As reported earlier by Red Canary, compromised QNAP devices were used as command and control (C2) infrastructure for Raspberry Robin activity. The infected host sends HTTP requests containing the victim's user name and device name to the QNAP device, which also hosts a malicious DLL that is downloaded and installed on the victim system.
Image from Microsoft Security Threat Intelligence showing the attack chain of the original Raspberry Robin infections
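One way to hunt for the beacon described above in web-proxy telemetry, as an added example that is not part of the original post or of any vendor's tooling: a client rarely has a legitimate reason to send its own computer name and logged-on user name in a URL, so requests whose path or query carry both are worth pulling into review, and the destinations of those requests are the servers to examine. The log format, host names, user names, domains and URL layouts below are all constructed for the example; the real beacon URL structure is not given on this page.

```python
"""Hunt for HTTP requests in which a host sends its own computer name and user
name to a web server, the beaconing pattern described above.

Added example, not code from the original post or from any referenced vendor.
The log layout is a constructed, simplified proxy log and the URL shapes are
assumptions; real Raspberry Robin beacons may use different paths."""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample proxy log (not real telemetry). Space-separated fields:
# timestamp src_ip src_host src_user method url status
SAMPLE_LOG = """\
2022-09-09T10:01:02Z 10.0.5.21 WS-FIN-017 jdoe GET http://cdn.example.test/assets/app.js 200
2022-09-09T10:01:05Z 10.0.5.21 WS-FIN-017 jdoe GET http://nas-c2.example.test:8080/q/WS-FIN-017?jdoe 200
2022-09-09T10:02:11Z 10.0.5.44 WS-HR-003 asmith GET http://intranet.example.test/home 200
2022-09-09T10:03:40Z 10.0.5.44 WS-HR-003 asmith GET http://nas-c2.example.test:8080/x/ws-hr-003/asmith/update.dll 200
2022-09-09T10:04:00Z 10.0.5.60 WS-IT-101 root GET http://updates.example.test/ws-it-101/manifest 200
"""

# Separators between URL path/query tokens. Hyphens are kept so that host names
# such as WS-FIN-017 survive as single tokens.
_TOKEN_SPLIT = re.compile(r"[/?&=;:.+\s]+")


def parse_log(text):
    """Parse the constructed log format into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host, user, method, url, status = line.split()
        records.append({"ts": ts, "ip": ip, "host": host, "user": user,
                        "method": method, "url": url, "status": int(status)})
    return records


def url_tokens(url):
    """Return the lowercase tokens of the URL path and query only.

    The scheme and authority are deliberately excluded so that a request whose
    destination merely shares a name with the client (e.g. an intranet portal)
    is not flagged; only identifiers the client sends in the request count.
    """
    parts = urlsplit(url)
    raw = unquote(parts.path) + "?" + unquote(parts.query)
    return {tok.lower() for tok in _TOKEN_SPLIT.split(raw) if tok}


def find_self_identifying_requests(records):
    """Flag records whose URL carries both the client's host name and user name.

    Whole-token matching rather than substring matching avoids false positives
    from short user names (e.g. 'root' inside 'rootfs') while still catching
    the host name and user name wherever they appear in the path or query.
    """
    hits = []
    for rec in records:
        toks = url_tokens(rec["url"])
        if rec["host"].lower() in toks and rec["user"].lower() in toks:
            hits.append(rec)
    return hits


def suspect_destinations(hits):
    """Pivot from flagged requests to the servers receiving them; in the
    activity described above these would be the compromised QNAP devices."""
    return {urlsplit(h["url"]).hostname for h in hits}


if __name__ == "__main__":
    flagged = find_self_identifying_requests(parse_log(SAMPLE_LOG))
    for rec in flagged:
        print(f"{rec['ts']} {rec['host']}/{rec['user']} -> {rec['url']}")
    print("suspect C2 hosts:", sorted(suspect_destinations(flagged)))
```

Only the path and query are tokenized, so the intranet request from WS-HR-003 is not flagged even though internal sites often embed machine names in their host part, and the WS-IT-101 request, which carries the host name but not the user name, is left alone as well; in the sample data only the two requests to nas-c2.example.test are returned, which is the device a responder would then pull for review.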
We reviewed domains associated with the QNAP Photo Station component to identify malicious domains that may be related to Raspberry Robin activity. Photo Station is affected by a recently disclosed vulnerability, CVE-2022-27593, which was added to the CISA Known Exploited Vulnerabilities Catalog on September 8, 2022; however, we currently have no evidence that these devices were compromised via this vulnerability, or even that they are related to any of the Raspberry Robin activity.
While not all of these domains are definitively confirmed as associated with Raspberry Robin, they follow naming conventions and use a domain registrar similar to those seen in prior Raspberry Robin reporting. Some of these suspected domains have related malware files in VirusTotal (VT) whose detections confirm Raspberry Robin.
The following eight domains were detected as phishing domains:
The following two domains had files in VT detected as Raspberry Robin: