Raspberry Robin and Dridex: Two Birds of a Feather


IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research shed additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security research draws another link between the Raspberry Robin infections and the Russia-based cybercriminal group ‘Evil Corp,’ which is the same group behind the Dridex malware, suggesting that Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks.


When Raspberry Robin infection attempts were first observed impacting a few IBM Security MDR customers in mid-May 2022, the enigmatic worm activity began to quickly spread within a client’s network from users sharing USB devices. The infections spiked in early June and by early August spikes of Raspberry Robin infection attempts were observed in 17% of worldwide MDR clients in the oil and gas, manufacturing, and transportation industries. This number is significant as historically less than 1% of MDR clients have seen the same strain of malware.


Raspberry Robin and Evil Corp Connection


The ultimate objective of Raspberry Robin had been unknown. Microsoft researchers observed millions of Raspberry Robin infections, but no evidence of post-infection exploits had been seen in the wild until July 26, 2022, when Microsoft disclosed that they had uncovered existing Raspberry Robin infections delivering FAKEUPDATES malware (aka SocGholish).


The disclosure by the Microsoft threat researchers revealed that the “… DEV-0206-associated FAKEUPDATES activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior.” This statement indicates a possible relationship between Raspberry Rob ..