Raspberry Robin Keeps Riding the Wave of Endless 1-Days

Key Findings

  • Two new 1-day LPE exploits were used by the Raspberry Robin worm before they were publicly disclosed, which means that Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time.
  • Raspberry Robin is continually updated with new features and evasions to be even stealthier than before.
  • Raspberry Robin slightly changed its communication method and lateral movement to avoid being caught by behavioral signatures implemented based on its previous version.
  • Raspberry Robin is spread with a new delivery method, disguising as a legitimate Windows component.


Raspberry Robin is a widely distributed worm first reported by Red Canary in 2021. Its capabilities and evasions in addition to its very active distribution made it one of the most intriguing malware out there. We at Check Point Research published an article a couple of months ago using Raspberry Robin as an example of identifying and mitigating different evasion behaviors.

Raspberry Robin is part of a much larger malware ecosystem and acts as an initial access broker to additional malware deployment by other crime groups. The different crime groups associated with Raspberry Robin include EvilCorp, TA505 and others.

Since last October, we have seen large waves of attacks against our customers worldwide. Since our last report, it is clear that Raspberry Robin hasn’t stopped implementing new features and tricks that make it even harder to analyze.

Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed. Those 1-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a 0-day and was sold on the Dark Web.


In past campaigns, Raspberry Robin had several initial access vectors, leading to the main sample. The most prevalent one is via an LNK disguised as a thumb drive or a network share.

In this campaign, the attack flow started from archive files named File.Chapter-1.rar (we also found other names such as File_Part-1.rar or Part.File-1.rar) which were downloaded from Discord as an attachment.

Those archives contained the following items:

  1. OleView.exe, a legitimate and signed Microsoft executable.
  2. aclui.dll, a signed file, but the signature is not valid.

OleView.exe is used to load the malicious DLL, which is a packed Raspberry Robin sample that it calls from the main function. We found several unique unused export function names for those DLL samples that lead to kernel32.Sleep API:

  • BodsuwtubestdHnit
  • EalEsneataysxxt
  • EaipifEeetoio
  • TaretxopnnevnNtitx

Attackers commonly choose Oleview.exe as a target for side-loading, primarily because it doesn’t typically exist on the disk by itself and requires a DLL to function. Therefore, it’s considered normal behavior to find Oleview.exe alongside a DLL brought to disk in a random directory and executed together. Additionally, because the DLL files are signed by Microsoft, they are inherently more trusted by some security solutions.

Figure 1: The Raspberry Robin attack flow.Figure 1: The Raspberry Robin attack flow.

Raspberry Robin exploits


Raspberry Robin has multiple ways of escalating its privileges which we reported in earlier blogposts. One way is to use kernel LPE exploits. Those exploits are stored encrypted with an RC4 key and are used only if the victim’s computer is vulnerable to those exploits. This means that Raspberry Robin will try to use the exploits only for specific Windows versions and build numbers. In the new samples, the malware injects the kernel exploits into cleanmgr.exe (in former samples it was into winver.exe) using the KernelCallbackTable injection method (used in the previous samples as well). Raspberry Robin injects a unique loader that resides in memory and loads an external PE which is the exploit. Interestingly, one of the exploits has changed since the last version and we identified it as targeting the CVE-2023-36802 vulnerability.

CVE-2023-36802 overview

CVE-2023-36802 is a Type Confusion vulnerability in Microsoft Streaming Service Proxy that allows a local attacker to escalate privileges to SYSTEM (Local Privilege Escalation). The vulnerability is triggered when one of the following IOCTLs (IOCTL_FRAMESERVER_PUBLISH_TXIOCTL_FRAMESERVER_CONSUME_TXIOCTL_FRAMESERVER_CONSUME_RX) is performed on the mkssrv device. This is after sending an IOCTL such as IOCTL_FRAMESERVER_INIT_CONTEXT that initializes the FsContext2 field to an object of type FsContextReg.

The vulnerability was disclosed back on September 12 and was declared to have been exploited in the wild for some time before it was used as a 0-day, but no information was given about the group that used it.

blogpost by Cyfirma revealed that an exploit for CVE-2023-36802 was sold on Dark Web forums in February 2023. This was seven months before Microsoft and CISA released an advisory on active exploitation.

Vulnerability timeline:

  • February 2023: An exploit for CVE-2023-36802 is sold on Dark Web forums.
  • September 12, 2023: CVE-2023-36802 is patched and publicly disclosed, and reported to have been seen in the wild.
  • October 2023: Raspberry Robin starts to use an exploit for CVE-2023-36802.
  • October 10, 2023: Valentina Palmiotti publishes details of CVE-2023-36802 and its exploitation.

Figure 2: Seller’s message for the <strong>CVE-2023-36802</strong>
exploit on the Dark Web.Figure 2: Seller’s message for the CVE-2023-36802 exploit on the Dark Web.

Exploit flow

The exploit, relevant to Windows 10 up through build number 22621, starts with initializing a main structure. The main structure looks like this:

main_struct {
    dword version_less_than_19044_flag  
    dword token_offset   
    dword previousmode_offset
    qword system_eprocess_addr
    qword cur_eprocess_addr         

The values for the Token offset and the PreviousMode offset are based on the Windows version which the malware checks by comparing to OSBuildNumber variable from the PEB.

Figure 3: The different offsets based on the OS build number.Figure 3: The different offsets based on the OS build number.

The EPROCESS addresses are retrieved by using a NtQuerySystemInformation API and a couple of undocumented, but well-known structures SYSTEM_HANDLE_INFORMATION and SYSTEM_HANDLE_TABLE_ENTRY_INFO. This is a known technique for leaking kernel object addresses.

The malware then generates a random pipe name based on a UUID by using the APIs UuidCreate and UuidToStringW. From this point, the flow differs depending on if the Windows version is lower than 19044 or higher.

For more information on why two flows are needed and what occurs in each one, read the great explanation by Google Project Zero.

Even though the flow is similar to the one described in the Google Project Zero blog and the fact that this exploit was used in the wild as a 0-day, we don’t have any evidence that Raspberry Robin used it as a 0-day, only as a 1-day. Therefore, we started to analyze files before the public disclosure of this vulnerability.

Past Exploitations

After looking at samples of Raspberry Robin prior to October, we found that it also used an exploit for CVE-2023-29360. This vulnerability was publicly disclosed in June and was used by Raspberry Robin in August. Even though this is a pretty easy vulnerability to exploit, the fact that the exploit writer had a working sample before there was a known exploit in GitHub is impressive as is how quickly Raspberry Robin used it.

This exploit also has the same loader and the same obfuscation scheme for the strings as the CVE-2023-36802 exploit and the flow is similar. Interestingly, this vulnerability is also in the mskssrv.sys, meaning the exploit writer is working on this driver. We may see other vulnerabilities in the driver being exploited in the wild.

Figure 4: CVE-2023-29360 exploitation flow.Figure 4: CVE-2023-29360 exploitation flow.

In 2022, Raspberry Robin used an exploit for CVE-2021-1732 a year after it was publicly disclosed. For CVE-2023-36802 it took almost 2 months, and with CVE-2023-36802 it took less than a month. Raspberry Robin is reducing the time it takes to utilize the exploits for Privilege Escalation. This helps the malware take advantage of the fact that people don’t update Windows too often and gives it more time to exploit the vulnerability.

Figure 5: <strong>CVE-2023-29360</strong> timeline.Figure 5: CVE-2023-29360 timeline.
Figure 6: <strong>CVE-2023-36802</strong> timeline.Figure 6: CVE-2023-36802 timeline.

Malware Overview

The flow of Raspberry Robin is still largely unchanged, with multiple stages stored in memory in a custom format that are unpacked and run without the headers section. The code in all stages is heavily obfuscated in the same way, including the main payload itself. The main anti-analysis stage still contains the methods it had in the previous version but as in the main payload, the malware’s authors added some new features which we will now discuss.

New anti-analysis methods

Raspberry Robin added some new features that it uses to decide whether to get to the main stage in different stages:

  1. In the first stage, Raspberry Robin checks if the APIs GetUserDefaultLangID and GetModuleHandleW are hooked. It does this by comparing the first byte of the API to 0xb8 which means those APIs were hooked. This is because the original byte of those APIs should be 0x48 (which means the jmp opcode) as in the following image.
Figure 7: GetDefaultLangId API opcodes.
  1. runlegacycplelevated.exe termination – RunLegacyCPLElevated.exe is a legitimate executable associated with the User Account Control (UAC) feature in Windows. It is used to elevate the privileges of Control Panel items (CPL) that require administrative permissions. Malware often tries to avoid detection by interfering with system processes. Raspberry Robin uses different techniques in an attempt to elevate its privileges, and some of them involve UAC bypasses. Raspberry Robin probably tries to terminate this process because it wants to perform malicious actions with elevated privileges without triggering UAC prompts.
  2. runonce.exe termination – Raspberry Robin persistence involves being written to the RunOnce registry key. Therefore, after the computer is rebooted, the malware is executed by the runonce.exe process. To cover its tracks, Raspberry Robin terminates the runonce.exe process.
  3. NtTraceEvent hooking – EDR products have the option of using multiple sources to collect information on a Windows operating system. One of these log sources is ETW (Event Tracing for Windows). ****The NtTraceEvent API is the central switching point for writing an event through ETW. Therefore, to bypass the ETW Raspberry Robin patches the NtTraceEvent API not to do anything when it is being called.
Figure 8: NtTraceEvent API code.Figure 8: NtTraceEvent API code.

New Evasion Tricks

  • Shutdown evasion – To ensure that Raspberry Robin is not prevented from finishing its job by a system shutdown, it implements two routines, each in a different thread it creates. Those threads are hidden by the API NtSetInformationThread with ThreadHideFromDebugger argument upon which we elaborated in our previous blogpost. In the first thread, the malware calls in a loop to the API AbortSystemShutdownW that stops a system shutdown that was initiated. The second thread creates a window with a WNDPROC callback that calls the ShutdownBlockReasonCreate API. This API indicates that the system cannot be shut down and sets a reason string to be displayed to the user if a system shutdown is initiated.
Figure 9: AbortSystemShutdownW flow in Raspberry Robin.Figure 9: AbortSystemShutdownW flow in Raspberry Robin.
  • Remote Desktop check – Raspberry Robin also checks if the victim’s computer is a remote desktop or not. It does that by checking 3 things:
    1. Calls the API GetSystemMetrics with SM_REMOTESESSION as an argument. If the value is nonzero then the current session is remotely controlled.
    1. Queries the value in HKLM\System\CurrentControlSet\Control\Terminal Server\GlassSessionId. If the value is the same as the local SessionId then the victim’s computer is not remote-controlled.
    2. Searches files in the path \\tsclient\c. The tsclient folder on Windows typically relates to Remote Desktop Services (RDS) or Remote Desktop Connection (RDC). This folder is used to store information related to remote connections and configurations. Therefore, if the malware finds files in this directory, the computer is remote-controlled.
Figure 10: Raspberry Robin’s check of SM_REMOTESESSION
  • Stop running in case of UWF filter driver – A Unified Write Filter (UWF) filter driver is a component designed to protect the integrity of a system’s directories by redirecting write operations to a virtual overlay, preventing permanent changes to the underlying storage. It’s commonly used in scenarios where a system needs consistency, such as in embedded systems, kiosks, or thin clients. Raspberry Robin checks if there is any driver by using a COM object and the following query: “Select * from UWF_FILTER”. If it finds an object, the malware goes straight to cleaning up and rebooting.

Lateral Movement

Raspberry Robin slightly changed its lateral movement logic. Instead of using PsExec.exe, it uses PAExec.exe which it downloads straight from the official website https://www.poweradmin[.]com/paexec.exe. PAExec is designed to allow administrators to run processes on remote systems. It shares similarities with PsExec but the primary difference is that PsExec was developed by Sysinternals (Microsoft) and is widely used and recognized in the IT community for remote process execution. On the other hand, PAExec is a tool developed by PowerAdmin LLC and is less well-known. The other parts of the Lateral Movement by Raspberry Robin stayed the same. For example, the payload to be executed is still a self-extracting package and the config is in the same template and syntax.

Figure 11: PAExec.exe usage message.Figure 11: PAExec.exe usage message.


The flow of Raspberry Robin’s communication method has changed slightly. It starts with trying to contact legitimate and well-known tor domains and checking if it gets any response. If there is no response, Raspberry Robin doesn’t try to communicate with the real C2 servers.

The list of the tor domains:


Raspberry Robin then randomly chooses a domain from another list that contains 60 hardcoded onion addresses. The big difference from previous samples is that the domains are V3 onion addresses and not V2. It might be because V2 onion addresses are officially deprecated and the Tor Browser no longer supports them in its latest version. The data being sent is still very similar to the previous version with a bit’s worth of data added as the processes tree of the malware, and the file names inside the C:\ directory. This data is encrypted with RC4 and then b64 encoded as the path in the communication with the C2. The communication between Raspberry Robin and the C2 is performed through a TOR module being injected into another process as rundll32.exe or regsvr32.exe.

Version comparison

Previous version Current version
Delivery method Mostly USB drives Discord RAR files
Exploits injection process winver.exe cleanmgr.exe
Lateral Movement PSExec.exe PAExec.exe
Onion domains V2 domains V3 domains
hooking check X V
NtTraceEvent hooking X V
runonce.exe termination X V
runlegacycplelevated.exe termination X V
Shutdown evasion X V
Remote Desktop evasion X V
UWF filter evasion X V


Raspberry Robin belongs to a rapidly growing club of malware that tries to avoid running on any VM. To achieve that, it added various evasions in many stages and kept making adjustments. We assume that Raspberry Robin will continue along this path and will use many other tricks it learns along the way.

The current version of Raspberry Robin not only added new unique features but also used new exploits for privilege escalation. One of these exploits was also sold on the Dark Web as a 0-day exploit half a year before it was publicly disclosed. The second exploit was also used not long after it was publicly disclosed. We assume that Raspberry Robin buys the 1-day exploits from an exploit developer and does not create its own exploits for several reasons:

  • The exploits are used as an external 64-bit executable. If the Raspberry Robin authors were the developers of the exploits, then they would have probably used the exploits in the main component itself. In addition, the exploits would be packed in the same way and have the same format as the different stages of the main component.
  • The exploits are only suitable for 64-bit and not for 32-bit even though the main component is suitable also for 32-bit.
  • The exploits are not heavily obfuscated and don’t have Control flow flattening and variable masking as in Raspberry Robin’s main component.

Due to the rapid turnover in the exploits used, we also assume that Raspberry Robin will keep using new exploits for vulnerabilities that as of the first time they are used still have no public POC.

Check Point Customers Remain Protected

Check Point Customers remain protected against attacks detailed in this report while using Check Point Anti-Bot, Harmony Endpoint and Threat Emulation.

Threat Emulation

  • Trojan.Wins.RaspberryRobin.ta.C
  • Trojan.Wins.RaspberryRobin.D
  • Trojan.Wins.RaspberryRobin.E
  • Trojan.Wins.RaspberryRobin.F
  • Trojan.Wins.RaspberryRobin.G
  • Trojan.Wins.RaspberryRobin.ta.H
  • Trojan.Wins.RaspberryRobin.ta.I



Onion domains

The post Raspberry Robin Keeps Riding the Wave of Endless 1-Days appeared first on Check Point Research.

Article Link: Raspberry Robin Keeps Riding the Wave of Endless 1-Days - Check Point Research