How to spot a Windows worm now spreading ransomware • The Register

Raspberry Robin, a worm that spreads through USB drives on Windows systems, has rapidly evolved into a means of selling or offering backdoor access to infected computers, which among other things lets cybercriminals install ransomware.

In a report Thursday, Microsoft’s Security Threat Intelligence unit said Raspberry Robin is now “part of a complex and interconnected malware ecosystem” with ties to other families of malicious code and links to ransomware infections.

Raspberry Robin initially appeared to be a strange worm that spread from PC to PC with no apparent goal. Whoever controls the malware now appears to be using it to provide access to infected computers so that other malicious software, such as ransomware, can be deployed by other rogues.

“The Raspberry Robin infection chain is a confusing and complicated map of multiple infection points that can lead to many different outcomes, even in scenarios where two hosts are infected at the same time,” the Microsoft researchers write.

“There are numerous components involved; distinguishing them might be difficult as the attackers behind the threat have gone to extreme lengths to protect the malware at every stage with complex loading mechanisms.”

According to data collected by Microsoft’s Defender for Endpoint tool, nearly 3,000 devices across approximately 1,000 organizations have received at least one alert about a malicious payload related to Raspberry Robin in the last 30 days.

“Raspberry Robin has evolved from a widespread worm with no observed post-infection actions when Red Canary first reported it in May 2022 to one of the largest currently active malware distribution platforms,” they wrote.

Red Canary researchers first observed Raspberry Robin activity in September 2021. The malware was a worm that was typically installed via a removable USB device and used compromised QNAP storage servers for its backend Command and Control (C2) servers.

A USB stick infected with Raspberry Robin contains an .lnk file that looks like a legitimate folder. The drive can be set up to run this file automatically – which companies can block – or trick the user into double-clicking the link file. This .lnk file then executes commands to fetch and run key malware code on the victim’s PC from a C2 server.
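An added example, not code from the article or from Microsoft's report: a PowerShell audit that checks whether the AutoRun block the article says companies can apply is actually in place, then lists .lnk files on removable drives that launch a command interpreter or installer rather than opening a folder. The registry values are Microsoft's documented AutoRun policy settings; the list of suspect interpreters is an assumption.

```powershell
# Added example (not from the article or Microsoft's report): a defender-side audit that
# (1) checks whether AutoRun is disabled by policy, the control the article says companies
# can apply, and (2) lists .lnk files on removable drives whose target is a command
# interpreter or installer, a heuristic chosen here for shortcuts disguised as folders.
# Run as an administrator for complete registry and drive access.

$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $policyKeys) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $allDrives = ($p.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF   # 0xFF = AutoRun off for every drive type
    $noInf     = $p.NoAutorun -eq 1                          # 1 = ignore autorun.inf commands entirely
    "{0}: NoDriveTypeAutoRun={1} NoAutorun={2} -> {3}" -f $key, $p.NoDriveTypeAutoRun, $p.NoAutorun,
        $(if ($allDrives -and $noInf) { 'AutoRun blocked' } else { 'AutoRun NOT fully blocked' })
}

# Interpreters/installers that a shortcut posing as a folder has no business launching (assumption).
$suspectTargets = 'cmd\.exe|powershell\.exe|msiexec\.exe|rundll32\.exe|odbcconf\.exe|wscript\.exe|cscript\.exe'
$shell = New-Object -ComObject WScript.Shell

Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {   # DriveType 2 = removable
    $root = $_.DeviceID + '\'
    Get-ChildItem -Path $root -Filter '*.lnk' -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($cmd -match $suspectTargets) {
            [pscustomobject]@{
                Drive    = $_.PSDrive.Name
                Shortcut = $_.Name
                Launches = $cmd.Trim()
                Verdict  = 'REVIEW: shortcut on removable media launches an interpreter'
            }
        }
    }
}
```

A shortcut that resolves to an interpreter is only a lead for review; a legitimate vendor tool can produce the same hit, so the full target and arguments are included in the output.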

See the Microsoft post above for technical details on how to detect a Raspberry Robin intrusion. A PC gets infected after inserting the USB drive and/or running the .lnk file. However, some infections appeared without a link file and a USB drive, suggesting that there is more than one way to catch Raspberry Robin.

It’s only going to get worse

Microsoft, IBM and Cisco have followed Raspberry Robin and its development. Two months after Red Canary’s report, Microsoft discovered that Raspberry Robin – which the IT giant tracks as DEV-0856 – was installing the FakeUpdates (aka SocGholish) backdoor malware on compromised computers, a backdoor also associated with Evil Corp – a Russian cybercrime group tracked by Microsoft as DEV-0243 – which distributes the Dridex banking Trojan.

Raspberry Robin has also been used to deliver the IcedID (aka BokBot) banking trojan, the Bumblebee malware loader, and the Truebot trojan. According to the Microsoft analysts, scumbags have also used it to run LockBit ransomware, and now Clop ransomware, on hijacked computers.

It gets worse. This month Microsoft saw that Raspberry Robin was being used by a crew tracked as DEV-0950, which overlaps with the gangs tagged FIN11 and TA505. After Raspberry Robin infects a PC, DEV-0950 uses it to run Cobalt Strike – and occasionally Truebot – according to Microsoft, and finally Clop ransomware runs on the victim’s computer. According to Microsoft researchers, Raspberry Robin has been a boon to these rogues.

“DEV-0950 has traditionally used phishing to attract the majority of its victims, so this remarkable shift to using Raspberry Robin allows them to deliver payloads to existing infections and move their campaigns into ransomware stages more quickly,” they wrote.

“Given the interconnected nature of the cybercrime economy, it is possible that the actors behind these Raspberry Robin-related malware campaigns – which are typically distributed through other means such as malicious ads or email – could be paying the Raspberry Robin operators for malware installations.”

In July, Microsoft found that Fauppod — malware distributed via Azure and Discord by another group called DEV-0651 — has code similar to Raspberry Robin. It also delivered FakeUpdates backdoors.

IBM’s Security X-Force in September found further connections between Raspberry Robin and Dridex, including similarities in structure and functionality between a Raspberry Robin DLL and a Dridex malware loader.

“Thus, IBM security research establishes another link between the Raspberry Robin infections and the Russia-based cybercriminal group ‘Evil Corp’, which is the same group behind the Dridex malware, suggesting that Evil Corp likely compromised the infrastructure of Raspberry Robin used to launch its attacks,” wrote Kevin Henson, a malware reverse engineer, and Emmy Ebanks, a cyberthreat responder, at IBM.

According to Microsoft, the malware is expected to continue to evolve into an increasingly dangerous threat.

“While Raspberry Robin appeared to have no purpose when first discovered, it has evolved and is on track to have potentially devastating effects on environments where it is still installed,” the analysts wrote.

“Raspberry Robin is likely to evolve, leading to more malware distribution and relationships with cybercriminal groups as installs grow.” ®

https://www.theregister.com/2022/10/28/microsoft_raspberry_robin_malware/

Rick Schindler
