Updated Raspberry Robin malware emerges
Several updates have been introduced to the Raspberry Robin malware, also known as QNAP worm, including its usage of two new exploits for one-day vulnerabilities, tracked as CVE-2023-36802 and CVE-2023-29360, reports The Hacker News.
Raspberry Robin operators Storm-0856 may have purchased both exploits, as suggested by the exploits' lack of obfuscation relative to the malware's core module and their use as an external 64-bit executable, according to a Check Point report.
Aside from the new exploits, attackers have begun using malicious files on Discord to spread the malware, said researchers, who noted that new Raspberry Robin variants have also been leveraging PAExec.exe for lateral movement logic rather than PSExec.exe. Newer Raspberry Robin versions have also been establishing communications with command-and-control servers only when they receive a response from Tor domains.
"Raspberry Robin's ability to quickly incorporate newly disclosed exploits into its arsenal further demonstrates a significant threat level, exploiting vulnerabilities before many organizations have applied patches," said Check Point.