Raspberry Robin operators are selling initial access to compromised enterprise networks to ransomware gangs

Pierluigi Paganini October 27, 2022

DEV-0950 group used Clop ransomware to encrypt the network of organizations previously infected with the Raspberry Robin worm.

Microsoft has discovered recent activity that links the Raspberry Robin worm to human-operated ransomware attacks. 

Data collected by Microsoft Defender for Endpoint shows that nearly 3,000 devices in almost 1,000 organizations have seen at least one RaspberryRobin payload-related alert in the last 30 days.

The experts noticed that threat actors tracked as DEV-0950 used Clop ransomware to encrypt the network of organizations previously infected with the worm.

In October 2022, the malware was used in post-compromise activity attributed to another actor, DEV-0950 (which overlaps with FIN11/TA505 cybercrime gang). The DEV-0950 attacks led to the deployment of the Cobalt Strike beacon. In some cases, the attackers delivered the Truebot malware between the Raspberry Robin infection and the Cobalt Strike deployment.

Beginning on September 19, 2022, experts observed the worm infections deploying IcedID, Bumblebee and TrueBot payloads. The final-stage malware was the Clop ransomware.

On July 26, 2022, Microsoft researchers discovered that the FakeUpdates malware was being distributed via Raspberry Robin malware. Microsoft experts observed the threat actor DEV-0206 using the worm to deploy a downloader on networks that were also compromised by threat actors using Evil Corp TTPs.

DEV-0206 is an access broker tracked by Microsoft, which uses malvertising campaigns to compromise networks worldwide.

The discovery made by Microsoft is very interesting because it is the first time that researchers found evidence that worm operators leverage an access broker to compromise enterprise networks.

“DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages.” reads the report published by Microsoft. “Given the interconnected nature of the cybercriminal economy, it’s possible that the actors behind these Raspberry Robin-related malware campaigns—usually distributed through other means like malicious ads or email—are paying the Raspberry Robin operators for malware installs.”

The researchers speculate the operators behind Raspberry Robin are selling initial access to compromised enterprise networks to affiliates of ransomware gangs.

Raspberry Robin

Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary, the malware propagates through removable USB devices.

The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure.

The malware was first spotted in September 2021, the experts observed Raspberry Robin targeting organizations in the technology and manufacturing industries. Initial access is typically through infected removable drives, often USB devices.

raspberry robin

The malware uses cmd.exe to read and execute a file stored on the infected external drive, it leverages msiexec.exe for external network communication to a rogue domain used as C2 to download and install a DLL library file.

Then msiexec.exe launches a legitimate Windows utility, fodhelper.exe, which in turn run rundll32.exe to execute a malicious command. Experts pointed out that processes launched by a fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt.

“Given the previously documented relationship between RaspberryRobin and DEV-0206/DEV-0243 (EvilCorp), this behavioral similarity in the initial vector for Raspberry Robin infections adds another piece of evidence to the connection between the development and propagation of Fauppod/Raspberry Robin and DEV-0206/DEV-0243.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment