Raspberry Robin Malware Downloader Attacking Windows Systems With New Exploit for Common Log File System Driver Vulnerability

The cybersecurity landscape faces a persistent threat as Raspberry Robin, a sophisticated malware downloader also known as Roshtyak, continues its campaign against Windows systems with enhanced capabilities and evasion techniques.

First identified in 2021, this USB-propagated malware has demonstrated remarkable resilience and adaptability, primarily targeting enterprise environments through infected removable storage devices.

Raspberry Robin’s infection vector remains consistent with its original deployment strategy, leveraging compromised USB devices to infiltrate target networks.

Once executed, the malware establishes persistence and attempts to communicate with its command-and-control infrastructure over the Tor network.

Raspberry Robin’s new obfuscated stack pointers (Source – Zscaler)

The malware’s operators have consistently refined their approach, implementing sophisticated obfuscation methods that challenge traditional detection mechanisms and complicate reverse engineering efforts.

Zscaler researchers identified significant evolutionary changes in Raspberry Robin’s architecture, particularly noting the integration of CVE-2024-38196, a local privilege escalation exploit targeting the Common Log File System driver vulnerability.

Raspberry Robin’s obfuscation for conditional statements (Source – Zscaler)

This critical addition enables the malware to elevate its privileges on compromised systems, potentially granting administrator-level access for deeper system infiltration.

The malware’s communication infrastructure has undergone substantial modifications, transitioning from AES-CTR encryption to the ChaCha20 algorithm for protecting network data.

Raspberry Robin C2 dynamic correction algorithm (Source – Zscaler)

This encryption change, combined with randomly generated counter and nonce values per request, significantly enhances the malware’s ability to evade network-based detection systems.

Advanced Obfuscation and Persistence Mechanisms

The latest Raspberry Robin variants incorporate sophisticated obfuscation techniques designed to frustrate analysis efforts.

The malware now implements multiple initialization loops within functions featuring flattened control flow, effectively neutralizing brute-force decryption attempts that were previously successful against earlier versions.

#include <stdint.h>

/* Per-request ChaCha20 parameters as laid out by the malware (16 bytes):
   a 32-bit block counter and a 96-bit nonce split into three words. */
struct encryptionInfo
{
    uint32_t nonce_part2;
    uint32_t nonce_part3;
    uint32_t counter;
    uint32_t nonce_part1;
};

Additionally, the malware employs obfuscated stack pointers and conditional statements, disrupting standard decompilation processes and requiring manual intervention from security analysts for proper analysis.
