Saturday, July 30, 2022

Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers


Microsoft on Friday disclosed a possible connection between the Raspberry Robin USB-based worm and a notorious Russian cybercrime group tracked as Evil Corp.

The tech giant said it observed the FakeUpdates (aka SocGholish) malware being delivered via existing Raspberry Robin infections on July 26, 2022.

Raspberry Robin, also known as QNAP Worm, is known to spread from a compromised system via infected USB devices containing malicious .LNK files to other devices within the target network.


The campaign, which was first spotted by Red Canary in September 2021, has been elusive in that no later-stage activity has been documented, nor has there been any concrete link tying it to a known threat actor or group.

The disclosure marks the first evidence of post-exploitation actions carried out by the threat actor after leveraging the malware to gain initial access to a Windows machine.

“The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior,” Microsoft noted.


DEV-0206 is Redmond’s moniker for an initial access broker that deploys a malicious JavaScript framework called FakeUpdates by enticing targets into downloading fake browser updates.

The malware, at its core, acts as a conduit for other campaigns that make use of this access purchased from DEV-0206 to distribute other payloads, primarily Cobalt Strike loaders attributed to DEV-0243, which is also known as Evil Corp.

Also known as Gold Drake and Indrik Spider, the financially motivated hacking group has historically operated the Dridex malware and has since switched to deploying a string of ransomware families over time, including most recently LockBit.


“The use of a RaaS payload by the ‘EvilCorp’ activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status,” Microsoft said.

It isn’t immediately clear what exact connections Evil Corp, DEV-0206, and DEV-0243 may have with one another.

Katie Nickels, director of intelligence at Red Canary, said in a statement shared with The Hacker News that the findings, if confirmed to be correct, fill a “major gap” in Raspberry Robin’s modus operandi.

“We continue to see Raspberry Robin activity, but we have not been able to associate it with any specific person, company, entity, or country,” Nickels said.

“Ultimately, it is too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin. The Ransomware-as-a-Service (RaaS) ecosystem is a complex one, where different criminal groups partner with one another to achieve a variety of objectives. As a result, it can be difficult to untangle the relationships between malware families and observed activity.”
