Zscaler Blog


Security Research

Tracking Updates to Raspberry Robin

THREATLABZ
August 04, 2025 - 8 min read

Introduction

Raspberry Robin, also known as Roshtyak, is a malicious downloader that has been active since 2021 and spreads primarily through infected USB devices. Despite limited public reporting, it continues to evolve, adopting new techniques to extend its functionality and evade detection. Our previous technical analysis covers the malware's earlier internals in detail.

In this blog, we outline the latest updates to Raspberry Robin: improved obfuscation methods, a switch from AES-CTR to ChaCha20 for network encryption, a new local privilege escalation exploit (CVE-2024-38196), and the embedding of deliberately invalid TOR onion domains, which complicates the extraction of Indicators of Compromise (IOCs).

Key Takeaways

  • Raspberry Robin is an advanced malware downloader that has been active since 2021.
  • The developers have improved the malware’s obfuscation methods by adding multiple initialization loops to functions with a flattened control flow, making brute-force decryption less efficient.
  • The network encryption algorithm has changed from AES (CTR mode) to ChaCha20.
  • Raspberry Robin has added a new local privilege escalation (LPE) exploit (CVE-2024-38196) to gain elevated privileges on targeted systems.
  • The malware embeds invalid command-and-control (C2) server (TOR onion) domains.
  • Certain values, such as the RC4 key seed, are randomized per sample/campaign.

Technical Analysis

In this section, we describe the most significant changes we observed in Raspberry Robin’s functionality. It is worth noting that most of these changes were implemented shortly after our previous publication.

Obfuscation

Raspberry Robin continues to use the same obfuscation techniques discussed in our prior analysis of the malware. However, we have observed three notable changes, which we discuss below.

Initialization loops

One key update is the addition of extra initialization loops to the functions with flattened control flow. Previously, the decryption key of each obfuscated function could be brute-forced. To counter this, the developers introduced multiple initialization loops, which makes brute-force recovery inefficient and adds further junk and obfuscated code to each function.

Obfuscated stack pointers

Another notable update is Raspberry Robin's use of obfuscated stack pointers. The technique breaks IDA's decompiler: IDA's stack-frame analysis interprets the accessed pointer as a large, out-of-frame value, and the function fails to decompile. To obtain a readable decompilation, analysts must manually repair the function's stack frame.

The figure below shows how Raspberry Robin's obfuscated stack pointers interfere with the decompilation process of IDA.


Figure 1: Example of Raspberry Robin’s new obfuscated stack pointers.

Obfuscated conditional statements

The third notable change is the obfuscation of conditional statements, which further complicates reconstruction of Raspberry Robin's logic during code analysis.


Figure 2: Example of Raspberry Robin’s obfuscation for conditional statements.

Network communication

Although the network encryption process of Raspberry Robin remains nearly the same, ThreatLabz has identified several key changes:

  • Raspberry Robin now encrypts network data with ChaCha20 instead of AES-CTR. The 32-byte key is hardcoded in the binary, while the counter and nonce are generated randomly for each request. Because the key is static, traffic captured from an infected host can be decrypted once the key has been extracted from the sample; the per-request nonce and counter only prevent identical ciphertexts for repeated messages.
  • Raspberry Robin continues to use a 16-byte RC4 key, but the 8-byte random seed is now appended to the end of the key rather than prepended to the beginning. Additionally, the hardcoded portion of the key varies between samples and campaigns.
  • The CRC-64 algorithm itself is unchanged, but its initial values are now randomized per sample/campaign.

The random counter and nonce values for ChaCha20 are prepended to the encrypted data using the structure below. Its four 32-bit words (a 32-bit block counter plus a 96-bit nonce split into three parts) match the IETF ChaCha20 variant (RFC 8439); note that the fields are not stored in the order in which they enter the cipher state.

struct encryptionInfo
{
 uint32_t nonce_part2;   // second 32-bit word of the 96-bit nonce
 uint32_t nonce_part3;   // third 32-bit word of the 96-bit nonce
 uint32_t counter;       // 32-bit initial block counter
 uint32_t nonce_part1;   // first 32-bit word of the 96-bit nonce
};


Command-and-control (C2) onion domain obfuscation

Raspberry Robin has also updated its method of embedding intentionally corrupted TOR onion domains. Starting in early 2024, the TOR module included a hardcoded algorithm that dynamically corrects the decrypted C2 domains before they are used. The Python code example below (reproduced as an image in the original post) illustrates the domain correction algorithm.

[Python code sample: Raspberry Robin's domain correction algorithm, shown as an image in the original post]

By early 2025, the threat actors had modified this part of the code, and the correction algorithm now differs per sample/campaign. An example is shown in the figure below.


Figure 3: Raspberry Robin C2 dynamic correction algorithm.
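Because the correction routine now changes from sample to sample, an analyst cannot trust a decrypted string to be the real C2 until it has been corrected and validated. The Python below, an added example rather than code from the post or from the malware, implements the check a practitioner wants here: it verifies that a candidate is a structurally valid v3 onion address (Tor's rend-spec-v3 layout: base32 of PUBKEY || CHECKSUM || VERSION, with CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] and VERSION = 3), so that uncorrected or wrongly corrected domains are rejected. The substitution table used as the "correction algorithm" is a constructed stand-in; the real per-sample algorithms are not reproduced here.

```python
# Added example for this page; not Raspberry Robin's code and not from the original post.
# Validate v3 onion addresses recovered from a sample and apply a hypothetical correction table.
import base64
import hashlib

B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
ONION_V3_VERSION = b"\x03"
ONION_V3_CHECKSUM_PREFIX = b".onion checksum"


def _checksum(pubkey):
    # Tor rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(ONION_V3_CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def make_onion_v3(pubkey):
    """Build a v3 address from a 32-byte ed25519 public key (used here to construct test data)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_V3_VERSION      # 35 bytes -> exactly 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def split_host_port(c2):
    """'host.onion:9211' -> ('host.onion', 9211); a missing port yields None."""
    host, sep, port = c2.rpartition(":")
    if not sep:
        return c2, None
    return host, int(port)


def is_valid_onion_v3(c2):
    """True only if the host decodes to PUBKEY || CHECKSUM || VERSION with a matching
    checksum and version 3. A corrupted embedded domain fails this check."""
    host, _ = split_host_port(c2)
    if not host.endswith(".onion"):
        return False
    label = host[: -len(".onion")]
    if len(label) != 56 or any(ch not in B32_ALPHABET for ch in label):
        return False
    raw = base64.b32decode(label.upper())  # 56 chars is a whole base32 group: no padding needed
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_V3_VERSION and checksum == _checksum(pubkey)


# Hypothetical per-sample correction (constructed for this example only): the stored domain
# has four letters swapped for characters outside the base32 alphabet, so the raw decrypted
# string is never a usable address until the table is applied.
CORRUPT_TABLE = str.maketrans("oiqb", "0189")
CORRECT_TABLE = str.maketrans("0189", "oiqb")


def corrupt_domain(c2):
    """Produce the embedded (invalid) form of a C2, as the sample would store it."""
    host, port = split_host_port(c2)
    host = host.translate(CORRUPT_TABLE)
    return host if port is None else f"{host}:{port}"


def recover_c2(embedded):
    """Apply the (hypothetical) correction table and return the C2 only if the result
    is a structurally valid v3 address; otherwise return None."""
    host, port = split_host_port(embedded)
    fixed = host.translate(CORRECT_TABLE)
    if not is_valid_onion_v3(fixed):
        return None
    return fixed if port is None else f"{fixed}:{port}"


if __name__ == "__main__":
    # Constructed key: any 32 bytes give a syntactically valid address for demonstration.
    real_c2 = make_onion_v3(bytes(range(32))) + ":9211"
    stored = corrupt_domain(real_c2)
    print("embedded:", stored, "valid:", is_valid_onion_v3(stored))
    print("recovered:", recover_c2(stored))
```

Running is_valid_onion_v3 over every string a decryption script produces is a cheap way to separate raw (still corrupted) output from properly corrected C2 domains when tracking a new sample whose correction routine has not yet been reversed.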

Additional Updates

Beyond the primary changes, ThreatLabz identified several other noteworthy updates:

  • Raspberry Robin's developers have introduced expiration dates into the malware's binary code. Each sample we analyzed is allowed to execute only within a one-week window.
  • Raspberry Robin now leverages CVE-2024-38196 to achieve elevated privileges on targeted systems.
  • The memory mapping used for communication between the core module and TOR module now varies per sample/campaign. Different offsets are applied for storing data.

Conclusion

Raspberry Robin remains active, now employing updated obfuscation techniques, encryption methods, and tactics to avoid detection and hinder reverse-engineering analysis. While it has not garnered as much attention as other prominent malware families, its continuous improvements make it a significant threat for security teams.

Zscaler Coverage

Zscaler’s multilayered cloud security platform detects indicators related to Raspberry Robin at various levels. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for Raspberry Robin.


Figure 4: Zscaler Cloud Sandbox report for Raspberry Robin.

In addition to sandbox detections, the platform identifies Raspberry Robin under the following threat names:

Indicators Of Compromise (IOCs)

SHA256                                                             Description
5b0476043da365be5325260f1f0811ea81c018a8acc9cee4cd46cb7348c06fc6   Raspberry Robin DLL
05c6f53118d363ee80989ef37cad85ee1c35b0e22d5dcebd8a6d6a396a94cb65   Raspberry Robin DLL

C2 server domain (TOR onion:port)                                        Description
ves2owzq3uqyikb4zoeumzr4uxpi3twmy5qa5fdc4g7btpc43x5ahxyd.onion:9211     C2 server domain
df643p7juf4hhz3nqy4lychm2xslc645bozk3egqhsj46k6xqoy4xvad.onion:13201    C2 server domain
d7qiqd6srhy4poo2q6vbn7bx4b2wl7nrclswfqprmldzuarbfz3rglid.onion:52295    C2 server domain
d7qiqd6srhy4poo2q6vbn7bx4b2wl7nrclswfqprmldzuarbfz3rglid.onion:63185    C2 server domain
yo2a27uulrkraxfdwfcx7zokonpsux5qlufqsu7ial45uitm5v2seyyd.onion:60939    C2 server domain
oqki6m6qejavp7c5smafqa34locotxqbeh4scltzrhucgafykzzbh6ad.onion:1342     C2 server domain
c5empmuptwtgmehonawb6pzd4ifupervyqduqpop2m3idsgbcwdtrdad.onion:53120    C2 server domain
jsfnao46dnqos2avnrcvwlotr6xzqbp6uxfvl4mnkh6uyg6fch4bciqd.onion:56005    C2 server domain
el4ccbgrbeyqdc4vn74tdtfstksdmwj66qdi7e77vucafwvvm7ozvgad.onion:6212     C2 server domain
g7w5uxhxw5mp5jmshvevd273qvkph2if5xnvrjemthe6ok5q5dtek4ad.onion:58387    C2 server domain
cunm2jbjumfxl6tfrtzkmpk7h722oxxqqfaw2iinkalt7ijf77ch27qd.onion:10192    C2 server domain
r4gihskhiti437bonklmq24d6dl6swuw7zg5iseehjcepd3abbyyqsid.onion:62377    C2 server domain
mh3ibr5n4abi3fr3rlaar7wr3p2ptjrcon3jcp6tuqxscxfii4pegkid.onion:24793    C2 server domain
x76mtemtxl5fucgccu2nz4morfmpwwe44xp3ovkgsguzsntlh7ukn4id.onion:12656    C2 server domain
xzxdiwnw354odly55y7twfrimzys5574eaw57ttetyyo4up5ww6v25ad.onion:20938    C2 server domain
ipatoez4ldch3vabmz6lcawxtoogkmg5alxvwdm7fwzng7flvlz47ryd.onion:45505    C2 server domain
wlfeie2rk6utw3y5aykjisr3yj6c7hme43st2weo4jmtok6zxw33hyad.onion:31059    C2 server domain
2fio6wjjlq4pihqf6qhefaqnkkfonkgbiu4uw3jvzhcuysejme4oxwyd.onion:6849     C2 server domain
bpe2vrpvh5ri7odgbqxhr6mjaxe3zvekcexzdwpaiorq3xcbttrxywid.onion:22316    C2 server domain
42lidqllkggf7tsgymwk4jzfmawdinwav5vkii3l3wsqcrk4k5ncrrad.onion:30971    C2 server domain
vvftwyeaxr3f32t3etseadhvfx42ylza5g5gpg3zqp3e46tie2w34iyd.onion:13066    C2 server domain
3c6vus267hplojma4d3qckohjgxnhattb2vkkwcm6anilylzqkzdakad.onion:48285    C2 server domain
ztnjv2hf4gxl7x7f27qhhfxehdd4cd6cdfwjw6u7njmqxjgllzm6kgid.onion:17249    C2 server domain
okindaw6oogkyrdjghbqdcmbcrxersox5yphfod2uy363g5go72tx7qd.onion:37435    C2 server domain
uxfjrthzy6c6a7d2zqk47x4ltjm6hmftbroghxk4vfjva6mftpsmkbyd.onion:49600    C2 server domain
3gqcnr6wlxmv3dunl6rb4mcosa7ttedzbgya42burisj4qoeudl77nad.onion:40763    C2 server domain
kykggujjvvag7p4nmptsfuyqrqtqiqqun3pimsuupecmpoez2gph4vqd.onion:34469    C2 server domain
d4fsxtbvffjubsxmhczl6mt2wqukyao23vzi2dd7nahpcrwrhvkualid.onion:52210    C2 server domain
s54ui6ju3aa5w3anmo3lgwn53hm7us3lj5venw3eqyogoel6e6uv7fad.onion:14826    C2 server domain
3rp2g7y5jyalwmihkagfvwdh3fjvbecor3vz4j6vwaxdnmi6onf2hrid.onion:24849    C2 server domain
ag2qts4t6fy6x475c5xuknlwdugdoy33oueejdv5lkfavah73g6mvlyd.onion:4853     C2 server domain
qtnf675tghndtnnrosx2lsrvktbq7iw3noetckags2fb2ci7cujzxfyd.onion:20325    C2 server domain
4l4abrrv5j7662dioqthd5fz5u4oxbpfradwt3ntliw2gfnikgers6qd.onion:35870    C2 server domain
glhdxhgiqrboqrgw2dmwutpocyilxxuahxc6v3lfpfxhihahw4tjfeid.onion:4647     C2 server domain
csn3i3femv6dx362p4qesombr3e7gm5skcxkuqrymuaxeqqwmnrnvxyd.onion:13609    C2 server domain
knvocjqt6znfp4lba3j237i5kjnxgmk6niqk72w3wb22bfif6i7wufad.onion:46367    C2 server domain
yuuexutjzjmul7wldcecq6mpr2v5dyblw5n77elnoikttxfk3y54gnad.onion:20247    C2 server domain
ysbbw6ghpxos5jzcmdjydrrl3clqdvwfygejrktre4bixr3zo63vk7yd.onion:9080     C2 server domain
xwm5hhm4oalqhe4u67dfsqovxygkxox4bleir4isyqpncskamxa7bead.onion:65293    C2 server domain
gutayapi55tb5dmjhlmlwk3owg4aqy5fbyw7uk4skoagzv3le4ge6kad.onion:54050    C2 server domain
iz3iltwsdsaiqptqxba52bvwouzwoi56fw7vqbiw3znjo2jmifxmiuqd.onion:44714    C2 server domain
ia5ynzyztblk7vde74szyhy6a7f57dqg6jvysnrm34fv2aivlcornzqd.onion:55782    C2 server domain
j3w64lohpdl2fynduq7tey7v5kc5nfieblmi5g2znuadn75lkrgdi3yd.onion:33534    C2 server domain
4x34ze2b5l7fh5b4miyvkg44ohajj2pb7hcewt3jt3wlccfbezejrgyd.onion:61565    C2 server domain
sgk5c76pgs7a3qfhzvmey2ecnunsfdbykgjxvunnbpnn3ixlu7a5eqyd.onion:57063    C2 server domain
ztgk5ebmxcq3onksgg3guxpe4abz4cktcfa5lgubcgyde3ojkbvyjnad.onion:3574     C2 server domain
5lqerrumqsknnphthjiwg45uas7xcer65am4vs7z4zheshmx6hxyh2yd.onion:33774    C2 server domain
5oiwshn53yari5pza6ca3rxctq47e4azf6wzsvyidmt3j55d5lf7rvyd.onion:54638    C2 server domain
7jfv34s2axfur4euvzqzzowyqksby7hyt3sizuxvucxoc6ma46qjooqd.onion:37085    C2 server domain
soraykkm25es2phzeszxpinfhcbqgyn7i4tznb4atvks3gnsynm7avad.onion:21586    C2 server domain
tfjhxbhmr3vrmjrhc543npj4nk64jksodoclyjuqfn5aflmi44f657id.onion:29543    C2 server domain
7ray5zki7gjzms3bzbivwtcacyt4raaz6bixzmmgu6ljy5pjfpebowqd.onion:432      C2 server domain
z5qg6hpu7sxjyws2fqxei2peywu2tttq6lxs5ybxesgffqmjpedyeuyd.onion:37022    C2 server domain
werbjkqsmcugdcbdn5yvriyy6q4m2qfk3mg7cf6sujzandkwlsnlucid.onion:18703    C2 server domain
aqumyf4ecfgbxgcnrels2qd2cq5obbnwr4zr37cqw3tg7v5o6kuhqqyd.onion:37737    C2 server domain
wmdlzzdfkxikxrlw42rf75ug62semr3h6soc6tyoom3bb75zi7hjbrid.onion:3569     C2 server domain
6g6z6zsz7xc2ywqunbzzc4u2uv7yakc5aiaqbojbajmfioj3dfkzbnqd.onion:11703    C2 server domain
ne2vesxuik5dkz4vynmfped6rjfsjehmkajhkcpcjr5m3c3hc5bx5oad.onion:27842    C2 server domain
7gb5jc3mr32qqyae2s3o5r4fpima2cqpuogpbcmwk7wyvwmqxpr4wdid.onion:62326    C2 server domain
daorqgcuse6jzt7r22si2q4t7rjz622vxd5xhq4v4rzcyukltnqg3pyd.onion:31817    C2 server domain


Legal notice: This blog post was created by Zscaler for informational purposes only and is provided "as is", without any warranty of accuracy, completeness or reliability. Zscaler is not responsible for any errors, omissions, or any actions taken based on the information provided. Any third-party websites or resources linked in this post are provided for your convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge that it is your sole responsibility to verify and use the information as appropriate for your needs.
