Microsoft Links Raspberry Robin USB Worm To Russian Evil Corp Hackers

Microsoft on Friday revealed a potential connection between the Raspberry Robin USB worm and an infamous Russian cybercrime group tracked as Evil Corp.

The tech giant said it observed FakeUpdates (aka SocGholish) malware being distributed via existing Raspberry Robin infections on July 26, 2022.

Raspberry Robin, also known as QNAP worm, is known to spread from compromised system via infected USB devices containing malicious .LNK files to other target network devices.


cyber security

The campaign, which was first spotted by Red Canary in September 2021, has been elusive in that no subsequent activity has been documented and there is no concrete link linking it to any actor. or a known threat group.

The disclosure marks the first evidence of post-exploitation actions taken by the threat actor while exploiting the malware to gain initial access to a Windows machine.

“FakeUpdates activity associated with DEV-0206 on affected systems has since led to follow-up actions resembling DEV-0243’s pre-ransomware behavior,” Microsoft noted.

Raspberry Robin USB Worm

DEV-0206 is Redmond’s nickname for an initial access broker that deploys a malicious JavaScript framework called FakeUpdates by tricking targets into downloading bogus browser updates.

The malware, at its core, acts as a conduit for other campaigns that use this purchased access from DEV-0206 to distribute other payloads, primarily Cobalt Strike loaders attributed to DEV-0243, also known as of Evil Corp.

Also referred to as Gold Drake and Indrik Spider, the financially motivated hacking group has historically exploited the Dridex malware and has since opted to deploy a series of ransomware families over the years, including most recently LockBit.

cyber security

“The use of a RaaS payload by the ‘EvilCorp’ business group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status” , Microsoft said.

It’s not immediately clear what exact relationships Evil Corp, DEV-0206, and DEV-0243 may have with each other.

Katie Nickels, director of intelligence at Red Canary, said in a statement shared with The Hacker News that the findings, if found to be correct, fill a “major gap” with Raspberry Robin’s modus operandi.

“We continue to see activity from Raspberry Robin, but have not been able to associate it with a specific person, company, entity or country,” Nickels said.

“Ultimately, it’s too early to tell if Evil Corp is responsible or associated with Raspberry Robin. The Ransomware-as-a-Service (RaaS) ecosystem is complex, where different criminal groups combine to achieve a variety of goals. Therefore, it can be difficult to disentangle the relationships between malware families and observed activity.

Leave a Comment