{"id":9792,"date":"2022-08-02T10:26:10","date_gmt":"2022-08-02T10:26:10","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=9792"},"modified":"2022-08-02T10:26:10","modified_gmt":"2022-08-02T10:26:10","slug":"raspberry-robin-and-evil-corp","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/raspberry-robin-and-evil-corp\/","title":{"rendered":"Microsoft Links Raspberry Robin Worm to Evil Corp"},"content":{"rendered":"

Microsoft analysts have noticed that the access broker, which the company tracks as DEV-0206, is using the Raspberry Robin Windows worm to deploy the malware loader on networks where traces of malicious activity by Evil Corp are also detected.<\/h4>\n

Let me remind you that we also wrote that The Austrian Company DSIRF<\/b> Was Linked to the Knotweed<\/b> Hack Group and the Subzero<\/b> Malware<\/a>, and also that Experts Find Similarities Between LockBit<\/b> and BlackMatter<\/b><\/a>.<\/p>\n

On July 26, 2022, Microsoft<\/b> researchers discovered that FakeUpdates<\/b> (aka SocGholish<\/b>) malware is being delivered through existing Raspberry Robin<\/b> infections. FakeUpdates activity related to DEV-0206<\/b> on affected systems has since resulted in subsequent malicious activity resembling DEV-0243<\/b>‘s behavior prior to ransomware deployment.the experts write.<\/span><\/div><\/div>\n

\"Raspberry<\/p>\n

Let me remind you that last month, researchers discovered the presence<\/a> of the Raspberry Robin worm in the networks of hundreds of organizations from various industries, some of which worked in the technology and manufacturing sectors. Although Microsoft observed how the malware binds to addresses on the Tor<\/b> network, the attackers’ targets remained unknown, as they did not yet have access to their victims’ networks.<\/p>\n

Raspberry Robin malware was first found by analysts from Red Canary<\/b><\/a>. In the spring of this year, it became known that the malware has the capabilities of a worm, spreads using USB drives, and has been active since at least September 2021. Security company Sekoia<\/a><\/b> even observed how malware used Qnap NAS<\/b> devices as control servers back in November last year.<\/p>\n

While the hackers did nothing, Microsoft labelled the campaign as high-risk, given that attackers could download and deploy additional malware on victims’ networks at any time and elevate their privileges.<\/p>\n

Now, researchers have finally seen the first signs of how the hackers intend to exploit the access<\/a> they have gained to their victims’ networks with the Raspberry Robin.<\/p>\n

The aforementioned DEV-0206<\/b> is the code name for an access broker that deploys the FakeUpdates malware on victim machines, forcing the victim to download fake browser updates as ZIP archives. This malware essentially works as a conduit for other malicious campaigns and attackers who use access acquired from DEV-0206<\/b> to spread their payloads. So, the noticed Cobalt Strike<\/b> loaders, apparently, are associated with the DEV-0243<\/b> group, better known as Evil Corp<\/b>.<\/p>\n

In June 2022, cybersecurity experts noticed that Evil Corp switched to using the LockBit ransomware<\/a> to avoid sanctions previously imposed by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC<\/b>). It was assumed that the use of other people’s resources and this new tactic would allow hackers to spend the time saved on developing their own malware to expand their operations.<\/p>\n","protected":false},"excerpt":{"rendered":"

Microsoft analysts have noticed that the access broker, which the company tracks as DEV-0206, is using the Raspberry Robin Windows worm to deploy the malware loader on networks where traces of malicious activity by Evil Corp are also detected. Let me remind you that we also wrote that The Austrian Company DSIRF Was Linked to […]<\/p>\n","protected":false},"author":3,"featured_media":9799,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[233,28,94,857],"class_list":{"0":"post-9792","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-evil-corp","9":"tag-malware","10":"tag-microsoft","11":"tag-raspberry-robin"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/08\/Raspberry-Robin-and-Evil-Corp.jpg","author_info":{"display_name":"Vladimir Krasnogolovy","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/krasnogolovy\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/9792","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=9792"}],"version-history":[{"count":4,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/9792\/revisions"}],"predecessor-version":[{"id":9797,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/9792\/revisions\/9797"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/9799"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=9792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=9792"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=9792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}