In a significant development in cybersecurity research, Silent Push has identified nearly 200 unique command and control (C2) domains associated with the Raspberry Robin malware.
This discovery, made through the identification of key nameservers, domain naming conventions, and IP and ASN diversity patterns, provides crucial insights into the infrastructure of this sophisticated threat actor.
Evolution from USB Worm to Initial Access Broker
Raspberry Robin, also known as Roshtyak or Storm-0856, has evolved from its initial appearance as a USB worm in 2019 to become a complex initial access broker (IAB) service.
The threat actor now provides access to numerous criminal groups, many with connections to Russia, including the Russian GRU’s Unit 29155 cyber actors.
The malware’s attack methodology has shifted from USB drive infections to more advanced tactics.
These include leveraging compromised QNAP NAS boxes, routers, and IoT devices, as well as employing multi-layer packing techniques to obfuscate malware.
According to the report, Raspberry Robin has been linked to serious threat actors such as SocGholish, Dridex, and LockBit.

Infrastructure Analysis and Collaboration
Silent Push’s research, conducted in collaboration with Team Cymru, has revealed a sophisticated C2 infrastructure connected through a single IP address.
This finding, based on updated NetFlow analysis from 2024, provides a map of Raspberry Robin’s C2 network.
The threat actor’s domains primarily use lower-reputation 2-letter TLDs, with .wf, .pm, and .re being among the most common.
Following a takedown of approximately 80 domains on Namecheap in 2022, Raspberry Robin shifted to using multiple niche registrars.

The majority of its domains are now hosted on ClouDNS nameservers.
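One way a defender could turn the infrastructure traits described above (lower-reputation 2-letter TLDs, ClouDNS nameservers, many domains resolving to one shared IP) into a hunting heuristic over passive-DNS records. This is an added example, not code from Silent Push or Team Cymru; it assumes ClouDNS nameserver hostnames contain the substring "cloudns", and the records, domains and IPs are constructed rather than real indicators.

```python
from collections import defaultdict

# Traits taken from the report: the TLDs it names and the nameserver provider.
SUSPECT_TLDS = {"wf", "pm", "re"}
NS_PROVIDER_MARKER = "cloudns"  # assumption: ClouDNS NS hostnames contain this substring

# Constructed passive-DNS-style records: (domain, A record, NS hostname).
# TEST-NET addresses and made-up names; none of these are real indicators.
RECORDS = [
    ("qx7v.wf", "203.0.113.10", "pns1.cloudns-example.net"),
    ("t3mk.pm", "203.0.113.10", "pns2.cloudns-example.net"),
    ("z9rd.re", "203.0.113.10", "pns3.cloudns-example.net"),
    ("a1bc.wf", "203.0.113.10", "pns4.cloudns-example.net"),
    ("shop.example.com", "203.0.113.10", "ns1.example-dns.net"),  # ordinary co-tenant
    ("blog.example.org", "198.51.100.7", "ns1.example-dns.net"),
    ("lone.pm", "198.51.100.9", "pns1.cloudns-example.net"),  # traits match, but no cluster
]


def score_domain(domain, ns_host):
    """Count how many of the report's per-domain traits a record matches (0-2)."""
    score = 0
    tld = domain.rsplit(".", 1)[-1].lower()
    if tld in SUSPECT_TLDS:
        score += 1
    if NS_PROVIDER_MARKER in ns_host.lower():
        score += 1
    return score


def cluster_by_ip(records):
    """Group (domain, ns) pairs by the IP they resolve to: the shared-IP pivot."""
    by_ip = defaultdict(list)
    for domain, ip, ns_host in records:
        by_ip[ip].append((domain, ns_host))
    return by_ip


def hunt(records, min_cluster=3, min_score=2):
    """Return {ip: sorted domains} for IPs shared by at least min_cluster domains
    that each match at least min_score traits. A single matching domain is not
    reported on its own; the cluster behind one IP is what the report pivots on."""
    hits = {}
    for ip, entries in cluster_by_ip(records).items():
        matching = sorted(d for d, ns in entries if score_domain(d, ns) >= min_score)
        if len(matching) >= min_cluster:
            hits[ip] = matching
    return hits


if __name__ == "__main__":
    for ip, domains in hunt(RECORDS).items():
        print(ip, "->", ", ".join(domains))
```

Thresholds are deliberately conservative: the legitimate co-tenant on the shared IP scores 0 and is dropped, and a lone matching domain is not flagged until it shares an IP with others.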
The connection between Raspberry Robin and Russian threat groups, including state-sponsored actors, underscores the gravity of this threat.
As the malware continues to evolve and adapt, collaboration among cybersecurity researchers and law enforcement agencies will be crucial in tracking and mitigating its impact.
Silent Push’s ongoing monitoring of Raspberry Robin’s C2 domains and infrastructure provides valuable intelligence for defenders.
As the threat landscape continues to evolve, this research highlights the importance of proactive threat hunting and information sharing in combating sophisticated cyber threats.