Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers

Microsoft on Friday revealed a possible connection between the Raspberry Robin USB worm and the notorious Russian cybercrime group Evil Corp.

The tech giant said it noticed the FakeUpdates (also known as SocGholish) malware being delivered via existing Raspberry Robin infections on July 26, 2022.

Raspberry Robin, also known as QNAP Worm, is known to spread from a compromised system to other devices in the target network via infected USB devices containing malicious .LNK files.


The campaign, first spotted by Red Canary in September 2021, has been elusive as no later-stage activity has been documented and there has been no concrete association with an actor or known threat group.

The detection therefore represents the first evidence of the post-exploitation actions taken by a threat actor after leveraging the malware to gain initial access to a Windows device.

Microsoft noted that “FakeUpdates activity associated with DEV-0206 on affected systems has since resulted in follow-up actions similar to that of DEV-0243 pre-ransomware.”


DEV-0206 is the Redmond nickname for an initial access broker that propagates a malicious JavaScript framework called FakeUpdates by prompting targets to download fake browser updates in the form of ZIP archives.

In essence, the malware acts as a conduit for other campaigns that take advantage of the access purchased from DEV-0206 to distribute other payloads, primarily Cobalt Strike loaders attributed to DEV-0243, also known as Evil Corp.

Also tracked as Gold Drake and Indrik Spider, the financially motivated hacking group historically ran the Dridex malware and has since switched to spreading a series of ransomware families over the years, including most recently LockBit.


“The use of a RaaS payload by the EvilCorp activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their approved status,” Microsoft said.

It’s not immediately clear what exact connections Evil Corp, DEV-0206, and DEV-0243 may have with each other.

In a statement shared with The Hacker News, Katie Nickels, director of intelligence at Red Canary, said the findings, if proven correct, would fill a “major gap” in Raspberry Robin’s modus operandi.

“We are still seeing Raspberry Robin’s activity, but we have not been able to link it to any specific person, company, entity or country,” Nickels said.

“Ultimately, it is too early to say whether Evil Corp is responsible for or associated with Raspberry Robin. Ransomware-as-a-Service (RaaS) is a complex system, in which different criminal groups cooperate with each other to achieve a variety of goals. As a result, it can be difficult to untangle the relationships between malware families and observed activity.”
