Microsoft’s security team this week released evidence linking Raspberry Robin malware to Russian cybercrime syndicate Evil Corp. get in touch.
In an update to a May report on the ransomware-as-a-service industry, Microsoft Threat Intelligence Center (MSTIC) said some existing Raspberry Robin infections are being used to deliver FakeUpdates, an active malware downloader believed to be bundled with Evil Corp.
Raspberry Robin was discovered in September 2021 by researchers at cybersecurity firm Red Canary, who coined the name for the activity cluster they saw.
The activity involved a worm that is commonly installed via USB drives and relies on msiexec.exe to invoke its infrastructure, which Red Canary says is often associated with compromised QNAP devices.
Microsoft said its researchers discovered on July 26 that the FakeUpdates malware was being delivered via existing Raspberry Robin infections.
“The FakeUpdates activity associated with DEV-0206 on affected systems has since resulted in follow-up actions that are similar to the behavior of DEV-0243 before the ransomware.”
Microsoft designates Evil Corp as DEV-0243 and DEV-0206 is an unnamed access broker identified by the company.
BleepingComputer reported earlier this month that Microsoft sent a private threat intelligence advisory to Microsoft Defender for Endpoint subscribers, stating that the Raspberry Robin worm was found on Windows devices on networks belonging to hundreds of organizations across dozens of industries.
Cybersecurity company Sekoia has published its own report confirming that it found Raspberry Robin on QNAP NAS devices. In Red Canary’s first report on Raspberry Robin, they noted that it was aimed at organizations with connections to technology and manufacturing.
Katie Nickels, director of intelligence at Red Canary, told The Record that Microsoft’s finding, if true, has filled a “major gap” with Raspberry Robin, as no one has previously spotted any later-stage activity or found evidence, which they associate with a person or entity.
“Many organizations observed and publicly discussed the initial execution behavior of Raspberry Robin, but a large gap remained as no one seemed to observe later-stage activity — such as an eventual payload,” said Nickels.
“Microsoft’s finding that Raspberry Robin deployed malware called FakeUpdates/SocGholish is an interesting development. Microsoft certainly has credibility, but we cannot independently verify their claim at this time.”
Nickels added that it continues to see Raspberry Robin activity but is unable to link it to any specific person, company, organization or country, noting that it is “too early to to say if Evil Corp is responsible or with Raspberry Robin.”
She explained that the ransomware-as-a-service ecosystem is complex and different criminal groups often work together to achieve a variety of goals, making it difficult to map out relationships between malware families and observed activities.
“Microsoft’s findings suggest that the adversaries behind Raspberry Robin may have some sort of relationship with DEV-0206 and DEV-0243, two groups being tracked by Microsoft, but the exact nature of that relationship is unclear,” he said you.
According to Nickels, Red Canary has not directly observed Raspberry Robin propagating FakeUpdates and is not aware of any clear connection to Evil Corp, DEV-0206 or DEV-0243.
“But we’re watching to see if more evidence emerges to solidify these relationships, or if these are just one-off occurrences,” she said.
Félix Aimé, member of the Threat Intelligence Team at Sekoia, written down that the main problem with Raspberry Robin revolves around the fact that thousands of infected USB devices are out in the wild and “can download arbitrary payloads from dozens of domain names that can be easily hijacked or repurposed by malicious actors”.
Evil Corp is known for its ties to several ransomware groups – including Bitpaymer, DopplePaymer, WastedLocker, and Clop – as well as other cybercrime activities. It was sanctioned by the US Treasury Department in December 2019.
In Microsoft’s report this week, the company noted that Evil Corp has begun deploying the LockBit 2.0 RaaS payload during attacks, “probably in an attempt…to avoid attribution to their group, which due to their sanctioned status discourage payment.” could”.
#Microsoft #links #Raspberry #Robin #malware #cybercrime #syndicate #Evil #Corp
Leave a Comment