Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar.
“What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble,” Security Joes said in a new report published Monday.
The intrusions, observed against Spanish and Portuguese-speaking organizations, are notable for collecting more victim machine data than previously documented, with the malware now exhibiting sophisticated techniques to resist analysis.
Raspberry Robin, also called QNAP worm, is being used by several threat actors as a means to gain a foothold into target networks. Spread via infected USB drives and other methods, the framework has been recently put to use in attacks aimed at telecom and government sectors.
Microsoft is tracking the operators of Raspberry Robin under the moniker DEV-0856.
Security Joes’ forensic investigation into one such attack has revealed the use of a 7-Zip file, which is downloaded from the victim’s browser via social engineering and contains an MSI installer file designed to drop multiple modules.
images from Hacker News