ONE-ISAC and Silent Push
Title: Proactively Hunting Raspberry Robin’s Fast Flux Infrastructure
Abstract:
For the last 5 years, Raspberry Robin initial access brokers have scaled up their sophisticated infrastructure, continuing to do so since a partial takedown last year. The operators have since pivoted from what started as a USB-based worm — initially spread through compromised copy-print shops around the world — into using compromised QNAP and IoT devices to host C2 domains and, more recently, delivering malware via more traditional methods like phishing. The malware used in these attacks has been packed in as many as 14 layers, with complex obfuscation that has led to Raspberry Robin malware being publicly misidentified as simple adware payloads.
Raspberry Robin is also selling corporate access to a variety of mostly Russian threat actors, partnering with groups like SocGholish, Evil Corp, FIN11, Clop Gang, Dridex, and Lockbit.
In September 2024, the FBI, CISA, and NSA released a joint statement assessing that “cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155)” — who are known to target both transportation systems and energy industries — have been seen in the wild using Raspberry Robin in their attacks.
This presentation will provide extensive yet readily digestible detail on the history of Raspberry Robin, as well as methods defenders can use to track the domains used in its C2 infrastructure.