1 August 2022

Raspberry Robin malware linked to Russian cybercrime syndicate Evil Corps


Raspberry Robin malware linked to Russian cybercrime syndicate Evil Corps

Microsoft’s cybersecurity team has found a potential connection between the recent Raspberry Robin malware attacks and Evil Corp, an infamous Russia-linked cybercrime syndicate sanctioned by the US government.

In an update to its May write-up on the ransomware-as-a-service RaaS) industry Microsoft said that an access broker it tracks as DEV-0206 has been observed using malvertising to trick victims into downloading a loader for additional malware previously linked to Evil Corps tracked by the tech giant as DEV-0243.

Microsoft said that it discovered the FakeUpdates malware (SocGholish) being delivered via existing Raspberry Robin infections on July 26.

“The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior,” the company noted in the report.

Raspberry Robin (aka QNAP Worm) was first spotted in September 2021 by researchers at cybersecurity firm Red Canary. The malware spreads via infected USB devices in a form of .LNK file and relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices. It was also observed using TOR exit nodes as additional command and control (C2) infrastructure. Red Canaty noted at the time that questions remain unanswered on the cluster’s later-stage activity and goals of these campaigns.

Last month, Microsoft warned its customers about the Raspberry Robin Windows worm found in the networks of hundreds of organizations including those in the technology and manufacturing sectors.

Back to the list

Latest Posts

Exploit code published online for a critical VMware vulnerability

Exploit code published online for a critical VMware vulnerability

A proof-of-concept code for the vulnerability along with technical analysis has been published by a security researcher.
10 August 2022
Cloudflare employees also targeted by SMS phishing attack

Cloudflare employees also targeted by SMS phishing attack

The company says that the attack occurred around the same time as Twilio was attacked and was similar in nature.
10 August 2022
Microsoft fixes yet another MSTD zero-day exploited in the wild

Microsoft fixes yet another MSTD zero-day exploited in the wild

Microsoft had been aware of the DogWalk vulnerability for nearly two years, but deemed it not a security issue.
10 August 2022