Microsoft Details Threat Actors Leveraging Raspberry Robin Worm

Microsoft said that a cybercriminal group has deployed Clop encryption malware on those previously affected by the Raspberry Robin worm.

The company detailed its findings in a Thursday report and said its threat team has seen almost 1,000 organizations infected with the follow-up ransomware in the last month.

"Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022, to one of the largest malware distribution platforms currently active," wrote Microsoft.

Raspberry Robin is a sophisticated worm that needs multiple intrusions and compromised credentials to tunnel into a targeted system. The malware has been observed infecting systems through malicious USB drives containing a Windows shortcut (LNK) file disguised as a folder. Both tricking the user into clicking the link and autorun of the harmful LNK file are necessary for infection.
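To illustrate the vector just described from a defender's side, here is an added Python triage script (not code from Microsoft or from this article) that parses the header and string data of a Windows shortcut per the MS-SHLLINK layout and flags shortcuts that display as a folder yet do not point at a directory, or that pass arguments to their target. The sample shortcut bytes are constructed inside the script; the "Photos"/"Documents" names are assumptions.

```python
"""Triage .lnk files, e.g. copied off a removable drive, and flag ones posing as folders."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link CLSID
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
FILE_ATTRIBUTE_DIRECTORY = 0x10   # set in the header when the link target is a folder


def parse_lnk(data: bytes) -> dict:
    """Parse ShellLinkHeader and the StringData fields; skip the variable-size parts."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, attrs = struct.unpack_from("<II", data, 20)   # LinkFlags, FileAttributes
    pos = 0x4C
    if flags & HAS_IDLIST:                  # LinkTargetIDList: 2-byte size, then list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                # LinkInfo: first 4 bytes hold its total size
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags, "attributes": attrs}
    width = 2 if flags & IS_UNICODE else 1
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                     (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if flags & bit:                     # StringData: 2-byte char count, then chars
            n = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2: pos + 2 + n * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
    return out


def triage(filename: str, data: bytes) -> list:
    """Return reasons this shortcut deserves analyst attention; empty means nothing odd."""
    info = parse_lnk(data)
    shown = filename[:-4] if filename.lower().endswith(".lnk") else filename  # Explorer hides .lnk
    reasons = []
    if "." not in shown and not info["attributes"] & FILE_ATTRIBUTE_DIRECTORY:
        reasons.append(f"displays as folder '{shown}' but target is not a directory")
    if info.get("arguments"):
        reasons.append(f"passes arguments to target: {info['arguments']!r}")
    return reasons


def build_lnk(relative_path: str, arguments: str, attrs: int = 0x20) -> bytes:
    """Constructed sample shortcut for testing: minimal header plus two string fields."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, attrs)
    header += b"\x00" * (0x4C - len(header))     # zeroed timestamps, size, icon, hotkey, reserved
    field = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + field(relative_path) + field(arguments)
```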

The group deploying the Clop ransomware, which encrypts a targeted system after gaining access through Raspberry Robin, has been identified by Microsoft as DEV-0950. According to Microsoft, the group had previously been linked with the use of the Truebot malware, and had typically relied on phishing techniques. This month saw a shift in the group's approach, as it leveraged the Raspberry Robin worm to deploy Clop, with the end goal of extorting money from its victims in exchange for decrypting affected systems. The group's geographic location is currently unknown.

How exactly the worm is being taken advantage of by the group is still not clear. But Microsoft theorizes that DEV-0950 is paying the Raspberry Robin operators to piggy-back their ransomware on the already infected targets.

DEV-0950 might not be the only group to take advantage of Raspberry Robin's system of infected targets. "The Raspberry Robin implant has also started to distribute other malware families, which is not uncommon in the cybercriminal economy, where attackers purchase 'loads' or installs from operators of successful and widespread malware to facilitate their goals," wrote Microsoft.

Microsoft said its security experts have also observed the malware family Fauppod being delivered via Raspberry Robin. Fauppod operates like the popular malware family FakeUpdates by creating a JavaScript backdoor on a system. Once installed, it can be used to deliver additional malware or to gain unauthorized access to the system.

This won't be the end of attackers leveraging Raspberry Robin. Microsoft said that despite the somewhat complex infection process, attackers are still finding widespread success, and will continue to expand their pool of victims on the strength of those successes.

"Almost every organization risks encountering these threats, including Fauppod/Raspberry Robin and FakeUpdates," wrote Microsoft. "Developing a robust protection and detection strategy and investing in credential hygiene, least privileges, and network segmentation are keys to preventing the impact of these complex and highly connected cybercriminal threats."

For its part, the company said that Microsoft Defender for Endpoint and Microsoft Defender Antivirus can detect Raspberry Robin and many of the follow-up threats like Clop and Fauppod. It also recommends that organizations turn on the attack surface reduction rules to limit their overall exposure to these and other threats.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

