Raspberry Robin Malware Targets Windows Systems via New CLFS Driver Exploit
The Raspberry Robin malware, also known as Roshtyak, has undergone substantial updates that enhance its evasion and persistence on Windows systems.
Active since 2021 and primarily disseminated through infected USB devices, this sophisticated downloader has integrated advanced obfuscation techniques to thwart reverse-engineering efforts.
Encryption Tactics
Researchers at Zscaler’s ThreatLabz have observed the addition of multiple initialization loops within functions featuring flattened control flow, which introduces redundant junk code and complicates brute-force decryption attempts.
This modification renders traditional analysis methods less efficient, as the loops obfuscate the core logic by inflating the computational overhead required for key recovery.
Furthermore, the malware now employs obfuscated stack pointers that disrupt decompilation tools like IDA Pro, often resulting in failed function reconstructions unless analysts manually adjust the stack frames.
Conditional statements have also been obfuscated, embedding complex logic that masks decision-making processes and hinders static code analysis, thereby prolonging the time needed to unravel the malware’s behavior.
Shifting from its previous AES-CTR encryption for network communications, Raspberry Robin has adopted the ChaCha20 algorithm, utilizing a hardcoded 32-byte key while generating random counter and nonce values per request.
These elements are prepended to the encrypted payload in a structured format, including fields for nonce parts and counters, ensuring variability and resistance to pattern-based detection.
The RC4 key mechanism has been refined, with an 8-byte random seed now appended rather than prepended, and hardcoded key segments varying across samples and campaigns.
Additionally, the CRC-64 checksum algorithm retains its structure but incorporates randomized initial values, further customizing each instance to evade signature-based defenses.
Integration of Privilege Escalation
A critical development in Raspberry Robin’s arsenal is the incorporation of a new local privilege escalation (LPE) exploit targeting CVE-2024-38196, a vulnerability in the Windows Common Log File System (CLFS) driver.
This exploit allows the malware to elevate privileges on compromised systems, enabling deeper entrenchment and access to sensitive resources without relying on user interaction.
By exploiting this flaw, Raspberry Robin can bypass standard security controls, facilitating the deployment of secondary payloads in elevated contexts.
Complementing this, the malware embeds intentionally corrupted TOR onion domains for command-and-control (C2) servers, which are dynamically corrected via a hardcoded algorithm that varies per sample or campaign.

This approach not only obfuscates IOC extraction but also complicates network forensics, as analysts must reverse-engineer the correction logic to identify active C2 endpoints.
Additional refinements include the introduction of expiration dates in the binary, limiting execution to a one-week window per sample, which minimizes exposure to prolonged analysis.
Inter-module communication, such as between the core and TOR components, now uses variable memory mappings with randomized offsets, adding another layer of unpredictability.
These evolutions, implemented shortly after prior disclosures, underscore Raspberry Robin’s adaptive nature, making it a persistent threat despite limited public scrutiny.
Zscaler’s cloud security platform provides detection through sandboxing and reports the family under the threat name Win32.Worm.RaspberryRobin, highlighting indicators across multiple layers.
As Raspberry Robin continues to refine its techniques, security teams must prioritize dynamic analysis and behavioral monitoring to counter this evolving downloader.
Indicators of Compromise (IOCs)
| SHA256 | Description |
|---|---|
| 5b0476043da365be5325260f1f0811ea81c018a8acc9cee4cd46cb7348c06fc6 | Raspberry Robin DLL |
| 05c6f53118d363ee80989ef37cad85ee1c35b0e22d5dcebd8a6d6a396a94cb65 | Raspberry Robin DLL |