Actors relying on Raspberry Robin malware have been observed employing unique evasion techniques to avoid detection.
Security researchers at Check Point Research (CPR) released a new advisory on Tuesday, outlining the capabilities of the new malware and how defenders can protect their systems against them.
CPR security researcher Shavit Yosef wrote: “This study aims to show many ways, along with explanations of how they work and how to avoid them.”
Some of the new methods Raspberry Robin uses are related to its ability to avoid running in virtual machines (VMs), which security researchers often use to analyze malware. This makes it difficult for defenders to research the tool. Technical details on defending against them are available in the advisory.
Raspberry Robin has also added other evasion techniques at many stages of its operation. CPR analyzed two new exploits that the malware uses to gain elevated privileges on infected systems.
The first (CVE-2020-1054) takes advantage of a bug in the win32k window object that allows data to be written outside its intended bounds. This exploit is only used by Raspberry Robin on Windows 7 systems.
The second exploit (CVE-2021-1732) is similar from a technical point of view, but targets Windows 10 systems with specific build numbers and checks for the presence of specific patches. Yosef writes that this exploit has been used as a zero-day by the Bitter APT group in the past.
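The exploit gates itself on OS build and patch state; a defender can run the same check from the other side to find hosts still exposed to either CVE. The following is an added example, not code from the advisory or from CPR: it triages a constructed host inventory by build number and installed hotfixes. The KB identifiers and the Windows 10 build range are assumptions marked as placeholders and must be replaced with the values from Microsoft's advisories for the builds in your estate.

```python
"""Patch-status triage for CVE-2020-1054 (Windows 7) and CVE-2021-1732 (Windows 10).

Added example. The inventory below is constructed; the KB ids are placeholders.
"""
from dataclasses import dataclass

# Placeholders (assumption): substitute the real KB ids that remediate each CVE
# for the builds you manage, taken from the Microsoft security advisories.
PATCH_FOR = {
    "CVE-2020-1054": "KB-PLACEHOLDER-2020-1054",
    "CVE-2021-1732": "KB-PLACEHOLDER-2021-1732",
}

WIN7_BUILDS = {7600, 7601}                       # Windows 7 RTM / SP1 build numbers
WIN10_MIN_BUILD, WIN10_MAX_BUILD = 10240, 19045  # assumption: Windows 10 build range to consider


@dataclass(frozen=True)
class Host:
    name: str
    build: int
    hotfixes: frozenset  # installed KB ids as reported by the host


def os_family(build: int) -> str:
    """Classify a build number the way the exploit's own gating logic would."""
    if build in WIN7_BUILDS:
        return "win7"
    if WIN10_MIN_BUILD <= build <= WIN10_MAX_BUILD:
        return "win10"
    return "other"


def exposures(host: Host) -> list:
    """Return the CVEs a host is still exposed to, given its OS family and hotfixes.

    Mirrors the article: CVE-2020-1054 is used only against Windows 7,
    CVE-2021-1732 only against Windows 10 builds that lack the fix.
    """
    family = os_family(host.build)
    found = []
    if family == "win7" and PATCH_FOR["CVE-2020-1054"] not in host.hotfixes:
        found.append("CVE-2020-1054")
    if family == "win10" and PATCH_FOR["CVE-2021-1732"] not in host.hotfixes:
        found.append("CVE-2021-1732")
    return found


def triage(hosts) -> dict:
    """Map each exposed host name to its outstanding CVEs; patched hosts are omitted."""
    result = {}
    for host in hosts:
        missing = exposures(host)
        if missing:
            result[host.name] = missing
    return result


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("ws-legacy-01", 7601, frozenset()),
    Host("ws-legacy-02", 7601, frozenset({"KB-PLACEHOLDER-2020-1054"})),
    Host("ws-10-03", 19042, frozenset({"KB-PLACEHOLDER-2020-1054"})),
    Host("ws-10-04", 19042, frozenset({"KB-PLACEHOLDER-2021-1732"})),
    Host("srv-2019-05", 17763, frozenset()),
    Host("ws-11-06", 22621, frozenset()),
]

if __name__ == "__main__":
    for name, cves in triage(SAMPLE_HOSTS).items():
        print(f"{name}: missing fix for {', '.join(cves)}")
```

Feed `triage()` the output of your inventory tool (for example `Get-HotFix` and `[System.Environment]::OSVersion` collected per host) and patch the Windows 7 and unpatched Windows 10 hosts first, since those are the only ones the two exploits target.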
“Raspberry Robin also implements other cool tricks and exploits, demonstrating its competence in the exploit space,” added the security researcher. “Unfortunately, the world of avoidance is getting harder and more creative. Buckle up and hope someone has encountered this avoidance before you.”