IBM Security X-Force researchers discovered similarities between a component used in the Raspberry Robin malware and a Dridex malware loader, which was part of the malicious operations of the cybercrime gang Evil Corp.
Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary; the malware propagates through removable USB devices.
The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure.
The malware was first spotted in September 2021; the experts observed it targeting organizations in the technology and manufacturing industries. Initial access is typically through infected removable drives, often USB devices.
In July, Microsoft observed the threat actor DEV-0206 using the same malware to deploy a downloader on networks that were also compromised by threat actors using Evil Corp TTPs.
“On July 26, 2022, Microsoft researchers discovered the FakeUpdates malware being delivered via existing Raspberry Robin infections,” reads the update provided by Microsoft.
“The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior.”
In many cases, the infection process led to the deployment of custom Cobalt Strike loaders attributed to DEV-0243, which falls under activities tracked by the experts as “EvilCorp.”
Now IBM Security X-Force researchers have announced that they found evidence that Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks.
“Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality,” reported IBM. “Thus, IBM Security research draws another link between the Raspberry Robin infections and the Russia-based cybercriminal group ‘Evil Corp,’ which is the same group behind the Dridex Malware, suggesting that Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks.”
The Raspberry Robin loaders are DLLs that decode and execute an intermediate loader that is able to perform hook detection to avoid detection. The intermediate loader also decodes its strings at runtime and then decodes a highly obfuscated DLL whose purpose is still unclear.
The similarities between a 32-bit version of the Raspberry Robin loader and a 64-bit Dridex loader lie in functionality and structure; the two loaders also employ a similar technique to decode the final payload and for anti-analysis.
IBM shared the following tips to prevent Raspberry Robin infections:
(SecurityAffairs – hacking, Evil Corp)