Researchers Uncover ~200 Unique C2 Domains Linked to Raspberry Robin Access Broker

In a recent investigation, cybersecurity researchers identified nearly 200 unique command-and-control (C2) domains associated with the Raspberry Robin malware, also tracked as Roshtyak or Storm-0856. The operators behind it function as an initial access broker (IAB), selling entry into compromised systems to other criminal groups, many with ties to Russia.

Evolution and Distribution of Raspberry Robin

Since its emergence in 2019, Raspberry Robin has evolved into a delivery channel for multiple malicious payloads, including SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot. Initially known for using compromised QNAP NAS devices to host its payloads, which earned it the moniker "QNAP worm", the malware has diversified its distribution methods over time.

One notable method distributes the malware as archives and Windows Script Files (.wsf) sent as attachments over the messaging service Discord. Raspberry Robin has also been observed acquiring one-day exploits, that is, exploits for vulnerabilities that had already been patched, to achieve local privilege escalation before working exploits for those flaws were publicly available. Buying exploits early, rather than waiting for public proof-of-concept code, shows how much the operators invest in staying ahead of defenders.

Evidence suggests that Raspberry Robin operates as a pay-per-install (PPI) botnet: other malicious actors pay to have their follow-on malware deployed on machines the botnet already controls. This business model is what makes it useful to, and popular with, the rest of the cybercriminal ecosystem.

USB-Based Propagation Mechanism

A distinctive feature of Raspberry Robin is its USB-based propagation mechanism. The malware spreads via infected USB drives containing Windows shortcut (LNK) files disguised as folders. When a user opens one of these shortcuts, it triggers deployment of the malware, allowing it to spread across systems and networks. The technique relies on users trusting removable media and double-clicking what looks like an ordinary folder, which is enough for a successful infection.

Association with Nation-State Actors

The U.S. government has disclosed that the Russian nation-state threat actor known as Cadet Blizzard may have used Raspberry Robin as an initial access facilitator. This connection shows that the malware's reach extends beyond financially motivated crime into state-sponsored operations.

Infrastructure Analysis and Fast Flux Techniques

In collaboration with Team Cymru, researchers from Silent Push conducted an in-depth analysis of Raspberry Robin's infrastructure. They identified a single IP address functioning as a data relay that connected to the compromised QNAP devices; pivoting from it led to the discovery of more than 180 unique C2 domains, the figure rounded to "nearly 200" above.

This IP address was accessed through Tor relays, suggesting that the network operators used it to issue commands and interact with compromised devices while keeping their own location hidden. The relay IP itself was located in a European Union country.

Further investigation revealed that Raspberry Robin's C2 domains are notably short (examples include q2[.]rs, m0[.]wf, h0[.]wf, and 2i[.]pm) and that their DNS records are rapidly rotated among compromised devices and IP addresses. This rotation is a technique known as fast flux: the domain's records are changed frequently, typically with short TTLs, so that at any moment it resolves to a different set of compromised hosts that front the real command infrastructure. Because no single IP address stays associated with a domain for long, fast flux frustrates blocklisting, takedown requests, and attempts to locate the backend servers.
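The two traits described above, short domains under a handful of TLDs and fast-flux rotation of their A records, are both things a defender can look for in passive DNS or resolver logs. The following is an added example, not tooling from Silent Push, Team Cymru or the original article; the resolution records, the domain names such as a1.wf and h7.pm, and the thresholds (five IPs, three /16 prefixes, TTL of 300 seconds or less within 24 hours) are all constructed or assumed for illustration. It uses /16 prefix diversity as an offline stand-in for the ASN diversity an analyst would normally get from IP-to-ASN enrichment; that diversity check is what keeps an ordinary CDN, which also rotates low-TTL answers but within its own address ranges, from being flagged.

```python
"""Fast-flux and short-domain heuristics over passive-DNS style A-record observations.

Added example with constructed data; not code from the report or the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Resolution:
    """One observed A-record answer: name, resolved IPv4, TTL in seconds, observation time."""
    name: str
    rdata: str
    ttl: int
    seen: datetime


# TLDs named in the report, plus .rs from the q2[.]rs sample domain.
REPORTED_TLDS = {"wf", "pm", "re", "nz", "eu", "gy", "tw", "cx", "rs"}


def is_short_domain(name: str) -> bool:
    """True for a bare two-label name whose first label is 1-2 characters under a reported TLD."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 2:
        return False
    sld, tld = labels
    return 1 <= len(sld) <= 2 and tld in REPORTED_TLDS


def _slash16(ip: str) -> str:
    """Coarse proxy for network diversity when no ASN enrichment is available offline."""
    octets = str(IPv4Address(ip)).split(".")  # IPv4Address() also validates the string
    return ".".join(octets[:2])


def analyze(records, window=timedelta(hours=24), low_ttl=300, min_ips=5, min_prefixes=3):
    """Per-domain verdict. Thresholds are assumptions chosen for this example.

    A name is flagged as fast flux when, inside some `window`, it resolved to at
    least `min_ips` distinct IPs spread over at least `min_prefixes` distinct /16s
    with a TTL at or below `low_ttl`.
    """
    by_name = defaultdict(list)
    for r in records:
        by_name[r.name].append(r)

    report = {}
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r.seen)
        best = None
        # Slide a window starting at each observation and keep the densest one.
        for i, start in enumerate(recs):
            in_win = [r for r in recs[i:] if r.seen - start.seen <= window]
            cand = {
                "unique_ips": len({r.rdata for r in in_win}),
                "prefixes": len({_slash16(r.rdata) for r in in_win}),
                "min_ttl": min(r.ttl for r in in_win),
            }
            if best is None or (cand["unique_ips"], cand["prefixes"]) > (best["unique_ips"], best["prefixes"]):
                best = cand
        best["short_domain"] = is_short_domain(name)
        best["fast_flux"] = (
            best["unique_ips"] >= min_ips
            and best["prefixes"] >= min_prefixes
            and best["min_ttl"] <= low_ttl
        )
        report[name] = best
    return report


def flagged(records):
    """Names whose resolution pattern meets the fast-flux criteria, sorted."""
    return sorted(n for n, v in analyze(records).items() if v["fast_flux"])


BASE = datetime(2025, 3, 1, 0, 0)
# Constructed observations. a1.wf and h7.pm are hypothetical names; the IPs are
# documentation/private ranges chosen only to give distinct /16 prefixes.
SAMPLE = [
    Resolution("a1.wf", "198.51.100.7", 60, BASE),
    Resolution("a1.wf", "203.0.113.44", 60, BASE + timedelta(hours=1)),
    Resolution("a1.wf", "192.0.2.19", 60, BASE + timedelta(hours=2)),
    Resolution("a1.wf", "198.51.100.7", 60, BASE + timedelta(hours=3)),  # an IP comes back into rotation
    Resolution("a1.wf", "100.64.3.9", 60, BASE + timedelta(hours=4)),
    Resolution("a1.wf", "10.20.30.40", 60, BASE + timedelta(hours=5)),
    Resolution("a1.wf", "172.16.5.6", 60, BASE + timedelta(hours=6)),
    # CDN-fronted site: many low-TTL answers, but all inside one /16.
    Resolution("cdn.example.net", "192.0.2.10", 20, BASE),
    Resolution("cdn.example.net", "192.0.2.11", 20, BASE + timedelta(minutes=5)),
    Resolution("cdn.example.net", "192.0.2.12", 20, BASE + timedelta(minutes=10)),
    Resolution("cdn.example.net", "192.0.2.13", 20, BASE + timedelta(minutes=15)),
    Resolution("cdn.example.net", "192.0.2.14", 20, BASE + timedelta(minutes=20)),
    # Ordinary site with a stable, long-lived answer.
    Resolution("www.example.com", "203.0.113.5", 86400, BASE),
    # Short name under a reported TLD, but only one stable resolution: weak signal on its own.
    Resolution("h7.pm", "198.51.100.200", 3600, BASE),
]

if __name__ == "__main__":
    for name, verdict in analyze(SAMPLE).items():
        print(name, verdict)
    print("fast-flux candidates:", flagged(SAMPLE))
```

In practice the two signals are combined: a short name under one of the reported TLDs is not evidence by itself (h7.pm above is not flagged), but a short name that also shows flux-like rotation deserves immediate attention. Replace the /16 proxy with real ASN data before tuning the thresholds against production resolver logs.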

Domain Registration and Hosting Details

The analysis also shed light on the top-level domains (TLDs) used by Raspberry Robin, including .wf, .pm, .re, .nz, .eu, .gy, .tw, and .cx. The domains were registered through niche registrars such as Sarek Oy, 1API GmbH, NETIM, Epag[.]de, CentralNic Ltd, and OpenSRS. Notably, a significant number of the identified C2 domains have name servers hosted by ClouDNS, a Bulgarian DNS provider, which makes that provider a useful pivot point for finding further related domains.

Connections to Other Threat Actors

Raspberry Robin's current operations are consistent with its history of working alongside serious threat actors, many of them linked to Russia. These include the groups and malware families LockBit, Dridex, SocGholish, DEV-0206, Evil Corp (DEV-0243), Fauppod, FIN11, the Clop gang, and Lace Tempest (TA505). This breadth of customers underscores the malware's role as shared infrastructure for the cybercriminal ecosystem rather than a single group's tool.

Implications and Recommendations

The discovery of nearly 200 unique C2 domains associated with Raspberry Robin highlights the malware's reach and the infrastructure supporting it. Its role as an initial access broker for many different threat actors, combined with its evolving distribution methods and resilient C2 design, makes it a persistent challenge for defenders.

Organizations are advised to implement layered defenses that match the behaviors described above: monitor DNS and network traffic for fast-flux indicators, such as low-TTL domains that resolve to many unrelated IP addresses over a short period, and for queries to the very short domains under the TLDs listed; restrict the use of removable media and train employees to treat shortcut files on USB drives, as well as archive and script-file attachments from chat services such as Discord, as suspect; and keep systems patched, with particular attention to Windows local privilege escalation fixes, since the operators have been seen weaponizing one-day flaws quickly. Collaboration with security researchers and sharing of threat intelligence, including the domain, registrar, and name-server patterns identified here, improves the collective ability to detect and disrupt threats like Raspberry Robin.