More than 180 unique command-and-control (C2) domains have been used in attacks by the Raspberry Robin threat operation, also tracked as Storm-0856 and Roshtyak, marking its evolution from a Windows worm into an initial access broker, The Hacker News reports.

Although it has been used to deliver numerous malware strains since 2019, Raspberry Robin only recently added archive- and Windows Script File-based downloads to its attack chains, as well as a USB-based distribution mechanism, according to an analysis from Silent Push and Team Cymru. Beyond using a single IP address to connect all of the QNAP devices it had compromised, Raspberry Robin also used short-lived C2 domains that are rotated quickly through fast flux.

"Raspberry Robin's use by Russian government threat actors aligns with its history of working with countless other serious threat actors, many of whom have connections to Russia. These include LockBit, Dridex, SocGholish, DEV-0206, Evil Corp (DEV-0243), Fauppod, FIN11, Clop Gang, and Lace Tempest (TA505)," said the report.
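The two infrastructure patterns above, rapidly rotated short-lived C2 domains and many hosts tied to a single IP, are exactly what a defender hunts for in passive-DNS or resolver logs. The following is an added example written for this page, not code from the report, Silent Push, Team Cymru or The Hacker News. The records, domain names, IPs and thresholds are all constructed placeholders: `fast_flux_candidates` flags names whose low-TTL answers spread across many IPs and /16 prefixes within a time window, and `shared_ip_pivots` surfaces IPs that several distinct names resolve to, the pivot one would use to enumerate relays behind one address.

```python
"""Fast-flux and shared-IP triage over passive-DNS style records.

Added example for this page; not the report's or any vendor's code.
All sample records, names, addresses and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class DnsRecord:
    ts: int        # observation time, unix seconds
    domain: str    # queried name
    ip: str        # resolved A record
    ttl: int       # TTL on the answer


# Constructed sample (placeholders only): one rotating name, one stable name,
# and three names that all resolve to a single IP.
SAMPLE = [
    DnsRecord(0,    "rotating.example",    "203.0.113.10",  60),
    DnsRecord(120,  "rotating.example",    "198.51.100.7",  60),
    DnsRecord(240,  "rotating.example",    "192.0.2.33",    60),
    DnsRecord(360,  "rotating.example",    "203.0.113.77",  60),
    DnsRecord(480,  "rotating.example",    "198.51.100.90", 60),
    DnsRecord(0,    "stable.example",      "192.0.2.5",     3600),
    DnsRecord(3600, "stable.example",      "192.0.2.5",     3600),
    DnsRecord(0,    "relay-one.example",   "203.0.113.200", 300),
    DnsRecord(30,   "relay-two.example",   "203.0.113.200", 300),
    DnsRecord(60,   "relay-three.example", "203.0.113.200", 300),
]


def fast_flux_candidates(records, window=3600, min_ips=4, max_ttl=300, min_prefixes=2):
    """Return {domain: stats} for names whose low-TTL answers, within any
    `window`-second span, use >= `min_ips` distinct IPs spread over
    >= `min_prefixes` distinct /16 networks. Thresholds are assumptions to tune
    against your own resolver baseline; a CDN can look similar, so treat hits
    as triage leads, not verdicts."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.domain].append(r)

    hits = {}
    for domain, recs in by_domain.items():
        low_ttl = sorted((r for r in recs if r.ttl <= max_ttl), key=lambda r: r.ts)
        best = None
        start = 0
        # Sliding window over time-ordered low-TTL answers.
        for end in range(len(low_ttl)):
            while low_ttl[end].ts - low_ttl[start].ts > window:
                start += 1
            ips = {r.ip for r in low_ttl[start:end + 1]}
            prefixes = {int(ip_address(ip)) >> 16 for ip in ips}  # /16 buckets
            if len(ips) >= min_ips and len(prefixes) >= min_prefixes:
                if best is None or len(ips) > len(best[0]):
                    best = (ips, prefixes)
        if best is not None:
            hits[domain] = {"distinct_ips": len(best[0]),
                            "distinct_prefixes": len(best[1])}
    return hits


def shared_ip_pivots(records, min_domains=3):
    """Return {ip: [domains]} for IPs that >= `min_domains` distinct names
    resolve to, i.e. a single address fronting many hosts."""
    domains_by_ip = defaultdict(set)
    for r in records:
        domains_by_ip[r.ip].add(r.domain)
    return {ip: sorted(d) for ip, d in domains_by_ip.items() if len(d) >= min_domains}


if __name__ == "__main__":
    print("fast-flux candidates:", fast_flux_candidates(SAMPLE))
    print("shared-IP pivots:", shared_ip_pivots(SAMPLE))
```

On real data, feed the functions from your passive-DNS export or resolver logs and confirm hits against the vendors' published indicators before blocking; the prefix check is there because legitimate round-robin hosting usually rotates within one network, whereas flux infrastructure spreads across unrelated ones.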