Full Report
A new investigation has unearthed nearly 200 unique command-and-control (C2) domains associated with a malware called Raspberry Robin. "Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to numerous criminal groups, many of which have connections to Russia," Silent Push said in a report shared with The
Analysis Summary
# Threat Actor: Raspberry Robin (Access Broker)
## Attribution & Identity
Raspberry Robin is a complex and evolving threat actor, described primarily as a provider of Initial Access Broker (IAB) services. It is also tracked under the aliases **Roshtyak** and **Storm-0856**. Its ties to Russia are supported by U.S. government reporting that the Russian nation-state actor **Cadet Blizzard** *may* have used Raspberry Robin as an initial access facilitator. The malware is sometimes called a "QNAP worm", a misleading label that stems from its long-standing use of compromised QNAP devices within its C2 infrastructure.
## Activity Summary
Raspberry Robin has been active since its emergence in **2019**. It operates as a conduit for other criminal groups, distributing next-stage malware under a pay-per-install (PPI) service model. Recent activities include:
* Operating a C2 infrastructure of over 180 unique domains (the report puts the total at nearly 200). Much of it was uncovered by tracing activity on compromised QNAP devices, all of which connected to a single IP address that functions as a Tor relay.
* Adopting new distribution methods: the payload is delivered as an archive containing a Windows Script File (.wsf), sent to victims over the messaging service Discord.
* Acquiring **one-day exploits** for local privilege escalation, i.e. exploits for vulnerabilities that had already been disclosed and patched but for which no public exploit code existed, and deploying them before exploit details became public.
* Spreading through a **USB-based propagation mechanism**: infected USB drives carry LNK files disguised as folders, so a user who opens the apparent folder launches the malware.
* Serving as an access broker for malware strains such as SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot.
## Tactics, Techniques & Procedures
- Initial Access Broker (IAB) services on a pay-per-install model.
- Use of compromised QNAP devices as part of its distribution and C2 infrastructure.
- Initial access and propagation via infected USB drives carrying LNK files disguised as folders.
- Exploitation of **one-day vulnerabilities** (disclosed and patched, but without public exploit code) for Local Privilege Escalation (LPE).
- Delivery via messaging services (e.g., Discord) of archives containing Windows Script Files (.wsf), relying on the recipient to open them.
- C2 communication that relies on **rapid rotation of domains** and Fast Flux techniques to evade detection and takedown efforts.
- Use of **Tor relays** to obscure the operators issuing commands.
## Targeting
- Sectors: Not detailed by sector in the report; its role as an access broker and its association with ransomware (LockBit) point to a broad range of financially motivated targeting.
- Geography: Not specified. The one geographic detail given is that the IP address fronting the C2 infrastructure, which acts as a Tor relay, is hosted in an E.U. country.
- Victims: No specific organizations are named. The activity suggests targeting of entities where initial access can be monetized, and the compromise of QNAP devices wherever they are exposed.
## Tools & Infrastructure
- Malware Families Used: Raspberry Robin (the primary malware/loader). It facilitates the deployment of **Dridex, LockBit, IcedID, BumbleBee, SocGholish, and TrueBot**.
- Infrastructure:
- Nearly **200 unique C2 domains** discovered, characterized by being short (e.g., `q2[.]rs`, `m0[.]wf`, `h0[.]wf`, `2i[.]pm`).
- Heavy use of **Fast Flux** techniques to rapidly rotate domains and IPs.
- Top TLDs observed: `.wf`, `.pm`, `.re`, `.nz`, `.eu`, `.gy`, `.tw`, and `.cx`.
- C2 infrastructure appears linked via a **singular IP address** operating through **Tor relays**, hosted in an E.U. country.
- Niche registrars used for domain registration (e.g., Sarek Oy, 1API GmbH, NETIM).
## Implications
Raspberry Robin represents a highly adaptive, multi-faceted initial access threat that bridges criminal and potentially nation-state activity (Cadet Blizzard). Its business model as a PPI service ensures its persistent presence across numerous downstream attacks, including ransomware and banking Trojans. The heavy investment in infrastructure obfuscation, particularly the rapid domain cycling and the use of Tor, makes disruption of its C2 operations extremely difficult.
## Mitigations
- Monitor DNS and egress traffic for the infrastructure pattern described above: very short domains on the observed TLDs (`.wf`, `.pm`, `.re`, `.nz`, `.eu`, `.gy`, `.tw`, `.cx`), names that resolve to many IPs with short TTLs (Fast Flux), and connections to known Tor relays. Blocking by TLD alone is noisy and a poor fit for legitimate `.eu`, `.nz` and `.tw` traffic; combine indicators rather than acting on one.
- Block or quarantine archives and script files (`.wsf` and similar) delivered through messaging platforms such as Discord, and restrict script execution for users who have no business need for it; reassociating `.wsf` with a text editor instead of the script host removes the double-click path.
- Harden against USB-borne infection. This technique does not depend on autorun: the user is induced to double-click an LNK file disguised as a folder, so disabling autorun is necessary but not sufficient. Show file extensions, restrict execution of programs launched from removable media (application control or attack surface reduction rules), and enforce strict USB device policies.
- Treat fixes for local privilege escalation vulnerabilities as urgent as soon as they ship. This actor has weaponized patched vulnerabilities before public exploit code existed, so waiting for a public PoC before prioritizing an LPE patch leaves a window it has already used.
- Monitor for the downstream payloads (SocGholish, Dridex, LockBit, IcedID, BumbleBee, TrueBot); where one is found, check for a Raspberry Robin infection as the likely initial access.
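The following is an added example, not code from the Silent Push report or from Raspberry Robin's tooling, that turns the infrastructure description in the Tools & Infrastructure section and the first mitigation above into a hunting pass over DNS resolver logs. The log format, client addresses, timestamps, thresholds and every IP address are constructed for the example; the two-character-label rule generalizes the four sample domains named in the report, and the TLD set is the report's top-TLD list. Each name gets one point for a very short second-level label, one for a report TLD, and one for Fast Flux behaviour (many distinct A-record answers with short TTLs inside one window); names scoring two or more are returned.

```python
"""Hunt for Raspberry Robin-style C2 names in resolver logs (added example, constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# The eight TLDs the report lists as most common among the ~200 C2 domains.
C2_TLDS = {"wf", "pm", "re", "nz", "eu", "gy", "tw", "cx"}

# Thresholds are assumptions for this example; tune them to your resolver volume.
MAX_LABEL_LEN = 2      # the report's examples (q2, m0, h0, 2i) are all two-character labels
FLUX_MIN_IPS = 4       # distinct A-record answers inside one window
FLUX_MAX_TTL = 300     # seconds; fast-flux names keep TTLs short so rotation takes effect
FLUX_WINDOW = 3600     # seconds

# Hypothetical resolver log format used for the constructed sample:
#   <epoch> <client> <qname> A <answer_ip> ttl=<seconds>
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+A\s+(\d+\.\d+\.\d+\.\d+)\s+ttl=(\d+)$")

# Constructed sample: one report-style C2 name, one short name on a TLD outside the
# top list, one CDN-like benign name, one plain benign name, and a non-A record.
SAMPLE_LOG = """
1700000000 10.0.0.5 h0.wf A 203.0.113.10 ttl=60
1700000300 10.0.0.5 h0.wf A 203.0.113.77 ttl=60
1700000600 10.0.0.9 h0.wf A 198.51.100.23 ttl=60
1700000900 10.0.0.5 h0.wf A 192.0.2.201 ttl=60
1700000000 10.0.0.7 q2.rs A 198.51.100.5 ttl=120
1700000400 10.0.0.7 q2.rs A 198.51.100.6 ttl=120
1700000800 10.0.0.7 q2.rs A 203.0.113.99 ttl=120
1700001200 10.0.0.8 q2.rs A 192.0.2.14 ttl=120
1700000000 10.0.0.5 cdn.example.net A 192.0.2.1 ttl=30
1700000200 10.0.0.5 cdn.example.net A 192.0.2.2 ttl=30
1700000400 10.0.0.5 cdn.example.net A 192.0.2.3 ttl=30
1700000600 10.0.0.5 cdn.example.net A 192.0.2.4 ttl=30
1700000000 10.0.0.6 www.example.com A 93.184.216.34 ttl=86400
1700000100 10.0.0.6 mail.example.com MX 0.0.0.0 ttl=3600
""".strip().splitlines()


@dataclass(frozen=True)
class Answer:
    ts: int
    client: str
    qname: str
    ip: str
    ttl: int


def parse_line(line):
    """Return an Answer for one A-record log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, ip, ttl = m.groups()
    return Answer(int(ts), client, qname.rstrip(".").lower(), ip, int(ttl))


def split_name(qname):
    """Return (second-level label, tld). Multi-part suffixes (co.uk etc.) are out of scope here."""
    parts = qname.rstrip(".").lower().split(".")
    if len(parts) < 2:
        return None, None
    return parts[-2], parts[-1]


def short_label(qname):
    label, _ = split_name(qname)
    return label is not None and 1 <= len(label) <= MAX_LABEL_LEN


def c2_tld(qname):
    _, tld = split_name(qname)
    return tld in C2_TLDS


def fast_flux_names(answers, window=FLUX_WINDOW):
    """Names resolving to >= FLUX_MIN_IPS distinct IPs within `window` seconds, all with low TTLs."""
    by_name = defaultdict(list)
    for a in answers:
        by_name[a.qname].append(a)
    flagged = set()
    for qname, rows in by_name.items():
        rows.sort(key=lambda a: a.ts)
        lo = 0
        for hi in range(len(rows)):          # sliding window over answers for this name
            while rows[hi].ts - rows[lo].ts > window:
                lo += 1
            span = rows[lo:hi + 1]
            if len({a.ip for a in span}) >= FLUX_MIN_IPS and max(a.ttl for a in span) <= FLUX_MAX_TTL:
                flagged.add(qname)
                break
    return flagged


def score_names(lines):
    """Score every queried name: +1 short label, +1 report TLD, +1 fast flux. Returns {qname: score}."""
    answers = [a for a in map(parse_line, lines) if a is not None]
    flux = fast_flux_names(answers)
    return {q: int(short_label(q)) + int(c2_tld(q)) + int(q in flux) for q in {a.qname for a in answers}}


def hunt(lines, threshold=2):
    """Names whose score reaches the threshold, highest score first."""
    scores = score_names(lines)
    return sorted((q for q, s in scores.items() if s >= threshold), key=lambda q: (-scores[q], q))


if __name__ == "__main__":
    for name, score in sorted(score_names(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{score}  {name}")
    print("flagged:", hunt(SAMPLE_LOG))
```

On the constructed sample, `h0.wf` scores 3 and `q2.rs` scores 2, while `cdn.example.net` scores only 1: it rotates four addresses with a 30-second TTL exactly as a CDN does, which is why the Fast Flux heuristic must not be used on its own. `q2.rs` shows the other side of the same point: the report itself names a `.rs` domain, so the top-TLD list is not exhaustive and the label-length and flux signals have to carry weight independently of it.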