Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints
The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware.
It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up.
Raspberry Robin, also called QNAP Worm owing to the use of compromised QNAP storage servers for command-and-control, is the name given to a malware by cybersecurity company Red Canary that spreads to Windows systems through infected USB drives.
MSTIC is keeping tabs on the activity group behind the USB-based Raspberry Robin infections as DEV-0856, adding it's aware of at least four confirmed entry points that all have the likely end goal of deploying ransomware.
The latest development adds to growing evidence of post-exploitation activities linked to Raspberry Robin, which, in July 2022, was discovered acting as a conduit to deliver the FakeUpdates (aka SocGholish) malware.
This FakeUpdates activity has also been followed by pre-ransomware behavior attributed to a threat cluster tracked by Microsoft as DEV-0243 (aka Evil Corp), the infamous Russian cybercrime syndicate behind the Dridex trojan and a command-and-control (C2) framework called TeslaGun.
What's more, a cybercriminal actor dubbed DEV-0651 has been linked to the distribution of another artifact called Fauppod, which exhibits code similarities to Raspberry Robin and also drops the FakeUpdates malware, through the abuse of legitimate cloud services.
The Windows maker further noted with medium confidence that Fauppod represents the earliest known link in the Raspberry Robin infection chain for propagating the latter via LNK files to USB drives.
To add to the attack puzzle, IBM Security X-Force, early last month, identified functional similarities between a loader component used in the Raspberry Robin infection chain and the Dridex malware. Microsoft is attributing this code-level connection to Fauppod adopting Dridex's methods to avoid execution in specific environments.
"Raspberry Robin's infection chain is a confusing and complicated map of multiple infection points that can lead to many different outcomes, even in scenarios where two hosts are infected simultaneously,"