Raspberry Robin Malware Connected to Russian Evil Corp Gang

Published: 23/11/2024   Category: security




Infections attributed to the USB-based worm have taken off, and now evidence links the malware to Dridex and the sanctioned Russian cybercriminal group Evil Corp.



Raspberry Robin, a widespread USB-based worm that acts as a loader for other malware, shares significant code similarities with the Dridex malware loader, linking it to the sanctioned Russian ransomware group Evil Corp.
Researchers from IBM Security reverse-engineered two dynamic link libraries (DLLs) dropped during a Raspberry Robin infection and compared them with the Dridex malware loader, a tool that has been definitively linked to Evil Corp in the past; in fact, the US Department of the Treasury sanctioned the Russia-based Evil Corp in 2019 for developing Dridex.
They found that the two decoding algorithms work similarly: both use random strings embedded in the portable executables, and both include an intermediate loader stage that decodes the final payload in the same manner and contains anti-analysis code.
"The results show that they are similar in structure and functionality," Kevin Henson, a malware reverse engineer at IBM Security, wrote in the analysis. Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks.
Security firm Red Canary first analyzed and named Raspberry Robin in May. Soon after, it came to the attention of other researchers, including IBM Security.
The worm spreads quickly throughout internal networks, hitchhiking on USB devices passed between workers. Although Raspberry Robin relies on social engineering to convince victims to plug in an infected USB device, infections took off during the summer, with 17% of IBM Security's managed clients in targeted industries seeing infection attempts.
However, the malware initially puzzled researchers because it simply hibernated on infected systems and appeared to have no second-stage payload. In July that changed: IBM and Microsoft researchers discovered that infected systems had begun downloading the FakeUpdates malware, typically a precursor to ransomware used by Evil Corp.
FakeUpdates, also known as SocGholish, masquerades as a legitimate software update but installs popular attack tools such as Cobalt Strike and Mimikatz, or ransomware, on the victim's computer.
Microsoft noted at the time that FakeUpdates is usually attributed to an access broker that the company tracks as DEV-206. If Evil Corp is distributing FakeUpdates through existing Raspberry Robin infections, as suspected, it suggests a close partnership between the access broker and Evil Corp.
Historical analysis indicates that the Raspberry Robin activity can be traced as far back as September 2021. The malware is typically used against manufacturing, technology, oil and gas, and transportation industries.





