Raspberry Robin malware may be connected to the Evil Corp group

August 13, 2022

Microsoft researchers said last week that there may be a link between the Raspberry Robin malware and the Russia-based threat group Evil Corp. According to the reports, several FakeUpdates infections were observed being delivered through Raspberry Robin infections last month.

Evil Corp was the unnamed access broker behind the malware infections last July. This Russian cybercriminal group is tracked as DEV-0206 and DEV-0243.

The discovery suggests that the threat actors operating Raspberry Robin may be closely connected with DEV-0243 and DEV-0206. Russia’s Evil Corp is a cybercriminal organisation that used the access DEV-0243 obtained through Raspberry Robin to infect enterprise networks and spread the Dridex malware.

Dridex was the primary malware Evil Corp used in its attacks a few months ago, and this detail further evidences the affiliation between the group and Raspberry Robin.

Raspberry Robin’s target selection is distinct and corresponds to Evil Corp’s latest victims.

Researchers observed several Raspberry Robin activities targeting networks belonging to customers of a particular technology company and to organisations in the manufacturing sector.

Raspberry Robin was first identified in September last year; its primary distribution vector is compromised USB devices. The infected USB drives carry a malicious LNK file which, once opened on an affected system, is used to spread the infection to other devices on the target’s network.

The worm then spawns a new process via cmd[.]exe to run a malicious file stored on the infected device.
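As an added defender-side example (not code from the original article or from Microsoft's research), the following Python heuristic flags the chain just described, explorer.exe launching cmd.exe to run a file located on a removable drive, over constructed Sysmon-style process-creation records. The drive letters treated as removable, the file names and the sample records are all assumptions made for the example.

```python
import re

# Assumption: drive letters that a device inventory reports as removable (USB) media.
# A process-creation event does not say whether a drive is removable, so this
# comes from a separate source; the values here are constructed for the example.
REMOVABLE_DRIVES = {"D:", "E:"}

# Constructed Sysmon Event ID 1 style records (ParentImage, Image, CommandLine).
SAMPLE_EVENTS = [
    # 0: user opened a shortcut (explorer.exe) -> cmd.exe runs a file on USB drive D:
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "D:\placeholder_file.cmd"'},
    # 1: explorer.exe -> cmd.exe runs a script on the system drive (benign admin workflow)
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Tools\backup.cmd"'},
    # 2: cmd.exe only lists a USB drive; no file on the drive is executed
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir E:\\"},
    # 3: explorer.exe -> cmd.exe runs a file on USB drive E: (lower-case drive letter)
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "e:\Setup\placeholder_file.bat"'},
]

# A drive-letter path that names a file, i.e. does not end in a backslash.
DRIVE_PATH = re.compile(r'(?<![A-Za-z])([A-Za-z]:)\\[^\s"\']*[^\s"\'\\]')


def removable_paths(cmdline, removable=REMOVABLE_DRIVES):
    """Return every file path in the command line that sits on a removable drive."""
    return [m.group(0) for m in DRIVE_PATH.finditer(cmdline)
            if m.group(1).upper() in removable]


def is_usb_lnk_cmd_chain(event, removable=REMOVABLE_DRIVES):
    """True when explorer.exe spawned cmd.exe to run a file stored on removable media."""
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    if image != "cmd.exe" or parent != "explorer.exe":
        return False
    return bool(removable_paths(event["CommandLine"], removable))


def scan(events, removable=REMOVABLE_DRIVES):
    """Indexes of the events that match the heuristic."""
    return [i for i, e in enumerate(events) if is_usb_lnk_cmd_chain(e, removable)]


if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print("suspicious:", SAMPLE_EVENTS[i]["CommandLine"])
```

The heuristic is deliberately narrow (explorer.exe parent, cmd.exe child, file on removable media) so it is tunable per environment; it will miss variants that use a different launcher and should be paired with USB device-enrollment telemetry.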

DEV-0206 then launches FakeUpdates by deceiving targets into downloading malicious browser updates packaged as ZIP archives. The malware then uses the access provided by DEV-0206 to distribute its payloads.

Raspberry Robin appears to be worm-like Windows malware distributed through infected external USB drives. It has also been linked to the malicious activities of several different threat actors, which makes it harder for researchers to pinpoint its actual operators.

Researchers highlighted that the central concern with Raspberry Robin is that hundreds or thousands of infected USB drives have been deployed in the wild, each able to download arbitrary payloads from several domain names. Those domain names themselves pose a considerable risk, since threat actors could hijack them.
