IOTW: Microsoft links Raspberry Robin malware to hacking group EvilCorp

Microsoft has linked a USB-based worm malware, referred to as Raspberry Robin, to attacks executed by Russian hacking group EvilCorp.

Microsoft explained in a recent report that on July 26, 2022, its researchers discovered “FakeUpdates malware being delivered via existing Raspberry Robin infections”. The FakeUpdates malware associated with DEV-0206 is a malvertising access broker that poses as a software or browser update and tricks victims into clicking on it. Clicking the fake update downloads a Zip archive containing a JavaScript file, which gives the attackers access to the victim’s network. Because JavaScript files typically execute when double-clicked, opening that file runs it on the victim’s computer.

The DEV-0206 activity was tracked by Microsoft, who revealed that the “activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior.” This DEV-0243 behavior is linked to activity perpetrated by hacking group EvilCorp.

What is EvilCorp?

EvilCorp is a hacking group notorious for developing and releasing Dridex malware, which can infect computers and harvest login details for banks and other financial institutions. In a press release from 2019, the US Department of the Treasury said that this malware had been used in more than 40 countries to steal more than US$100m.

What is Raspberry Robin?

Raspberry Robin was originally discovered by cyber security company Red Canary in September 2021 after noticing and tracking a cluster of activity caused by the worm.

Raspberry Robin is installed on computers via a compromised USB drive, which introduces the worm to the computer’s system. The worm then reads and executes a malicious file stored on the USB drive which, if successful, downloads, installs and executes a malicious dynamic-link library file (.dll). Finally, the worm repeatedly attempts outbound connections, typically to Tor (The Onion Router) nodes. Tor nodes conceal a user’s location from the connection destination.
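The two delivery chains described above (the FakeUpdates JavaScript file unpacked from a Zip archive, and the Raspberry Robin sequence of a file executed from a removable drive, a DLL dropped into a user-writable location and an outbound connection to a Tor node) map naturally onto endpoint-telemetry correlation rules. The following is an added example, not code from the article or from Microsoft or Red Canary; it runs over a few constructed telemetry events, and the drive letter, the Tor node addresses and the `Temp1_<name>.zip\` path heuristic are assumptions made for the example rather than indicators taken from either vendor’s report.

```python
"""
Added example: correlate endpoint telemetry into the infection chains described
in the article. Assumptions (mine, not the article's): event dicts have the
fields shown in SAMPLE_EVENTS; removable media is recognised by drive letter;
TOR_NODES is a constructed placeholder for a current Tor relay/exit list feed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TOR_NODES = {"203.0.113.10", "198.51.100.77"}   # constructed placeholder, not real relays
REMOVABLE_DRIVES = {"E:"}                       # constructed: drive letters reported as removable
CHAIN_WINDOW = timedelta(minutes=30)            # stages must occur within this window


def _ts(s):
    return datetime.fromisoformat(s)


def stage_of(ev):
    """Map one telemetry event onto a chain stage, or None if uninteresting."""
    et = ev["type"]
    if et == "process":
        image = ev["image"].upper()
        cmd = ev.get("cmdline", "").lower()
        # Raspberry Robin stage 1: a file executed directly from the removable drive.
        if image[:2] in REMOVABLE_DRIVES:
            return "exec_from_removable"
        # FakeUpdates vector: a script host running a .js that Explorer unpacked
        # from a Zip archive (Explorer's Temp1_<name>.zip\ preview path; assumed heuristic).
        if image.endswith(("WSCRIPT.EXE", "CSCRIPT.EXE")) and ".js" in cmd \
                and "temp1_" in cmd and ".zip\\" in cmd:
            return "js_from_zip"
    elif et == "image_load":
        # Raspberry Robin stage 2: a DLL loaded from a user-writable download location.
        path = ev["module"].lower()
        if path.endswith(".dll") and any(d in path for d in ("\\appdata\\", "\\temp\\", "\\programdata\\")):
            return "dll_from_writable"
    elif et == "netconn" and ev.get("direction") == "outbound":
        # Raspberry Robin stage 3: outbound connection to a Tor node.
        if ev["dst_ip"] in TOR_NODES:
            return "tor_outbound"
    return None


def correlate(events):
    """Return {host: [finding, ...]}. A removable-drive execution anchors a
    Raspberry Robin chain; later distinct stages on the same host inside
    CHAIN_WINDOW are attached to it and raise its severity."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            hits[ev["host"]].append((_ts(ev["ts"]), stage, ev))

    findings = defaultdict(list)
    for host, seq in hits.items():
        anchor = None
        for t, stage, ev in seq:
            if stage == "js_from_zip":
                findings[host].append({"rule": "fakeupdates_js_from_zip", "ts": ev["ts"],
                                       "stages": [stage], "severity": "medium",
                                       "cmdline": ev["cmdline"]})
            elif stage == "exec_from_removable" and anchor is None:
                anchor = {"rule": "raspberry_robin_chain", "ts": ev["ts"],
                          "start": t, "stages": [stage]}
                findings[host].append(anchor)
            elif anchor and stage not in anchor["stages"] and t - anchor["start"] <= CHAIN_WINDOW:
                anchor["stages"].append(stage)
        if anchor:
            anchor.pop("start")
            anchor["severity"] = {1: "low", 2: "medium", 3: "high"}[len(anchor["stages"])]
    return dict(findings)


# Constructed telemetry for the example; none of it is real log data.
SAMPLE_EVENTS = [
    {"ts": "2022-07-26T09:00:00", "host": "ws01", "type": "process",
     "image": r"E:\setup.cmd", "cmdline": r"cmd.exe /c E:\setup.cmd"},
    {"ts": "2022-07-26T09:00:05", "host": "ws01", "type": "image_load",
     "module": r"C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"ts": "2022-07-26T09:01:00", "host": "ws01", "type": "netconn",
     "direction": "outbound", "dst_ip": "203.0.113.10", "dst_port": 9001},
    {"ts": "2022-07-26T10:15:00", "host": "ws02", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\Temp1_Browser_Update.zip\Update.js"'},
    {"ts": "2022-07-26T11:00:00", "host": "ws03", "type": "netconn",
     "direction": "outbound", "dst_ip": "192.0.2.5", "dst_port": 443},
    {"ts": "2022-07-26T11:30:00", "host": "ws03", "type": "image_load",
     "module": r"C:\Program Files\Vendor\app.dll"},
]

if __name__ == "__main__":
    for host, fs in correlate(SAMPLE_EVENTS).items():
        for f in fs:
            print(host, f["rule"], f["severity"], f["stages"])
```

A lone DLL load from a user-writable path or a single Tor connection is deliberately not reported on its own; only a removable-drive execution opens a chain, and each subsequent stage raises the finding’s severity. Host ws03 in the sample produces nothing because its connection goes to an ordinary address and its DLL lives under Program Files.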

Red Canary reported that it had seen Raspberry Robin activity in organizations linked to the manufacturing and technology sectors, although the company noted that it was unclear as to whether there was any connection between the companies affected by the malware. 

Discussing the purpose of the Raspberry Robin worm when it was first discovered, Red Canary admitted that it was unsure “how or where Raspberry Robin infects external drives to perpetuate its activity”, though the company suggested that this “occurs offline or otherwise outside of our visibility”.

The organization also said that its “biggest question concerns the operators’ objectives”. This uncertainty is due to a lack of information on later-stage activity, meaning Red Canary are unable to “make inferences on the goal or goals of these campaigns”. The company did say, however, that it hoped the information uncovered on Raspberry Robin would help wider efforts to detect and track Raspberry Robin activity.
