The Raspberry Robin worm has been observed incorporating one-day exploits almost immediately after they are developed, with the aim of escalating privileges more effectively. According to researchers from Check Point, the group behind the initial access tool is believed to be collaborating with Dark Web exploit traffickers, allowing them to rapidly integrate new exploits for obtaining system-level privileges before these vulnerabilities are made public.
Eli Smadja, group manager for Check Point, described Raspberry Robin as “a very powerful piece of the program that gives the attacker much more ability in terms of evasion, and performing higher-privileged actions than they could in any other scenario.”
Initially discovered in 2021 and publicly disclosed the following year, Raspberry Robin has significantly shortened its upgrade cycle, with the developers now incorporating exploits in a fraction of the time it previously took them. One example is the integration of an exploit for CVE-2021-1732, a privilege escalation vulnerability with a high 7.8 out of 10 CVSS score. This bug was disclosed in February 2021 and was only added to Raspberry Robin the following year. In contrast, the worm was exploiting CVE-2023-29360, a high 8.4 out of 10 bug in Microsoft Stream’s streaming service proxy, by August, well before a public exploit was released.
Another notable instance was CVE-2023-36802, a bug in Microsoft Stream, which Raspberry Robin was exploiting by early October, again before a public exploit was available. The time the group takes to weaponize vulnerabilities after disclosure has shrunk from one year to two months, and now to two weeks.
Check Point suggests that the worm developers are either acquiring exploits from Dark Web developers or developing them themselves, with indications pointing to the former scenario being more likely. In its first year of activity, Raspberry Robin became one of the world’s most popular worms, infecting thousands of endpoints every month. The worm is now a preferred initial access option for threat actors like Evil Corp and TA505, contributing to major breaches of public and private sector organizations.
Eli Smadja mentioned that most of the top malware families listed today use worms to spread in networks because it is very helpful. The use of tools like Raspberry Robin will likely continue due to their ongoing improvements, use of new zero-days and one-days, and enhanced evasion techniques. Smadja added that these factors make it an “amazing service for an attacker” and speculated it will never disappear.
In summary, the Raspberry Robin worm has emerged as a significant initial access cyber threat, with its rapid integration of one-day exploits and continuous improvements contributing to its effectiveness as a tool for threat actors. The worm’s increasing capabilities in obtaining system-level privileges pose a significant risk to organizations and underline the importance of proactive measures to safeguard against such threats.