from AES-CTR to ChaCha20. A new local privilege escalation exploit (CVE-2024-38196) has been added to gain elevated privileges on targeted systems. The malware now embeds invalid command-and-control (C2) server domains using Tor onion addresses, complicating the extraction of Indicators of Compromise. Certain values, such as the RC4 key seed, are randomized per sample or campaign. Despite limited public attention, Raspberry Robin remains a significant threat because of its continuous improvements and evasion tactics.

OPENCTI LABELS:

usb,downloader,obfuscation,tor,encryption,raspberry robin,privilege-escalation,roshtyak,cve-2024-38196



