Raspberry Robin resurfaces with WSF file campaign

In this week’s cybersecurity roundup, a diverse range of threats emerged, illustrating the evolving tactics of malicious actors: Byakugan malware spreading via fake Adobe Reader installers, the Raspberry Robin campaign resurfacing with WSF files, SEXi ransomware striking IxMetro Powerhost, RUBYCARP emerging as a long-standing botnet operator, and a critical Spectre v2 exploit targeting Intel-based Linux systems. These incidents underline the ongoing need for vigilance and comprehensive cybersecurity measures.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Byakugan malware spread through Adobe Reader installers

Bogus Adobe Acrobat Reader installers are spreading a sophisticated malware called Byakugan. The lure is a Portuguese-language PDF that urges victims to download a fake Reader application; once the victim clicks the link it provides, an installer named “Reader_Install_Setup.exe” is downloaded, which uses DLL hijacking and a Windows UAC bypass technique to execute the malicious “BluetoothDiagnosticUtil.dll.”

Byakugan collects system metadata and communicates with a command-and-control server, retrieving additional modules for functions such as desktop monitoring, screenshot capturing, keystroke logging, and cryptocurrency mining. This malware underscores a growing trend of blending legitimate and malicious components, complicating detection efforts. To mitigate risks, users should download software only from official sources, verify URLs before clicking, and keep security software updated for real-time protection.

2. Raspberry Robin strikes again with WSF file campaign

Cybersecurity experts have detected a resurgence of the Raspberry Robin campaign, which has been distributing malware via malicious Windows Script Files (WSFs) since March 2024. Initially spread through USB drives, Raspberry Robin has evolved into a versatile downloader for various payloads, often serving as a precursor to ransomware attacks. In the recent shift, WSF files hosted on various domains and subdomains act as downloaders for the primary DLL payloads after performing anti-analysis checks.

Threat actors employ a range of methods, including USB devices, Discord-hosted RAR archives, web browser downloads, and malicious advertisements, to infect endpoints. It is recommended to implement security best practices such as robust endpoint protection, regular system updates, user education on phishing tactics, and web filtering to mitigate the threat posed by Raspberry Robin and its associated payloads.
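Because the WSF stage described above runs through the Windows Script Host and then hands off to a DLL payload, a practical detection is to watch process-creation telemetry for wscript.exe or cscript.exe launching a .wsf from a user-writable directory, and for a DLL loader whose parent is a script host. The following is an added example written for this advisory, not code from the original post or from any Raspberry Robin analysis; the simplified "ProcessCreate" log format, its field names, and the sample lines are all constructed for the demonstration.

```python
"""Flag Windows Script Host launches of .wsf files from user-writable paths.

Added example for this advisory, not code from the original post. The log
format ("ProcessCreate" records with image/cmdline/parent fields) and the
sample lines below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Directory fragments a standard user can write to (lower-cased, wrapped in
# backslashes so "\users\" does not also match e.g. "\usersettings\").
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")

REASON_WSF = "script host executing .wsf from user-writable path"
REASON_DLL = "script host spawned a DLL loader"

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ProcessCreate image="(?P<image>[^"]+)" '
    r'cmdline="(?P<cmd>[^"]*)" parent="(?P<parent>[^"]+)"$'
)

# Constructed sample telemetry: one WSF launch from Downloads, one rundll32
# spawned by wscript loading a DLL from Temp, and two benign events.
SAMPLE_LOG = r"""
2024-03-20T10:01:02Z ProcessCreate image="C:\Windows\System32\wscript.exe" cmdline="wscript.exe C:\Users\alice\Downloads\invoice_0325.wsf" parent="C:\Windows\explorer.exe"
2024-03-20T10:01:05Z ProcessCreate image="C:\Windows\System32\rundll32.exe" cmdline="rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start" parent="C:\Windows\System32\wscript.exe"
2024-03-20T10:15:00Z ProcessCreate image="C:\Windows\System32\cscript.exe" cmdline="cscript.exe C:\Windows\System32\slmgr.vbs /dlv" parent="C:\Windows\System32\cmd.exe"
2024-03-20T10:20:00Z ProcessCreate image="C:\Program Files\Editor\editor.exe" cmdline="editor.exe" parent="C:\Windows\explorer.exe"
""".strip().splitlines()


@dataclass
class Finding:
    ts: str
    reason: str
    cmdline: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    """True if the path lies under a directory a normal user can write to."""
    low = path.lower()
    return any(fragment in low for fragment in USER_WRITABLE)


def analyze(lines):
    """Return a Finding for each suspicious process-creation record."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a ProcessCreate record in the expected shape
        image, cmd, parent = basename(m["image"]), m["cmd"], basename(m["parent"])
        if image in SCRIPT_HOSTS:
            # Pull the .wsf argument out of the command line and check where it lives.
            wsf = re.search(r"([a-z]:\\\S*?\.wsf)\b", cmd, re.I)
            if wsf and in_user_writable(wsf.group(1)):
                findings.append(Finding(m["ts"], REASON_WSF, cmd))
        elif parent in SCRIPT_HOSTS and image in DLL_LOADERS:
            # The WSF stage hands off to a DLL; a script host parenting a DLL loader is the tell.
            findings.append(Finding(m["ts"], REASON_DLL, cmd))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts}  {f.reason}: {f.cmdline}")
```

The path check is deliberately narrow: a script host running a .wsf that ships with Windows (under System32, for example) is not flagged, while the same host executing one from Downloads, Temp or AppData is. Feed the analyzer your own EDR or Sysmon process-creation events after mapping their fields onto the same three values.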

3. Hosting firm’s ESXi servers hit by SEXi ransomware

IxMetro Powerhost, a Chilean data center and hosting provider, fell victim to a cyberattack by a new ransomware group called SEXi, which hit its VMware ESXi servers and encrypted its backups. The attack disrupted services for clients relying on virtual private servers (VPS); encrypted files were given the .SEXi extension and accompanied by ransom notes named SEXi.txt. Powerhost disclosed negotiations with the ransomware group, which is demanding two bitcoins per victim, totaling around $140 million, and restoration efforts are complicated because the backups were also encrypted.

The ransom notes direct victims to download the Session messaging app to contact the threat actors, and resemble those of variants named SOCOTRA, FORMOSA, and LIMPOPO, discovered since February 2024, which leverage leaked ransomware source code. The attack underscores the importance of isolating infected systems, assessing the damage, securing backups, and seeking expert assistance to mitigate such incidents.

4. Unveiling ‘RUBYCARP’: A decade-long cyber threat emerges

A recent report has exposed RUBYCARP, a Romanian cyber threat group operating a persistent botnet for over a decade, orchestrating crypto mining, DDoS, and phishing attacks. Managed through private IRC channels, the botnet comprises over 600 compromised servers, with 39 variants of RUBYCARP’s Perl-based shellbot payload identified, indicating a low detection rate.

Exploiting vulnerabilities like CVE-2021-3129 in Laravel applications and conducting brute-force attacks on SSH servers, RUBYCARP leverages compromised devices for various malicious activities, including DDoS attacks, financial fraud, and cryptocurrency mining. Although RUBYCARP is not among the largest botnet operators, its longevity and sophistication make it a real threat, emphasizing the need for vulnerability management, enhanced network monitoring, phishing awareness training, and robust endpoint security solutions to mitigate its impact.
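SSH brute-forcing of the kind attributed to RUBYCARP above leaves a very recognisable trail in sshd's logs: a burst of "Failed password" lines from one source address, often across several usernames, sometimes followed by an "Accepted" line from the same address. The following is an added example written for this advisory, not code from the original post or from the RUBYCARP report; the auth.log lines are constructed, and the threshold, window and assumed log year are parameters of the demonstration.

```python
"""Detect SSH password brute-forcing in auth.log-style lines.

Added example for this advisory, not code from the original post or from
the RUBYCARP report. The log lines below are constructed; the detection
thresholds and the assumed log year are demonstration parameters.
"""
import re
from collections import defaultdict
from datetime import datetime

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for this example

# Constructed sample: one address hammers five accounts in 15 seconds and
# then logs in; a second address shows a normal typo-then-success pattern.
SAMPLE_AUTH_LOG = """
Apr  8 03:12:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Apr  8 03:12:03 web01 sshd[2212]: Failed password for root from 203.0.113.45 port 51030 ssh2
Apr  8 03:12:06 web01 sshd[2214]: Failed password for invalid user oracle from 203.0.113.45 port 51038 ssh2
Apr  8 03:12:09 web01 sshd[2216]: Failed password for root from 203.0.113.45 port 51044 ssh2
Apr  8 03:12:12 web01 sshd[2218]: Failed password for invalid user test from 203.0.113.45 port 51050 ssh2
Apr  8 03:12:15 web01 sshd[2220]: Failed password for deploy from 203.0.113.45 port 51058 ssh2
Apr  8 03:12:40 web01 sshd[2230]: Accepted password for deploy from 203.0.113.45 port 51100 ssh2
Apr  8 03:30:00 web01 sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Apr  8 03:31:00 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Apr  8 03:35:10 web01 sshd[2310]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
""".strip().splitlines()


def parse(lines):
    """Yield (timestamp, ip, accepted, user) for each sshd auth line."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue  # session/pam lines and anything else are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m["ip"], m["outcome"] == "Accepted", m["user"]))
    return events


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: summary} for each source with >= threshold failures in window_s.

    The summary records total failures, the usernames tried, and whether a
    login from that address was accepted after the burst began.
    """
    by_ip = defaultdict(list)
    for ev in parse(lines):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [ts for ts, _, ok, _ in evs if not ok]
        burst_start = None
        j = 0
        for i in range(len(fails)):
            # Sliding window: extend j while fails[i]..fails[j] fit in window_s.
            j = max(j, i)
            while j + 1 < len(fails) and (fails[j + 1] - fails[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                burst_start = fails[i]
                break
        if burst_start is None:
            continue
        succeeded = any(ok and ts >= burst_start for ts, _, ok, _ in evs)
        findings[ip] = {
            "failures": len(fails),
            "users": sorted({u for _, _, ok, u in evs if not ok}),
            "succeeded_after": succeeded,
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        flag = "LOGIN SUCCEEDED AFTER BURST" if info["succeeded_after"] else "no success seen"
        print(f"{ip}: {info['failures']} failures, users={info['users']} ({flag})")
```

The "succeeded_after" field is the one worth paging on: a burst of failures is noise on any internet-facing host, but a burst followed by an accepted login from the same address is an intrusion until proven otherwise. Lower the threshold or widen the window for slow, distributed campaigns, and pair the rule with a rate limiter such as fail2ban rather than relying on detection alone.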

5. Researchers identify Spectre v2 exploit against Linux Kernel

Security researchers have unveiled a critical vulnerability, CVE-2024-2201, affecting Intel-based Linux systems, termed the “first native Spectre v2 exploit.” Named Native Branch History Injection (BHI), this exploit, detailed by Vrije Universiteit Amsterdam’s Systems and Network Security Group (VUSec), enables unauthorized access to sensitive kernel memory at a rate of 3.5 kB/sec, bypassing existing Spectre v2/BHI mitigations.

BHI poisons the CPU’s branch history so that the processor speculatively executes attacker-chosen code segments, leading to data leakage. Despite mitigation efforts like enabling Enhanced Indirect Branch Restricted Speculation (eIBRS) and Supervisor Mode Execution Protection (SMEP), current techniques remain insufficient, prompting Intel to update its mitigation recommendations and signaling ongoing efforts to strengthen system security against evolving threats.
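The first thing a Linux administrator wants after reading the above is to know what the running kernel says about its own Spectre v2 and BHI mitigation state. The kernel exposes that as a one-line report in the sysfs file `/sys/devices/system/cpu/vulnerabilities/spectre_v2`. The script below is an added example for this advisory, not code from VUSec or the kernel project; the sysfs path is the real one, while the sample report strings are constructed in the format that file uses, and the interpretation rules (no BHI field means the kernel predates BHI reporting) are this example’s own.

```python
"""Read and interpret the Linux kernel's Spectre v2 / BHI mitigation report.

Added example for this advisory, not code from VUSec or the kernel
project. SYSFS_SPECTRE_V2 is the kernel's documented sysfs path; the
SAMPLES below are constructed strings in that file's report format.
"""
import re
from pathlib import Path

SYSFS_SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# Constructed report strings, modelled on the sysfs format. Each is one
# line as the kernel would print it for that situation.
SAMPLES = {
    "current": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; "
               "PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop",
    "older": "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling, PBRSB-eIBRS: SW sequence",
    "ebpf": "Vulnerable: eIBRS with unprivileged eBPF",
    "bhi_off": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; "
               "PBRSB-eIBRS: SW sequence; BHI: Vulnerable",
    "unaffected": "Not affected",
}


def parse_spectre_v2(report: str) -> dict:
    """Split one spectre_v2 report line into an overall state and the BHI field."""
    report = report.strip()
    if report == "Not affected":
        state = "not_affected"
    elif report.startswith("Mitigation:"):
        state = "mitigated"
    elif report.startswith("Vulnerable"):
        state = "vulnerable"
    else:
        state = "unknown"
    # The BHI sub-field, when present, runs to the next ';' (it may itself
    # contain a comma, e.g. "SW loop, KVM: SW loop").
    bhi = re.search(r"\bBHI:\s*([^;]+)", report)
    return {"state": state, "bhi": bhi.group(1).strip() if bhi else None, "raw": report}


def assess(report: str):
    """Return (ok, message) for a report line; ok is False whenever action is needed."""
    info = parse_spectre_v2(report)
    if info["state"] == "not_affected":
        return True, "CPU not affected by Spectre v2"
    if info["state"] == "vulnerable":
        return False, f"kernel reports Spectre v2 vulnerable: {info['raw']}"
    if info["state"] != "mitigated":
        return False, f"unrecognised report: {info['raw']}"
    if info["bhi"] is None:
        # Kernels that know about BHI always print the field, so its absence
        # means the running kernel predates the BHI fixes (assumption of this example).
        return False, "no BHI field in report: kernel predates BHI reporting, update it"
    if info["bhi"].startswith("Vulnerable"):
        return False, f"BHI mitigation not active: {info['bhi']}"
    return True, f"Spectre v2 mitigated; BHI: {info['bhi']}"


def check_host(path: Path = SYSFS_SPECTRE_V2):
    """Assess the live host, or return None when the sysfs file is absent (non-Linux, container)."""
    if not path.exists():
        return None
    return assess(path.read_text())


if __name__ == "__main__":
    live = check_host()
    if live is None:
        print("sysfs report not available on this host; showing constructed samples")
        for name, report in SAMPLES.items():
            ok, msg = assess(report)
            print(f"{name:10s} {'OK ' if ok else 'FIX'} {msg}")
    else:
        ok, msg = live
        print(("OK " if ok else "FIX") + " " + msg)
```

Run it on each Linux host (or push it through your configuration-management tool) and treat any "FIX" result as a patching ticket: either the kernel is too old to know about BHI at all, or it knows and reports the mitigation as off. The eBPF case is worth a separate note, since the kernel marks eIBRS systems vulnerable when unprivileged eBPF is enabled, and that is a sysctl change rather than a kernel upgrade.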

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
