Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary, the malware propagates through removable USB devices.
The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure.
The malware was first spotted in September 2021, the experts observed Raspberry Robin targeting organizations in the technology and manufacturing industries. Initial access is typically through infected removable drives, often USB devices.
The malware uses cmd.exe to read and execute a file stored on the infected external drive, it leverages msiexec.exe for external network communication to a rogue domain used as C2 to download and install a DLL library file.
Then msiexec.exe launches a legitimate Windows utility, fodhelper.exe, which in turn run rundll32.exe to execute a malicious command. Experts pointed out that processes launched by fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt.
Now, Microsoft experts observed the threat actor DEV-0206 using the Raspberry Robin worm to deploy a downloader on networks that were also compromised by threat actors using Evil Corp TTPs.
“On July 26, 2022, Microsoft researchers discovered the FakeUpdates malware being delivered via existing Raspberry Robin infections,” reads the update provided by Microsoft.
“The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior.”
In many cases, the infection process led to the deployment of custom Cobalt Strike loaders attributed to DEV-0243, which falls under activities tracked by the experts “EvilCorp,”
Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload, experts believe that DEV-0243 threat actors used a RaaS payload by the “EvilCorp” activity group to avoid attribution.
The discovery made by Microsoft is very interesting because it is the first time that the researchers found evidence that Raspberry Robin operators leverage an access broker to compromise enterprise networks.
CybercrimeEvil CorpHackinghacking newsinformation security newsIT Information SecuritymalwarePierluigi PaganiniRaaSraspberry robinSecurity AffairsSecurity News
You might also like
August 8, 2022 By Pierluigi Paganini
Strong Authentication - Robust Identity and Access Management Is a Strategic ChoicePasswords no longer meet the demands of today’s identity and access requirements. Therefore, strong authentication methods...
Copyright 2021 Security Affairs by Pierluigi Paganini All Right Reserved.Back to top
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.