Raspberry Robin Adopts Unique Evasion Techniques
Threat actors relying on the Raspberry Robin malware have been observed adopting unique evasion techniques to avoid detection.
Security researchers at Check Point Research (CPR) published a new advisory on Tuesday describing the novel malware features and how defenders can guard systems against them.
“Anti-debugging and other evasions can be exhausting, and even more so when it comes to such obfuscation methods and volume of methods as Raspberry Robin implements,” wrote CPR security researcher Shavit Yosef. “This research aims to show plenty of methods with explanations of how they work and how to evade those evasions.”
Several of the new methods are checks that detect whether Raspberry Robin is running inside a virtual machine (VM), the environment security researchers typically use to analyze malware; when a VM is detected the sample does not run, which makes the tool harder to study. The advisory gives the technical details of each check and how analysts can get past it.
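To make the VM-detection problem concrete, here is an added example of the kind of anti-analysis fingerprinting such malware performs, together with the analyst-side view of which artifacts a lab VM has to hide before the sample will run. It is not Check Point's or Raspberry Robin's code; the indicator lists are generic, publicly known VM artifacts (hypervisor CPUID signatures, SMBIOS product names, virtual-NIC OUI prefixes, sandbox-sized hardware) rather than the specific checks documented in the CPR advisory, and the three host profiles are constructed by hand.

```python
"""Heuristic VM/sandbox fingerprinting of the kind anti-analysis malware uses,
plus the analyst-side view: which artifacts a lab VM must hide to get the
sample to run. Added example; it is not Check Point's or Raspberry Robin's
code, and the indicator lists are generic public VM artifacts rather than
the checks documented in the CPR advisory."""
from __future__ import annotations
from dataclasses import dataclass

# CPUID leaf 0x40000000 returns a 12-byte vendor signature in EBX:ECX:EDX when
# CPUID.1:ECX[31] (the "hypervisor present" bit) is set.
HYPERVISOR_VENDOR_IDS = {
    "VMwareVMware": "VMware",
    "VBoxVBoxVBox": "VirtualBox",
    "KVMKVMKVM": "KVM",            # real signature is padded with NUL bytes
    "Microsoft Hv": "Hyper-V",
    "XenVMMXenVMM": "Xen",
    "TCGTCGTCGTCG": "QEMU (TCG)",
}

# Substrings of SMBIOS/DMI system product names that betray a hypervisor.
DMI_PRODUCT_MARKERS = [
    ("VMware Virtual Platform", "VMware"),
    ("VirtualBox", "VirtualBox"),
    ("Standard PC (Q35", "QEMU"),
    ("Standard PC (i440FX", "QEMU"),
    ("Virtual Machine", "Hyper-V"),
    ("HVM domU", "Xen"),
]

# NIC OUI prefixes assigned to hypervisor vendors (their default virtual NICs).
MAC_OUI_VENDORS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM",
    "00:15:5D": "Hyper-V", "00:16:3E": "Xen",
}


@dataclass
class HostProfile:
    """Values a sample would gather from CPUID, SMBIOS and the OS; built by hand here."""
    hypervisor_bit: bool        # CPUID.1:ECX[31]
    hypervisor_vendor: str      # CPUID 0x40000000 signature
    dmi_product: str            # SMBIOS System Product Name
    mac_addresses: list[str]
    cpu_count: int
    ram_gib: float
    disk_gib: float


def vm_indicators(p: HostProfile) -> list[str]:
    """Return every artifact that suggests a VM or sandbox, in check order."""
    found: list[str] = []
    if p.hypervisor_bit:
        found.append("cpuid: hypervisor-present bit set")
    vendor = HYPERVISOR_VENDOR_IDS.get(p.hypervisor_vendor.rstrip("\0"))
    if vendor:
        found.append(f"cpuid: hypervisor signature identifies {vendor}")
    for needle, name in DMI_PRODUCT_MARKERS:
        if needle.lower() in p.dmi_product.lower():
            found.append(f"dmi: product name matches {name}")
            break
    for mac in p.mac_addresses:
        oui = mac.upper().replace("-", ":")[:8]
        if oui in MAC_OUI_VENDORS:
            found.append(f"nic: OUI {oui} belongs to {MAC_OUI_VENDORS[oui]}")
    # Resource-starved guests are typical of automated sandboxes.
    if p.cpu_count < 2:
        found.append(f"hw: only {p.cpu_count} CPU")
    if p.ram_gib < 2:
        found.append(f"hw: only {p.ram_gib} GiB RAM")
    if p.disk_gib < 60:
        found.append(f"hw: only {p.disk_gib} GiB disk")
    return found


def refuses_to_run(p: HostProfile, threshold: int = 1) -> bool:
    """Malware-style decision: bail out once `threshold` artifacts are seen."""
    return len(vm_indicators(p)) >= threshold


# Constructed profiles (not real hosts).
STOCK_VIRTUALBOX = HostProfile(True, "VBoxVBoxVBox", "VirtualBox",
                               ["08:00:27:3a:bc:01"], 1, 1.0, 40.0)
# Lab VM with spoofed SMBIOS, a non-hypervisor OUI and realistic resources,
# but the CPUID hypervisor bit left as the hypervisor exposes it by default.
LEAKY_LAB = HostProfile(True, "", "OptiPlex 7090",
                        ["D4:BE:D9:11:22:33"], 4, 8.0, 250.0)
# Same VM after the hypervisor is also configured to hide its CPUID presence.
HARDENED_LAB = HostProfile(False, "", "OptiPlex 7090",
                           ["D4:BE:D9:11:22:33"], 4, 8.0, 250.0)

if __name__ == "__main__":
    for name, prof in [("stock VirtualBox", STOCK_VIRTUALBOX),
                       ("leaky lab", LEAKY_LAB), ("hardened lab", HARDENED_LAB)]:
        print(f"{name}: refuses={refuses_to_run(prof)} {vm_indicators(prof)}")
```

A real sample reads these values with the `cpuid` instruction, from the SMBIOS tables and from the NIC list; the point for analysts is the `LEAKY_LAB` case: spoofing the guest-visible strings is not enough if the hypervisor still advertises itself through CPUID, so each artifact has to be hidden at the hypervisor or VM-configuration layer, and a single surviving indicator is enough for a one-strike check like `refuses_to_run` to stop the sample.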
Raspberry Robin also added evasion techniques at many other stages of its operation. CPR analyzed two exploits newly incorporated into the malware for local privilege escalation on infected systems.
The first (CVE-2020-1054) abuses an out-of-bounds write in the win32k kernel driver, letting the exploit write data beyond the intended bounds of a window object. Raspberry Robin only fires this exploit on Windows 7 hosts.
The second (CVE-2021-1732) is also a win32k privilege-escalation bug but is aimed at Windows 10: the malware compares the host's build number against a list of specific builds and checks whether the corresponding patch is installed before attempting it. Yosef noted that this vulnerability was previously exploited as a zero-day by the Bitter APT group.
“Raspberry Robin implemented other cool tricks and exploits showing that he also has capabilities in the exploiting area,” the security researcher added. “Unfortunately, the world of evasions is only getting harder and more creative, so buckle up and pray that somebody already encountered this evasion before you.”