Raspberry Robin, a widespread USB-based worm that acts as a loader for other malware, has significant similarities to the Dridex malware loader, which means that it may be traced back to the sanctioned Russian ransomware group Evil Corp.
Researchers from IBM Security reverse engineered two dynamic link libraries (DLLs) dropped during a Raspberry Robin infection and compared them to the Dridex malware loader, a tool that has been definitively linked to Evil Corp. in the past. In fact, the US Department of the Treasury sanctioned the Russia-based Evil Corp for creating Dridex in 2019.
They found that the decoding algorithms worked similarly, using random strings in the portable executables, and that both had an intermediate loader stage that decoded the final payload in the same way and contained anti-analysis code.
“The results show that they are similar in structure and functionality,” Kevin Henson, a malware reverse engineer at IBM Security, wrote in the analysis. “Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks.”
Raspberry Robin Takes Flight
Security firm Red Canary first analyzed and named Raspberry Robin in May. Soon after, it came to the attention of other researchers, including IBM Security.
The worm spreads quickly throughout internal networks, hitchhiking on USB devices passed between employees. While Raspberry Robin relies on social engineering to convince victims to plug in an infected USB device, infections took off during the summer, with 17% of IBM Security’s managed clients in targeted industries seeing infection attempts.
However, the malware puzzled researchers initially, because it simply hibernated on infected systems and appeared to have no second-stage payload. In July that changed: IBM and Microsoft researchers discovered that infected systems had begun downloading the FakeUpdates malware, typically a precursor to ransomware used by Evil Corp.
FakeUpdates, also known as SocGholish, masquerades as a legitimate software update but installs popular attack tools such as Cobalt Strike and Mimikatz, or ransomware, on the victim’s computer.
Microsoft noted at the time that FakeUpdates is typically attributed to an access broker that the company tracks as DEV-206. If Evil Corp is distributing FakeUpdates through existing Raspberry Robin infections as suspected, it suggests a close partnership between the access broker and Evil Corp.
Historical analysis indicates that Raspberry Robin activity can be traced back as far as September 2021. The malware is typically used against the manufacturing, technology, oil and gas, and transportation industries.