Just a few months after its discovery by Red Canary researchers in May 2022, Raspberry Robin has rapidly evolved from a worm that was widespread but showed no post-infection actions to a widespread and active platform for spreading malware.
“Microsoft has recently discovered activity that suggests the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with ties to other malware families and alternative methods of infection that extend beyond its original USB drive prevalence. These infections lead to subsequent hands-on-keyboard attacks and human-operated ransomware activities,” according to a Microsoft Security blog post.
“Our continued tracking of Raspberry Robin-related activity also shows very active operations,” the researchers said, with “nearly 3,000 devices in nearly 1,000 organizations [having] seen at least one payload-related Raspberry Robin alert in the last 30 days.”
The researchers found that devices infected with Raspberry Robin had the FakeUpdates malware installed, which led to activity by DEV-0243, “a ransomware-associated activity group that overlaps with actions tracked by other vendors as EvilCorp, [and] was first observed deploying the LockBit ransomware-as-a-service (RaaS) payload in November 2021,” the researchers wrote. “Since then, based on our research, Raspberry Robin has also started using IcedID, Bumblebee, and Truebot.”
In October, “researchers observed that Raspberry Robin was used in post-compromise activities attributed to another actor, DEV-0950 (which overlaps with groups publicly tracked as FIN11/TA505),” Microsoft said. “From a Raspberry Robin infection, DEV-0950 activity led to Cobalt Strike hands-on-keyboard compromises, sometimes with a Truebot infection observed between the Raspberry Robin and Cobalt Strike phases.”
From there, Clop ransomware was deployed, marking a notable shift from phishing “to using Raspberry Robin…to provide payloads for existing infections and to more rapidly shift their campaigns into ransomware stages,” the researchers noted.
Because the cybercriminal economy is so interconnected, Microsoft posited that the actors behind the malware campaigns Raspberry Robin now delivers, campaigns that are typically distributed through other means such as malicious ads or email, “could be paying the Raspberry Robin operators for the installation of malware.”
Raspberry Robin attacks “involve multi-step intrusions, and post-compromise activities require access to highly privileged credentials to have widespread impact,” Microsoft researchers wrote.
“The evolution of the Raspberry Robin worm and its connection to a larger cybercriminal ecosystem is another example of how threat actors have matured their business models,” said Mike Parkin, senior technical engineer at Vulcan Cyber.
“As our defenses have improved, the threats have become correspondingly more sophisticated and complex,” Parkin said. “We are not dealing with isolated threat actors. We’re not dealing with script kiddies showing off by defacing websites. We are dealing with a criminal ecosystem that sometimes receives support from state-level agencies and leverages business models that mature and evolve over time.”
The development of Raspberry Robin has security experts confused. “Just when we thought nothing else could stop us from ransom, we’re now seeing ransomware delivery systems increasing their sophistication and integrating with their counterparts,” said Andrew Barratt, vice president at Coalfire.
“Originally delivered via USB, Raspberry Robin would have had a slow infection rate (slow in a linear sense). The malware is something of a leatherman of the underworld with ransomware capabilities as well as multi-tier dropper capabilities that allow it to quickly become a vehicle for further compromises,” Barratt said. “Now that it’s being powered by the FakeUpdates malware, we could see widespread campaigns leveraging the drive-by download capabilities coupled with the broad capabilities of Raspberry Robin.”
Barratt called this “a form of vertical integration with the malware community,” with FakeUpdates providing initial access and deployment, and then “Raspberry Robin, which provides extensive post-initial access capabilities for either rapid monetization or further compromise.”
That combination, he said, “could easily disguise itself as a harmless browser update, and an unsuspecting user could find themselves the target of a payload that’s obfuscated enough to evade a local AV tool.”