Raspberry Robin malware spreading on Discord

Feb 12 2024

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s leaving the cybercriminals in the dust like Trump is Biden ???? Or maybe he’s just Biden his time ????

Today’s hottest cybersecurity news stories:

  • ⚠️ Watch out for Raspberry Robin malware spreading Discord ????

  • ???? General Zardoor targets Islamic charity organisation via backdoor ????

  • ???? I smell a Warzone RAT, DoJ ain’t nothing to f*ck with, arrests made

Raspberry Robin, Rock, Rock, Raspberry Robin ????




????????️ Watch Out: Raspberry Robin Malware Gets Stealthier! ????

Raspberry Robin, the notorious malware family known for facilitating initial access to other malicious payloads, has upped its game with two new one-day exploits for local privilege escalation. ???? Check Point’s recent report reveals that these exploits are used shortly after being developed, suggesting access to an exploit seller or rapid in-house development.

This evasive malware, attributed to the threat actor Storm-0856, has been on the radar since 2021 and is part of a complex malware ecosystem with ties to prominent e-crime groups like Evil Corp and Silence. ???? It spreads through various vectors, including infected USB drives, acting as a gateway for ransomware and other threats.

What’s alarming is Raspberry Robin’s use of undisclosed exploits, like CVE-2023-36802, which was advertised on the dark web months before it was publicly disclosed and patched by Microsoft. ???? These exploits are integrated quickly into the malware’s arsenal, posing a significant threat to organisations that may not have applied patches.

To make matters worse, the malware now utilises rogue RAR archive files hosted on Discord to gain initial access and has tweaked its lateral movement and C2 communication methods for increased stealth. ????️‍♂️ This includes switching from PsExec.exe to PAExec.exe for lateral movement and dynamically selecting V3 onion addresses for C2 communication.

Incorporating these changes, Raspberry Robin continues to evolve, making it more challenging to detect and analyse. Vigilance and timely patching remain crucial in defending against such sophisticated threats! ????️


Signup for Free


Learn AI in 5 minutes a day. We’ll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

Zordoor. The one place in Middle-earth we don’t want to see any closer, and the one place we’re trying to get to ????‍♂️

???????? Islamic Non-Profit in Saudi Arabia Targeted by Stealthy Cyber Espionage Campaign! ????????

An unnamed Islamic non-profit organisation in Saudi Arabia has fallen victim to a sophisticated cyber espionage campaign, where threat actors deployed a previously undocumented backdoor named Zardoor. ???? Discovered by Cisco Talos in May 2023, the campaign likely began as early as March 2021 and has flown under the radar, with only one known target identified so far.

Throughout the operation, the attackers utilised living-off-the-land binaries (LoLBins) to maintain long-term access to victim environments discreetly, avoiding detection. ????️‍♂️ The attack on the Islamic charity involved periodic data exfiltration, with the initial access vector still shrouded in mystery.

Zardoor, the stealthy backdoor deployed for persistence, is orchestrated using open-source reverse proxy tools like FRP, sSocks, and Venom to establish command-and-control connections. ????️ Leveraging Windows Management Instrumentation (WMI) for lateral movement, the threat actor spreads Zardoor across the network, executing commands received from the C2.

The infection pathway involves a dropper component that instals a malicious dynamic-link library (“oci.dll”), unleashing two backdoor modules, “zar32.dll” and “zor32.dll.” While “zar32.dll” handles C2 communications, “zor32.dll” ensures administrator privileges for the backdoor. ???? Zardoor’s capabilities include data exfiltration, remote execution, IP address updates, and self-deletion.

Despite extensive analysis, the identity and motives of the threat actor remain unknown, with no discernible ties to known cybercriminal groups. ????️‍♀️ The sophistication and stealthiness of the operation indicate the work of an advanced threat actor, posing a significant challenge to detection and mitigation efforts.

Organisations must remain vigilant and bolster their cybersecurity defences against such stealthy and persistent threats! ????️????

???? Catch of the Day!! ????????????

???? The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can’t get fooled again.” Good ol’ George Dubya ???? Let us tell who’s not fooling around though; that’s the Crüe ???? at Motley Fool. You’d be a fool (alright, enough already! ????) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ???? Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ???? (LINK)

???? Wander: Find your happy place. Cue Happy Gilmore flashback ????️⛳????????️ Mmmm Happy Place… ???? So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ????️???? (LINK)

???? Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ???????? (Great movie, to be fair ????). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty ????). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho ???? And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ???? (LINK)

Let me see your Warzone face ????

????⚠️ U.S. Justice Department Seizes Online Infrastructure Selling Warzone RAT ⚠️????

In a significant move, the U.S. Justice Department (DoJ) has seized online infrastructure linked to the sale of a notorious remote access trojan (RAT) dubbed Warzone RAT. ???? The domains, including www.warzone[.]ws, were utilised to peddle this malicious software, allowing cybercriminals to clandestinely access and pilfer data from victims’ computers.

In a coordinated international effort, law enforcement has apprehended and indicted two individuals in Malta and Nigeria for their roles in promoting and facilitating the use of the malware. ????‍♂️????‍♀️ Daniel Meli (27) and Prince Onyeoziri Odinakachi (31) face charges related to unauthorised access to protected computers, with Meli additionally accused of illegally vending electronic interception devices and conspiring to commit computer intrusion offences.

Meli, operating since 2012, has a history of providing malware services through online forums, including his previous sale of the Pegasus RAT. Odinakachi, on the other hand, provided customer support for Warzone RAT purchasers between June 2019 and March 2023.

Warzone RAT, also known as Ave Maria, operates under the malware-as-a-service (Maas) model, enabling threat actors to steal information and remotely control infected hosts for further exploitation. ????️‍♂️ Sold for $38 a month, its functionalities include browsing victim file systems, capturing screenshots, recording keystrokes, stealing credentials, and activating webcams without consent.

The FBI, in collaboration with international partners, covertly acquired copies of Warzone RAT, confirming its malicious capabilities. ????️‍♀️ This joint effort involved authorities from Australia, Canada, Croatia, Finland, Germany, Japan, Malta, the Netherlands, Nigeria, Romania, and Europol.

The dismantling of the Warzone RAT infrastructure marks a significant victory in the ongoing battle against cybercrime, demonstrating the effectiveness of global cooperation in combating online threats. ???? Organizations are urged to remain vigilant and enhance their cybersecurity measures to safeguard against such malicious activities. ????️????

????️ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.

  • Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran ‘Wealthy Primate’ might be able to help you climb that tree ???????? with his stick and banana approach ????????

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!

Recent articles