A threat group tracked as DEV-0950 has been observed using Clop ransomware to encrypt the networks of victims previously infected with the Raspberry Robin worm.
In their most recent report, Microsoft Security Threat Intelligence analysts say the Raspberry Robin worm has become part of a larger malware ecosystem that opens the door to ransomware activity.
The Windows malware spreads, worm-like, via infected USB devices to other devices on a target's network.
When a USB device containing a malicious .LNK file is attached and the shortcut is opened, the worm spawns an msiexec process via cmd.exe to launch a second malicious file stored on the infected drive. On compromised Windows devices it then communicates with its command-and-control (C2) servers.
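The launch chain just described (shortcut on a removable drive, cmd.exe, msiexec.exe pointed at a file on that same drive) is a good hunting signal because msiexec rarely has cmd.exe as its parent and rarely installs from a USB stick. The following detector is an added example, not code from the original article or from Microsoft: it runs a simple heuristic over constructed Sysmon-style process-creation events (Event ID 1 fields Image, ParentImage, CommandLine). The sample command lines, the hypothetical `ProcEvent` record and the "anything not on C: is removable" rule are assumptions made for illustration; in production, take the removable-media set from the host's volume inventory rather than guessing from the drive letter.

```python
"""Hunt for the Raspberry Robin launch chain in process-creation telemetry.

Added example (not from the original article or from Microsoft).  Flags
msiexec.exe spawned by cmd.exe with an argument that lives on a non-system
drive, which is the chain the text describes: .LNK on a USB stick -> cmd.exe
-> msiexec.exe launching a second file stored on the same drive.
Field names mirror Sysmon Event ID 1; the sample events are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: C: is the system volume; every other drive letter is treated as
# removable media for this heuristic.
SYSTEM_DRIVES = {"C:"}

# A drive-letter path such as E:\setup\payload.dat (stops at whitespace/quotes,
# so quoted paths containing spaces are only matched up to the first space).
DRIVE_PATH_RE = re.compile(r"(?<![A-Za-z])([A-Za-z]:\\[^\s\"']+)")


@dataclass(frozen=True)
class ProcEvent:
    """Hypothetical minimal process-creation record (Sysmon Event ID 1 subset)."""
    image: str          # Image: full path of the new process
    parent_image: str   # ParentImage: full path of the parent process
    command_line: str   # CommandLine of the new process


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'msiexec.exe'."""
    return PureWindowsPath(path).name.lower()


def non_system_drive_paths(command_line: str) -> list[str]:
    """Every drive-letter path in the command line that is not on a system drive."""
    return [p for p in DRIVE_PATH_RE.findall(command_line)
            if p[:2].upper() not in SYSTEM_DRIVES]


def is_msiexec_from_cmd_on_removable(ev: ProcEvent) -> bool:
    """True when cmd.exe spawns msiexec.exe with an argument on a non-system drive."""
    return (image_name(ev.image) == "msiexec.exe"
            and image_name(ev.parent_image) == "cmd.exe"
            and bool(non_system_drive_paths(ev.command_line)))


def hunt(events: list[ProcEvent]) -> list[ProcEvent]:
    """Return the events that match the suspicious launch chain."""
    return [ev for ev in events if is_msiexec_from_cmd_on_removable(ev)]


# Constructed sample telemetry; these are NOT real Raspberry Robin command lines.
SAMPLE_EVENTS = [
    # Suspicious: cmd.exe -> msiexec.exe installing a package from the E: (USB) drive
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\cmd.exe",
              r"msiexec /q /i E:\recovery\update.msi"),
    # Benign: user double-clicks an installer on the system drive (parent is explorer.exe)
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\explorer.exe",
              r'msiexec /i "C:\Users\alice\Downloads\7z2201-x64.msi"'),
    # Benign: a script uninstalls an agent package that lives on the system drive
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\cmd.exe",
              r"msiexec /x C:\ProgramData\agent\agent.msi /qn"),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print("ALERT: msiexec from cmd.exe using removable-drive path:", ev.command_line)
```

The parent-process condition is what keeps the rule quiet: msiexec launched from explorer.exe or from a software-deployment agent on C: does not fire, while the USB-resident second stage does. To extend the hunt to the rest of the chain described in the text, correlate the flagged event with a preceding explorer.exe child whose command line points at a .LNK on the same drive letter.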
According to BleepingComputer, Raspberry Robin has also been used to drop other second-stage payloads, including IcedID, Bumblebee, and Truebot.
In October 2022, Microsoft researchers observed Raspberry Robin infections followed by Cobalt Strike activity from DEV-0950. This activity, which in some cases included a Truebot infection, eventually deployed the Clop ransomware.
According to Microsoft's report, DEV-0950 has traditionally relied on phishing to reach victims, so the shift to Raspberry Robin means the group can deliver payloads to existing infections and move its campaigns to the ransomware stage more quickly.
DEV-0950's activity overlaps with that of the cybercrime groups tracked as FIN11 and TA505, both known for deploying Clop ransomware on targets' systems.
The number of affected organizations is approaching 1,000 in a single month: Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days.