"Raspberry Worm Exposes Larger, More Complex Malware Ecosystem"

Within a few months of its discovery by Red Canary researchers in May 2022, Raspberry Robin has evolved from a worm that was widely distributed but showed no post-infection actions into an active malware distribution platform. Microsoft has discovered new evidence that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original spread via USB drives. These infections are followed by hands-on-keyboard attacks and human-operated ransomware activity. Continuous monitoring of Raspberry Robin-related activity reveals an active operation, with nearly 3,000 devices in nearly 1,000 organizations receiving at least one Raspberry Robin payload-related alert in the last 30 days. The researchers found that FakeUpdates malware was being installed on Raspberry Robin-infected devices, leading to activity by DEV-0243, a ransomware-associated activity group that overlaps with the actions of EvilCorp. Raspberry Robin has also begun deploying IcedID, Bumblebee, and Truebot. By October, the researchers had discovered Raspberry Robin being used in post-compromise activity linked to another actor, DEV-0950, which overlapped with groups publicly tracked as FIN11/TA505. The DEV-0950 activity resulted in Cobalt Strike hands-on-keyboard compromises after a Raspberry Robin infection, sometimes with a Truebot infection seen between the Raspberry Robin and Cobalt Strike stages. Clop ransomware was then deployed, signaling a significant shift away from phishing and toward using Raspberry Robin to deliver payloads to existing infections. Because the cybercriminal economy is so intertwined, Microsoft speculated that the actors behind the Raspberry Robin-related malware campaigns, whose malware is typically distributed via other means such as malicious ads or email, could be paying the Raspberry Robin operators for malware installs.
This article continues to discuss the exposure of a more complex malware ecosystem by the Raspberry Robin worm. 

Security Boulevard reports "Raspberry Worm Exposes Larger, More Complex Malware Ecosystem"
