”Evidence links the USB-based worm to Dridex and the Russian cybercriminal entity Evil Corp.
Similarities between the Raspberry Robin USB-based worm and the Dridex malware loader suggest that it originated with the banned Russian ransomware gang Evil Corp.
IBM Security reverse-engineered two DLLs delivered by Raspberry Robin and compared them to the Dridex malware loader, a tool previously associated to Evil Corp. (the US Department of the Treasury sanctioned the Russia-based Evil Corp. for generating Dridex in 2019).They discovered that the decoding algorithms were very similar to one another, with anti-analysis code present in the intermediate loader code and the use of random strings in the portable executables.
Kevin Henson, a malware reverse engineer at IBM Security, said that “the results suggest that they are comparable in structure and behavior.” Attacks by “Evil Corp” are “likely being executed utilizing Raspberry Robin infrastructure.
Fledgling Raspberry Robin Takes Off
In May, Raspberry Robin was initially studied and given a name by security firm Red Canary. Others in the scientific community quickly caught wind of it, with IBM Security among them.
The worm travels swiftly across corporate networks by infecting shared USB drives. 17% of IBM Security’s managed clients in targeted industries saw infection attempts this summer, despite the fact that Raspberry Robin depends on social engineering techniques to convince victims to put in an infected USB device.
Researchers were first baffled by the malware because it seemed to do nothing malicious once it had infected a device; instead, it just went into hibernation. In July, though, researchers from IBM and Microsoft found that affected PCs had began installing FakeUpdates malware, a common precursor to Evil Corp’s ransomware.
FakeUpdates, also known as SocGhoulish, is malware that seems to be an important software update but instead installs malicious software, such as ransomware or the widely used attack programs Cobalt Strike and Mimikatz, on the victim’s machine.
Microsoft stated back then that FakeUpdates is commonly blamed on an access broker the company monitors under the identifier DEV-206. If the speculation that Evil Corp is spreading FakeUpdates via pre-existing Raspberry Robin infections is correct, then it is likely that the access broker is working closely with Evil Corp.
A look back at the data shows that the first sign of the Raspberry Robins’ antics occurred in September of 2021. Industries in the manufacturing, technology, oil and gas, and transportation sectors are common targets of the malware.