Raspberry Robin Adopts Unique Evasion Techniques

Written by

Threat actors relying on the Raspberry Robin malware have been observed adopting unique evasion techniques to avoid detection.

Security researchers at Check Point Research (CPR) published a new advisory on Tuesday describing the novel malware features and how defenders can guard systems against them.

“Anti-debugging and other evasions can be exhausting, and even more so when it comes to such obfuscation methods and volume of methods as Raspberry Robin implements,” wrote CPR security researcher Shavit Yosef. “This research aims to show plenty of methods with explanations of how they work and how to evade those evasions.”

Read more on the Raspberry Robin malware: Raspberry Robin Worm Actors Linked to Clop, LockBit Ransomware Groups

Several of the new methods Raspberry Robin uses are related to its ability to avoid being run on virtual machines (VMs), which security researchers often use to analyze malware. This makes it harder for defenders to study the tool. Technical details to defend against them are available in the advisory.

Raspberry Robin also added other evasion techniques at many stages of its operation. CPR analyzed two new exploits the malware used to gain higher privileges on infected systems. 

The first of them (CVE-2020-1054) takes advantage of a bug in the win32k window object, allowing it to write data outside of its intended boundaries. The exploit is only used by Raspberry Robin on Windows 7 systems.

The second exploit (CVE-2021-1732) is similar from a technical standpoint but targets Windows 10 systems with specific build numbers and checks if a particular patch is present. Yosef wrote that this exploit was used in the past as a zero-day by the Bitter APT group. 

“Raspberry Robin implemented other cool tricks and exploits showing that he also has capabilities in the exploiting area,” the security researcher added. “Unfortunately, the world of evasions is only getting harder and more creative, so buckle up and pray that somebody already encountered this evasion before you.”

What’s hot on Infosecurity Magazine?