This article is more than 1 year old

This Windows worm evolved into slinging ransomware. Here's how to detect it

Raspberry Robin hits 1,000 orgs in just one month

Raspberry Robin, a worm that spreads through Windows systems via USB drives, has rapidly evolved: now backdoor access is being sold or offered to infected machines so that ransomware, among other code, can be installed by cybercriminals.

In a report on Thursday, Microsoft's Security Threat Intelligence unit said Raspberry Robin is now "part of a complex and interconnected malware ecosystem" with links to other families of malicious code and ties to ransomware infections.

Ultimately, Raspberry Robin first appeared to be a strange worm that spread from PC to PC with no obvious aim. Now whoever is controlling the malware is seemingly using it to offer access to infected machines so that other software nasties can be deployed, such as ransomware, by other miscreants.

"Raspberry Robin's infection chain is a confusing and complicated map of multiple infection points that can lead to many different outcomes, even in scenarios where two hosts are infected simultaneously," the Microsoft researchers wrote.

"There are numerous components involved; differentiating them could be challenging as the attackers behind the threat have gone to extreme lengths to protect the malware at each stage with complex loading mechanisms."

According to data collected by Microsoft's Defender for Endpoint tool, almost 3,000 devices in about 1,000 organizations have experienced at least one alert about a malicious payload related to Raspberry Robin in the past 30 days.

"Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022, to one of the largest malware distribution platforms currently active," they wrote.

Red Canary researchers first observed Raspberry Robin activities in September 2021. The malware was a worm typically installed via a removable USB device and used compromised QNAP storage servers for its backend command-and-control (C2) servers.

A Raspberry Robin infected USB stick contains .lnk file that looks like a legitimate folder. The drive may be set up to auto-run that file – which organizations can block – or the user is tricked into double-clicking on the link file. That .lnk file then runs commands to fetch and execute from a C2 server the main malware code on the victim's PC.

See the above Microsoft post for technical details on how to detect a Raspberry Robin intrusion. A PC is infected after inserting the USB drive and/or running the .lnk file. Some infections occurred without a link file and USB drive, though, indicating there is more than one way to catch Raspberry Robin.

It's only getting worse

Microsoft, IBM, and Cisco have been tracking Raspberry Robin and its evolution. Two months after Red Canary's report, Microsoft detected Raspberry Robin – which the IT giant is tracking as DEV-0856 – installing on compromised computers the FakeUpdates (also known as SocGolish) backdoor malware, which is also used by Evil Corp – a Russian cybercrime group tracked by Microsoft as DEV-0243 that spreads the Dridex banking trojan.

Raspberry Robin also has been used to deploy the IdedID (or BokBot banking trojan), malware loader Bumblebee, and the Truebot trojan. Scumbags also have ordered it to run LockBit ransomware and now Clop ransomware on hijacked machines, according to the Microsoft analysts.

It gets worse. This month, Microsoft saw Raspberry Robin being used by a crew tracked as DEV-0950, which overlaps with gangs tagged as FIN11 and TA505. After Raspberry Robin infects a PC, DEV-0950 uses it to run Cobalt Strike – and occasionally Truebot – according to Microsoft. Eventually, Clop is executed on the victim's computer. Raspberry Robin has been a boon for these miscreants, according to the Microsoft researchers.

"DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages," they wrote.

"Given the interconnected nature of the cybercrime economy, it's possible that the actors behind these Raspberry Robin-related malware campaigns – usually distributed through other means like malicious ads or email – are paying the Raspberry Robin operators for malware installs."

In July Microsoft found that Fauppod – malware distributed by another group called DEV-0651 from Azure and Discord – has similar code to Raspberry Robin. It also has delivered FakeUpdates backdoors.

IBM's Security X-Force in September found other connections between Raspberry Robin and Dridex – including similarities in structure and functionality – between a Raspberry Robin DLL and a Dridex malware loader.

"Thus, IBM Security research draws another link between the Raspberry Robin infections and the Russia-based cybercriminal group 'Evil Corp,' which is the same group behind the Dridex Malware, suggesting that Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks," wrote Kevin Henson, a malware reverse engineer, and Emmy Ebanks, a cyberthreat responder, with IBM.

It's expected that the malware will continue to morph into an increasingly dangerous threat, according to Microsoft.

"While Raspberry Robin seemed to have no purpose when it was first discovered, it has evolved and is heading towards providing a potentially devastating impact on environments where it's still installed," the analysts wrote.

"Raspberry Robin will likely continue to develop and lead to more malware distribution and cybercriminal activity group relationships as its install footprint grows." ®

More about


Send us news

Other stories you might like