February 9th – The malware family identified as Raspberry Robin is back, with new methods for gaining higher levels of unauthorized privilege on infected systems than it achieved previously.
According to Check Point researchers, Raspberry Robin has introduced two new 1-day Local Privilege Escalation (LPE) exploits, indicating either access to a dedicated exploit developer or a strong capability for rapid exploit development.
“Raspberry Robin’s ability to quickly incorporate newly disclosed exploits into its arsenal further demonstrates a significant threat level, exploiting vulnerabilities before many organizations have applied patches,” Check Point noted.
The first of the new exploits, which the malware uses to gain higher privileges on infected systems, takes advantage of a bug in the win32k window object that allows the malware to write data outside of its intended boundaries (an out-of-bounds write). Raspberry Robin uses this exploit only on Windows 7 systems.
From a technical vantage point, the second exploit is similar to the first; however, it targets Windows 10 systems with specific build numbers and checks whether a particular patch is present before proceeding. This exploit was used in the past, as a zero-day, by the Bitter APT group.
Cyber criminals have not only made changes to Raspberry Robin’s attack mechanisms, but they have also altered its distribution methods. Previously, the malware was reliant on USB drives for propagation. Now, it can utilize Discord as a distribution vehicle.
The Check Point team explained that the malware consistently updates its features and evasion techniques in order to evade security systems.
“The malware’s communication and lateral movement strategies have been refined to evade traditional security detection, highlighting its developers’ focus on stealth and evasion,” wrote researchers.
Researchers have cautioned that proactive measures are critical to addressing this threat and avoiding its effects. Cyber security leaders should ensure that:
- Appropriate updates have been made to software and systems
- Employees have training on cyber security best practices
- Robust access controls have been implemented
- They remain informed about emerging threats and mitigation techniques