Recent versions of the Raspberry Robin malware are stealthier and implement one-day exploits that are deployed only on systems that are susceptible to them. One-day exploits refer to code that leverages a vulnerability that the developer of the impacted software patched recently but the fix has either not been deployed to all clients or it has not been applied on all vulnerable systems.
From the moment the vendor discloses the vulnerability, which usually comes with publishing a patch, threat actors rush to create an exploit and use it before the fix propagates to a large number of systems. According to a
report from Check Point, Raspberry Robin has recently used at least two exploits for 1-day flaws, which indicates that the malware operator either has the capability to develop the code or has sources that provide it.
Raspberry Robin is a worm that Red Canary, a managed detection and response company, first identified in 2021. It spreads primarily through removable storage devices such as USB drives to establish a foothold on infected systems and facilitate the deployment of additional payloads. It has been associated with threat actors like
EvilCorp, FIN11, TA505, the
Clop ransomware gang, and other malware operations, but its creators and maintainers are unknown.
