
Microsoft disclosed that the Raspberry Robin USB-based worm may have a connection with the pro-Russian hacker group Evil Corp

Microsoft disclosed a connection between the Raspberry Robin USB-based worm, a newly discovered high-risk worm, and a Russian cybercrime group tracked as Evil Corp. According to the company, the FakeUpdates malware, a downloader written in JavaScript that communicates over HTTP, was being delivered via Raspberry Robin-infected systems.

Raspberry Robin, also known as the QNAP worm, has been observed spreading from compromised systems to targeted devices on enterprise networks via infected USB devices containing malicious .LNK files. Red Canary, the cybersecurity firm, linked the Raspberry Robin campaign to a known threat actor. It observed traces of the worm on compromised Windows devices, which were then used to deliver malware further into the internal network.
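The behaviour the paragraph describes, a shortcut (.LNK) launched from removable media, is something a defender can look for in endpoint process-creation telemetry. The following is an added example, not code from the article or from Microsoft or Red Canary: a small detection routine run over constructed log records. The `key="value"` record layout, the field names (`event`, `host`, `user`, `cmdline`), the set of drive letters treated as removable, and the sample lines are all assumptions made for the example.

```python
"""
Added example (not part of the article): flag process-creation records in which
a .LNK shortcut is executed from a removable drive, the delivery path the
article attributes to Raspberry Robin. Log format and sample data are constructed.
"""
import re
from dataclasses import dataclass

# Assumption: drive letters the endpoint agent has mapped to removable (USB) media.
# A real agent would report the bus type of the volume instead of a fixed letter set.
REMOVABLE_DRIVES = {"E:", "F:", "G:"}

# Matches a Windows path ending in .lnk and captures its drive letter.
LNK_RE = re.compile(r'(?P<drive>[A-Za-z]:)\\[^"\s]*?\.lnk\b', re.IGNORECASE)

# Regex for the constructed key="value" record format.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    host: str
    user: str
    lnk_path: str
    command_line: str


def parse_record(line):
    """Parse one constructed key="value" telemetry record into a dict."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(line)}


def lnk_on_removable(record):
    """Return the .lnk path if the command line launches a shortcut from a removable drive, else None."""
    cmd = record.get("cmdline", "")
    for m in LNK_RE.finditer(cmd):
        if m.group("drive").upper() in REMOVABLE_DRIVES:
            return m.group(0)
    return None


def scan(lines):
    """Run the check over an iterable of records and return the findings."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("event") != "process_create":
            continue
        path = lnk_on_removable(rec)
        if path:
            findings.append(Finding(rec.get("host", ""), rec.get("user", ""),
                                    path, rec.get("cmdline", "")))
    return findings


# Constructed sample telemetry; hosts, users and paths are invented.
SAMPLE_LOG = [
    r'event="process_create" host="ws01" user="alice" cmdline="C:\Windows\explorer.exe E:\USB_DRIVE.lnk"',
    r'event="process_create" host="ws01" user="alice" cmdline="C:\Windows\explorer.exe C:\Users\alice\Desktop\Report.lnk"',
    r'event="file_write" host="ws02" user="bob" cmdline="C:\Windows\explorer.exe F:\Backup.lnk"',
    r'event="process_create" host="ws03" user="carol" cmdline="C:\Windows\System32\cmd.exe /c start F:\Photos.lnk"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host} {f.user}: shortcut {f.lnk_path} executed from removable media")
```

Only the first and last sample records are flagged: the second launches a shortcut from the local disk, and the third is not a process-creation event. Matching on drive letters is the weakest part of the check; in production the removable-media decision should come from the agent's volume metadata rather than a static set.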

Microsoft said, “The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior.” DEV-0206 has been observed deploying a malicious JavaScript framework named FakeUpdates that poses as a browser update. The malware lets other threat actors into the system by acting as an intermediary: it enables other campaigns to distribute payloads that have been purchased from DEV-0206.

According to Microsoft, “The use of a RaaS payload by the ‘EvilCorp’ activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status.”

However, Microsoft did not clearly state what the specific connection between Evil Corp and DEV-0206 is, but Cobalt Strike loaders have previously been attributed to DEV-0243, which is operated by Evil Corp.

Red Canary’s director of intelligence said, “We continue to see Raspberry Robin activity, but we have not been able to associate it with any specific person, company, entity, or country…Ultimately, it’s too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin. The Ransomware-as-a-Service (RaaS) ecosystem is a complex one, where different criminal groups partner with one another to achieve a variety of objectives. As a result, it can be difficult to untangle the relationships between malware families and observed activity.”
