Ransomware/Malware Activity
Raspberry Robin Worm Now Spreads Through Windows Script Files (WSF)
Raspberry Robin is a Windows worm first introduced in 2021 and is known for establishing a malicious foothold in victim devices in order to deliver some of the most prevalent forms of malware including SocGholish, Cobalt Strike, and IcedID. Raspberry Robin has been known to initially infect victim computers through compromised USB devices, RAR files hosted on Discord, and ZIP files contained in malicious advertisements and downloaded via the web browser. Researchers have now identified a new infection method via Windows Script Files (.wsf) which are hosted on malicious domains and subdomains controlled by threat actors. The WSF file performs as a downloader and retrieves the main DLL payload from a compromised remote server using the curl command. Raspberry Robin is noted for its sophisticated obfuscation and anti-analysis techniques deployed to evade detection and hinder discovery. The Raspberry Robin script runs a series of checks on the victim environment and aborts execution should a check fail. The checks include whether the script is being run in a virtualized environment, the windows operating system, and whether certain anti-virus programs are running. Importantly, the Raspberry Robin scripts are not currently classified as malicious by anti-virus scanners on Virus Total, which is reflective of the evasiveness of the malware. Identifying this malware early in the infection chain should be a high priority for security teams as it is a precursor to more malicious malware such as infostealers and ransomware. CTIX analysts recommend blocking the indicators of compromise (IOCs) associated with this campaign. CTIX analysts will continue to report on new and evolving malware campaigns.
- The Hacker News: Raspberry Robin Returns
- HP Threat Research: Raspberry Robin Now Spreading through Windows Script
Threat Actor Activity
Stealthy RUBYCARP Botnet Group Discovered After a Decade of Operation
A suspected Romanian botnet group known as RUBYCARP has been discovered after more than ten (10) years of activity operating their botnet. They are known to be financially motivated with similarities among their tactics that possibly link them to the Outlaw APT threat group. RUBYCARP specializes in exploiting known vulnerabilities and using brute force attacks to compromise corporate networks and servers. The cybercriminal’s arsenal has been diverse, exploiting vulnerabilities in Laravel applications (CVE-2021-3129), brute-forcing SSH servers, and targeting WordPress sites via credential dumps. The botnet, comprised of over 600 compromised servers, primarily utilizes Perl-based payloads with a significant focus on crypto mining, phishing campaigns, and distributed denial of service (DDoS) attacks. The attackers frequently rotate their infrastructure and have been observed kicking out clients whose connections are not properly configured, additionally blocking the IPs to avoid security analysts attempting to investigate the group’s infrastructure. Of the thirty-nine (39) discovered variants, only eight (8) appeared on VirusTotal, highlighting the groups sophisticated evasion tactics. Along with launching DDoS attacks from infected devices, RUBYCARP uses an array of crypto miners to mine cryptocurrencies like Monero, Ethereum, and Ravencoin at the expense of the victim’s computational resources. Additionally, phishing tactics are used to steal financial information such as credit card data, either by deploying phishing messages directly on compromised servers or sending phishing emails from them. The phishing campaigns have largely been aimed at European targets, including Swiss Bank, Nets Bank, and Bring Logistics. While RUBYCARP isn’t the largest player in the arena of botnets, their stealthiness and operational security is impressive. The group's activities highlight the persistent threat posed by organized cybercrime groups and the importance of robust cybersecurity measures to protect against such threats.
Vulnerabilities
Critical "BatBadBut" Vulnerability in the Rust Standard Library Allows for Windows Command Injection Attacks
A critical security vulnerability in the Rust standard library dubbed "BatBadBut" has been discovered, primarily affecting Windows systems through command injection attacks. This flaw, tracked as CVE-2024-24576, which was given a CVSS score of 10/10 by GitHub, allows unauthenticated attackers to remotely execute malicious commands on a system without any user interaction, due to weaknesses in how OS commands and arguments are handled. Specifically, the vulnerability occurs when batch files with “.bat” or “.cmd” extensions are invoked through the Command API without proper argument escaping. This issue is confined to Rust versions prior to 1.77.2 on Windows, and no other platforms are impacted. The Rust Security Response working group has addressed the issue by modifying the Command API to improve argument escaping and handle errors more robustly. This vulnerability also affects several other programming languages like Java, Go, and Python, though not all have issued patches. Security recommendations include moving batch files out of accessible directories to prevent unauthorized execution. CTIX analysts urge all developers to identify which of their programming languages are affected and download the latest patch or follow the guidance documentation provided by the maintainers.
- Bleeping Computer: BatBadBut Article
- The Hacker News: BatBadBut Article
- Rust Blog: CVE-2024-24576 Advisory
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
