Raspberry Robin

Malware Profile Updated 9 days ago
Download STIX
Preview STIX
Raspberry Robin is a sophisticated malware that has been designed to exploit and damage computer systems. This malicious software infiltrates the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded, Raspberry Robin can steal personal information, disrupt operations, or even hold data hostage for ransom. It utilizes the CPUID instruction for several checks, and employs a unique method involving flags to perform certain tasks, demonstrating its advanced capabilities. In October 2023, Raspberry Robin began exploiting CVE-2023-36802, an identified vulnerability. This marked a significant evolution in the malware's attack strategy, as it indicated the use of known exploits to further its reach and effectiveness. Furthermore, the malware was observed using different strategies at various execution stages, highlighting its dynamic and adaptable nature. Most notably, Raspberry Robin was spotted using two new 1-day Local Privilege Escalation (LPE) exploits, as reported by Security Affairs. This development underscores the speed and agility of the operators behind Raspberry Robin, who are known for their ability to quickly exploit n-day vulnerabilities, particularly those affecting Windows systems. According to Ravisankar Ramprasad, a threat researcher at Menlo Security, this rapid exploitation of vulnerabilities is a signature trait of the Raspberry Robin operators, making them a formidable threat in the cybersecurity landscape.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Evil Corp
2
Evil Corp, a threat actor group based in Russia, has been identified as a significant cybercrime entity responsible for the execution of malicious actions. The alleged leader of this group is Maksim Yakubets, who is notably associated with Dridex malware operations. The U.S. Treasury imposed sanctio
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Worm
Exploit
Windows
Exploits
Payload
Vulnerability
Loader
Github
Downloader
Sandbox
Antivirus
Cobalt Strike
RaaS
Zero Day
Malware Loader
Cybercrime
Trojan
Poc
Known Exploi...
Malware Drop...
Manufacturing
T1091
Evasive
Lateral Move...
Papercut
Mft
Microsoft
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
SocgholishUnspecified
3
SocGholish is a malicious software (malware) known for its ability to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. Notably, in 2023, several distinct website malware campaigns were identified to serve SocGholish malw
LockbitUnspecified
3
LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
TruebotUnspecified
3
Truebot is a highly potent malware used by the threat actor group CL0P, which has been linked to various malicious activities aimed at exploiting and damaging computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded,
ClopUnspecified
3
Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
Stately TaurusUnspecified
2
Stately Taurus, also known as Mustang Panda, Bronze President, Red Delta, LuminousMoth, Earth Preta, and Camaro Dragon, is a potent malware linked to Chinese Advanced Persistent Threat (APT) activities. The first signs of its operation date back to at least 2012, with notable activity traced to Marc
QbotUnspecified
2
Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs
IcedIDUnspecified
2
IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
BumblebeeUnspecified
2
Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam
QakBotUnspecified
2
Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
PinkslipbotUnspecified
1
Pinkslipbot, also known as Qakbot, QBot or QuackBot, is a modular information-stealing malware that has been active since 2008. Initially emerging in 2007 as a banking trojan, it targeted financial institutions to steal sensitive data. Over the years, however, its functionality evolved and diversifi
GootloaderUnspecified
1
GootLoader is a potent malware that forms part of the GootKit malware family, which has been active since 2014. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Its primary targets are professionals working in law firms
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Lace TempestUnspecified
2
Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi
TA505Unspecified
2
TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
Camaro DragonUnspecified
2
Camaro Dragon, a Chinese state-sponsored threat actor, has been identified as the source of several cyber attacks on European foreign affairs entities. Checkpoint Research has discovered and analyzed a custom firmware image affiliated with Camaro Dragon, which contained multiple malicious components
GamaredonUnspecified
2
Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been actively tracked since 2013 and is recognized as a significant threat actor in the cybersecurity landscape. Its primary target is Ukraine, against which it deploys an array of home-brewed malware through malicious documents. The E
Aqua BlizzardUnspecified
2
Aqua Blizzard, previously known as ACTINIUM, is a significant threat actor originating from Russia. Recently, Microsoft revamped its naming convention for threat groups, transitioning from all-cap names based on atomic elements to a two-name scheme inspired by storm terminology. Aqua Blizzard has be
Dev-0950Unspecified
1
Lace Tempest, also known as DEV-0950 or TA-505, is a threat actor associated with the deployment of Clop ransomware. This group has been noted for its use of GoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns. Microsoft has attributed recent attacks exploiting t
fin11Unspecified
1
FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. This malicious software is believed to be a variant of another ransomware, CryptoMix, and is typically used by FIN11 to encrypt files on a victim's network after ste
cl0p groupUnspecified
1
The Cl0p group, a threat actor in the cybersecurity landscape, has been responsible for a significant surge in ransomware attacks. This group notably exploited a previously unknown SQL injection (SQLi) vulnerability in MOVEit's file-transfer application to steal data from companies. In 2023, they br
Whisper SpiderUnspecified
1
Whisper Spider, also known as Silence, is a financially motivated threat actor that has been linked to multiple dangerous groups including Evil Corp. This entity has primarily targeted financial institutions in various countries such as Ukraine, Russia, Azerbaijan, Poland, and Kazakhstan. As a threa
Primitive BearUnspecified
1
Primitive Bear, also known as Gamaredon, UAC-0010, and Shuckworm, is a threat actor associated with Russia that has been actively targeting Ukraine for over a decade. This group has primarily focused on organizations within government, defense, and critical infrastructure sectors. Since our update i
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
CVE-2023-29360Unspecified
3
None
CVE-2022-31199Unspecified
2
CVE-2022-31199 is a critical remote code execution (RCE) vulnerability discovered in Netwrix Auditor, a widely-used software for on-premises and cloud-based IT system auditing. This flaw in the software's design or implementation allows cyber threat actors to exploit it and gain unauthorized access
CVE-2023-27350Unspecified
1
CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter
CVE-2023-27351Unspecified
1
None
CVE-2021-1732Unspecified
1
CVE-2021-1732 is a software vulnerability, specifically a flaw in the design or implementation of Microsoft's Windows 10 systems. This vulnerability exposes the system to an elevation of privilege threat, where an attacker could potentially gain higher-level permissions on the system and carry out m
CVE-2023-36802Unspecified
1
CVE-2023-36802 is a significant software vulnerability that was identified in the Microsoft Streaming Service Proxy, specifically within Microsoft Stream's streaming service proxy (formerly known as Office 365 Video). This flaw, characterized as an Elevation of Privilege Vulnerability, allows a loca
Source Document References
Information about the Raspberry Robin Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Securityaffairs
2 days ago
Security Affairs Malware Newsletter - Round 3
Securityaffairs
2 days ago
Security Affairs Malware Newsletter - Round 3
Securityaffairs
9 days ago
Security Affairs Malware Newsletter - Round 2
Securityaffairs
16 days ago
Security Affairs Malware Newsletter - Round 1
Securityaffairs
23 days ago
Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
a month ago
Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
a month ago
Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
2 months ago
Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity
3 months ago
Raspberry Robin Morphs, Now Spreads via Windows Script Files
InfoSecurity-magazine
3 months ago
Raspberry Robin Distributed Through Windows Script Files
Securityaffairs
4 months ago
Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs
4 months ago
Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs
4 months ago
Security Affairs newsletter Round 464 by Pierluigi Paganini
CERT-EU
4 months ago
Cybersecurity threats escalate | SC Media | #ransomware | #cybercrime | National Cyber Security Consulting
Securityaffairs
4 months ago
Security Affairs newsletter Round 463 by Pierluigi Paganini
CERT-EU
4 months ago
Cloud Account Attacks Surged 16-Fold in 2023
DARKReading
4 months ago
'Magnet Goblin' Exploits Ivanti 1-Day Bug in Mere Hours