
NetFlow analysis of Raspberry Robin (Sekoia, 2023)
Raspberry Robin, also tracked as Roshtyak or Storm-0856, has evolved from a USB worm that spread through print and copy shops into a full initial access broker (IAB) serving some of the most active cybercriminal groups and, more recently, Russian state-sponsored actors. A recent report by Silent Push, produced in collaboration with Team Cymru, lays out the group's current activity, infrastructure, and connections, and the picture is of a threat that has grown steadily more dangerous.
Silent Push's research, which pivoted on key nameservers, domain naming conventions, and IP/ASN diversity patterns, surfaced nearly 200 unique Raspberry Robin command and control (C2) domains. Despite that spread across hosts and networks, the infrastructure is now understood to be tied together by a single shared IP address, a detail that only emerged through the collaboration with Team Cymru's network-level visibility.
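The pivot described above (nameserver overlap, a naming convention, IP/ASN diversity, and a shared hub IP) is a general infrastructure-clustering technique, so the following added example walks through it on constructed passive-DNS style records. This is illustration code written for this page, not Silent Push's or Team Cymru's tooling; the domains, nameservers, IPs, ASNs and the short-label naming regex are all invented for the example and are not Raspberry Robin indicators.

```python
"""Infrastructure pivoting over passive-DNS style records (added example).

Domains, nameservers, IPs and ASNs below are constructed: documentation IP
ranges, private-use ASNs, the reserved .example TLD. No real indicators.
"""
import re
from collections import defaultdict

# Hypothetical naming convention: a short alphanumeric label under one TLD.
NAMING_RE = re.compile(r"^[a-z0-9]{2,5}\.[a-z]+$")

# Constructed records: each domain with the nameservers it was delegated to
# and the (ip, asn) pairs it resolved to. 203.0.113.40 is the planted hub.
PDNS = [
    {"domain": "k4x.example", "ns": {"ns1.bulkdns.example"},
     "a": {("198.51.100.7", "AS64500"), ("203.0.113.40", "AS64501")}},
    {"domain": "zt6.example", "ns": {"ns1.bulkdns.example", "ns2.bulkdns.example"},
     "a": {("198.51.100.9", "AS64500"), ("203.0.113.40", "AS64501")}},
    {"domain": "p9q.example", "ns": {"ns2.bulkdns.example"},
     "a": {("192.0.2.33", "AS64502"), ("203.0.113.40", "AS64501")}},
    {"domain": "m2w.example", "ns": {"ns2.bulkdns.example"},
     "a": {("192.0.2.88", "AS64503"), ("203.0.113.40", "AS64501")}},
    # Legitimate customer of the same DNS provider: shares ns1, fails naming.
    {"domain": "my-long-corporate-site.example", "ns": {"ns1.bulkdns.example"},
     "a": {("198.51.100.200", "AS64500")}},
    # Fits the naming regex but lives on an unrelated nameserver.
    {"domain": "blog.example", "ns": {"ns9.otherdns.example"},
     "a": {("192.0.2.5", "AS64510")}},
]


def _by_domain(records):
    return {r["domain"]: r for r in records}


def pivot_on_nameservers(records, seeds, naming_re=NAMING_RE, max_rounds=10):
    """Grow a seed set through shared nameservers until it stops changing.

    Only domains that also match the naming convention are admitted, so an
    unrelated customer of the same DNS provider is not swept into the cluster.
    """
    cluster = set(seeds)
    idx = _by_domain(records)
    for _ in range(max_rounds):
        nameservers = set().union(*(idx[d]["ns"] for d in cluster if d in idx))
        grown = {r["domain"] for r in records
                 if r["ns"] & nameservers and naming_re.match(r["domain"])}
        grown |= cluster
        if grown == cluster:
            break
        cluster = grown
    return sorted(cluster)


def ip_asn_diversity(records, domains):
    """Count distinct resolved IPs and ASNs across the cluster.

    High diversity on its own suggests scattered hosting; high diversity
    combined with one IP common to all of them is the pattern worth chasing.
    """
    ips, asns = set(), set()
    for r in records:
        if r["domain"] in domains:
            for ip, asn in r["a"]:
                ips.add(ip)
                asns.add(asn)
    return len(ips), len(asns)


def hub_ips(records, domains, min_domains=3):
    """Return IPs that at least `min_domains` cluster members resolved to."""
    ip_to_domains = defaultdict(set)
    for r in records:
        if r["domain"] in domains:
            for ip, _ in r["a"]:
                ip_to_domains[ip].add(r["domain"])
    return {ip: sorted(ds) for ip, ds in ip_to_domains.items()
            if len(ds) >= min_domains}


if __name__ == "__main__":
    cluster = pivot_on_nameservers(PDNS, {"k4x.example"})
    print("cluster:", cluster)
    print("distinct IPs, ASNs:", ip_asn_diversity(PDNS, cluster))
    print("hub IPs:", hub_ips(PDNS, cluster))
```

Starting from a single seed, the nameserver pivot reaches the second nameserver through a domain delegated to both, pulls in the rest of the set, and leaves both decoys out: the long corporate name fails the naming filter, and the short blog name never shares a nameserver. The diversity count then shows hosting spread over several networks while the hub check isolates the one address every member resolved to, which is the kind of single-IP link the report describes.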
The report also corroborates the September 2024 announcement from CISA, linking Raspberry Robin to the Russian GRU’s Unit 29155. This connection underscores the severity of the threat, as it aligns Raspberry Robin with state-sponsored cyber operations.
Raspberry Robin's original infection vector was infected USB drives, often seeded through print and copy shops. The drives carried malicious LNK files disguised as folders; opening one triggered the infection chain. The group's tradecraft has since changed substantially. Today Raspberry Robin uses compromised QNAP NAS devices, routers, and other IoT equipment as delivery and relay infrastructure, and wraps its payloads in heavy obfuscation, including multi-layer packing, to slow analysis and evade detection.
The group’s evolution also includes new distribution methods, such as using Discord to send archive files with malicious DLLs and spreading malware through web downloads using archive files and Windows Script Files.
Raspberry Robin operates as an initial access broker, selling footholds on compromised systems to other criminal groups. This model has become increasingly common because it lets threat actors specialize in one stage of an intrusion and buy the rest. Raspberry Robin's customers include some of the most serious operations active today, among them the groups behind SocGholish, Dridex, and LockBit, many of which have ties to Russia.
“Given the varied visibility into Raspberry Robin infrastructure experienced by endpoint protection companies, defenders, and our research partners, extensive collaboration will continue to be key to uncovering more about this ongoing threat and ultimately stopping it,” the report states. Organizations are urged to be vigilant for signs of Raspberry Robin’s involvement in attacks and to share information with law enforcement to facilitate effective countermeasures.