Tracking Updates to Raspberry Robin
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Raspberry Robin, an advanced malware downloader active since 2021, has undergone significant updates. The malware now employs improved obfuscation, including multiple initialization loops and obfuscated stack pointers, which makes analysis more difficult. It has switched its network encryption from AES-CTR to ChaCha20 and added a new local privilege escalation exploit (CVE-2024-38196). It embeds invalid Tor onion domains as C2 servers alongside a dynamic correction algorithm for them. Further updates include expiration dates embedded in the binary and varied memory mapping for inter-module communication. These changes show Raspberry Robin's continued evolution and its developers' effort to evade detection and hinder reverse engineering.
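Because the binary embeds onion domains that are deliberately invalid, an analyst triaging strings pulled from a sample needs a way to tell a structurally valid v3 onion address from a decoy or a not-yet-corrected one. The validator below is an added example written for this page; it is not code from the report, the OpenCTI instance, or the malware, and it does not reproduce the malware's correction algorithm, which the summary does not describe. It implements the public Tor v3 onion address format (base32 of pubkey || 2-byte SHA3-256 checksum || version byte 0x03), and the addresses it checks are constructed in the test rather than taken from a real sample.

```python
"""Classify candidate Tor v3 onion addresses extracted from a sample.

Format (Tor rend-spec-v3):
    onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
    CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    VERSION       = 0x03
A well-formed address is 56 base32 characters before ".onion".
"""
import base64
import binascii
import hashlib

ONION_VERSION = 3
CHECKSUM_PREFIX = b".onion checksum"
HOST_LEN = 56  # 35 bytes * 8 / 5 bits per base32 char


def _checksum(pubkey: bytes, version: int) -> bytes:
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + bytes([version])).digest()[:2]


def make_onion_v3(pubkey: bytes) -> str:
    """Build a well-formed v3 address from a 32-byte Ed25519 public key.

    Used here only to construct test vectors; any 32 bytes produce a
    structurally valid address even if no hidden service exists for it.
    """
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey, ONION_VERSION) + bytes([ONION_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def onion_v3_status(address: str) -> str:
    """Return one of: valid, bad-length, bad-base32, bad-version, bad-checksum.

    The distinct failure reasons matter for triage: a bad-length or
    bad-base32 string is likely a decoy or a placeholder, whereas a
    bad-checksum or bad-version string is one character-flip away from a
    usable address and is worth a closer look.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != HOST_LEN:
        return "bad-length"
    try:
        raw = base64.b32decode(host.upper())
    except binascii.Error:
        return "bad-base32"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != ONION_VERSION:
        return "bad-version"
    if checksum != _checksum(pubkey, version):
        return "bad-checksum"
    return "valid"


def is_valid_onion_v3(address: str) -> bool:
    return onion_v3_status(address) == "valid"


def classify_candidates(candidates) -> dict:
    """Map each candidate string to its status, e.g. for a strings dump."""
    return {c: onion_v3_status(c) for c in candidates}


if __name__ == "__main__":
    # Constructed demo inputs (hypothetical, not from any real sample).
    good = make_onion_v3(bytes(range(32)))
    host = good[: -len(".onion")]
    samples = [
        good,
        host[:-1] + "a.onion",            # version byte altered
        "a" * 16 + ".onion",              # old-style length, not v3
        "0" * HOST_LEN + ".onion",        # '0' is not a base32 digit
    ]
    for addr, status in classify_candidates(samples).items():
        print(f"{status:13} {addr}")
```

Every valid v3 address ends in the base32 character "d" before ".onion" because the trailing five bits of the stream are the low bits of the version byte 0x03; that single observation is a cheap first filter before running the checksum.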
OPENCTI LABELS :
downloader,obfuscation,evasion,tor,encryption,raspberry robin,privilege-escalation,roshtyak,cve-2024-38196,usb-spread