Raspberry Robin Adopts Unique Evasion Techniques

Threat actors relying on the Raspberry Robin malware have been observed adopting unique evasion techniques to avoid detection.
Security researchers at Check Point Research (CPR) published a new advisory on Tuesday describing the novel malware features and how defenders can guard systems against them.
“Anti-debugging and other evasions can be exhausting, and even more so when it comes to such obfuscation methods and volume of methods as Raspberry Robin implements,” wrote CPR security researcher Shavit Yosef. “This research aims to show plenty of methods with explanations of how they work and how to evade those evasions.”
Several of the new methods relate to Raspberry Robin's ability to avoid running on virtual machines (VMs), which security researchers often use to analyze malware. This makes the tool harder for defenders to study. Technical details on defending against these methods are available in the advisory.
Raspberry Robin also added other evasion techniques at many stages of its operation. CPR analyzed two new exploits the malware used to gain higher privileges on infected systems.
The first (CVE-2020-1054) takes advantage of a bug in the win32k window object that allows data to be written outside its intended boundaries. Raspberry Robin uses this exploit only on Windows 7 systems.
The second exploit (CVE-2021-1732) is similar from a technical standpoint but targets Windows 10 systems with specific build numbers and checks if a particular patch is present. Yosef wrote that this exploit was used in the past as a zero-day by the Bitter APT group.
“Raspberry Robin implemented other cool tricks and exploits showing that he also has capabilities in the exploiting area,” the security researcher added. “Unfortunately, the world of evasions is only getting harder and more creative, so buckle up and pray that somebody already encountered this evasion before you.”