Cybercriminals selling new tool weaponizing Raspberry Pi

Threat actors have come up with a new solution called Geobox that turns the Raspberry Pi mini-computer into a Swiss Army knife-style hacking device for fraudsters and other criminals.

Sold for a lifetime fee of $700 or a monthly rate of $80, the software is able to spoof location, mimic Wi-Fi access points, and manipulate DNS and network parameters while providing anonymity.

Researchers from Resecurity discovered posts about the new tool on the Dark Web and Telegram while investigating an online banking theft involving a high-net-worth client.

“The malicious individuals utilized several Geobox devices, each connected to the internet and strategically placed in various remote locations. These devices served as proxies, significantly enhancing their anonymity. This approach complicated the investigation and tracking process, especially since, by default, Geobox devices do not store any logs,” their report reads.

Raspberry Pi is a widespread, low-cost, small single-board computer used for a wide range of projects and praised by enthusiasts. With Geobox, however, it is transformed “into a potent weapon for digital deception.” The malicious software is specifically designed for the Raspberry Pi 4 Model B with at least 4GB of RAM.

Geobox is aimed at a broad audience of malicious actors: the setup process is streamlined, clear, and concise, and easy-to-follow instructions are provided. The manual even links to the official Raspberry Pi website for OS installation.

Geobox bundles several tools: support for multiple VPN connections, GPS and Wi-Fi emulation, DNS configuration, data substitution tools, network configurators, and others.

Figure: GEOBOX feature set. Image by Resecurity.

“The device's functionality is diverse, allowing for various forms of digital manipulation and disguise. Key features include the ability to use WebRTC IP for discreet online communication and GPS spoofing to simulate different geographical locations, which is particularly valuable for activities that require geolocation manipulation. Furthermore, the Geobox can mask Wi-Fi MAC addresses, making the user's network activity more difficult to trace,” Resecurity said.

The emergence of Geobox raises significant concerns and introduces new complexities for cybersecurity.

Armed with such a weapon, cybercriminals can carry out and coordinate a variety of attacks under the veil of anonymity: identity theft and credit card fraud, circumvention of network restrictions and surveillance, malware distribution, credential stuffing, spreading misinformation, content piracy, and more.

Resecurity observed the bad actor using Geobox in combination with two LTE-based wireless modems, “proxyfying connections via multiple chains of SOCKS and PROXY servers.” Deploying several such devices across different locations in this way can make tracing the cybercriminals behind them a significant challenge.

“Once the malicious action has been conducted – they either wipe the device or destroy it physically and move it to other locations.”