Researchers have uncovered nearly 200 unique command-and-control (C2) domains associated with the malware Raspberry Robin, a complex and evolving threat actor. This malware, also known as Roshtyak or Storm-0856, provides initial access broker (IAB) services to numerous criminal groups, many of which have connections to Russia. Since its emergence in 2019, Raspberry Robin has become a conduit for several malicious strains, including SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot.
Due to its frequent use of compromised QNAP devices to retrieve payloads, it is also referred to as the QNAP worm.
Over time, Raspberry Robin has expanded its distribution methods to include new techniques for evading detection. These methods involve downloading the malware via archives and Windows Script Files sent as attachments through the messaging service Discord. Additionally, it has incorporated one-day exploits for local privilege escalation, often before these vulnerabilities were publicly disclosed. There are also indications that the malware is used as a pay-per-install (PPI) botnet, delivering next-stage malware to compromised systems.
Another key element of its propagation strategy involves USB-based distribution, where compromised USB drives activate the malware via a Windows shortcut file disguised as a folder.
The U.S. government has linked Raspberry Robin to the Russian nation-state threat actor Cadet Blizzard, which may have used it as an initial access facilitator. Silent Push, in collaboration with Team Cymru, conducted a thorough investigation and discovered an IP address acting as a data relay to connect compromised QNAP devices. This IP address was traced through Tor relays, allowing operators to interact with compromised devices while maintaining anonymity. Researchers identified over 180 unique C2 domains linked to the malware, highlighting its widespread and evolving infrastructure.
The C2 domains associated with Raspberry Robin are short and rapidly rotated using a technique called fast flux, making them difficult to take down. These domains use top-level domains like .wf, .pm, .re, .nz, .eu, .gy, .tw, and .cx, with registration through niche registrars such as Sarek Oy, 1API GmbH, and CentralNic Ltd. Most of the identified domains use name servers operated by a Bulgarian company, ClouDNS. The investigation further revealed that Raspberry Robin’s use by Russian threat actors aligns with its history of facilitating attacks for well-known criminal groups like LockBit, Dridex, Evil Corp, and Clop Gang.
