A new analysis of Raspberry Robin’s attack infrastructure has revealed that it’s possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat.
Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is malware that has increasingly come on the radar for being used in attacks aimed at finance, government, insurance, and telecom entities.
Given its use by multiple threat actors to drop a wide range of payloads such as SocGholish, Bumblebee, TrueBot, IcedID, and LockBit ransomware, it’s believed to be a pay-per-install (PPI) botnet capable of serving next-stage malware.
Raspberry Robin, notably, employs infected USB drives as a propagation mechanism and leverages breached QNAP network-attached storage (NAS) devices as first-level command-and-control (C2).
Cybersecurity firm SEKOIA said it was able to identify at least eight virtual private servers (VPSs) hosted on Linode that function as a second C2 layer and likely act as forward proxies to the next, as-yet-unknown tier.