Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints

The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware.

It is “part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread,” the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up.

Raspberry Robin, also called QNAP Worm owing to the use of compromised QNAP storage servers for command-and-control, is the name given to a malware by cybersecurity company Red Canary that spreads to Windows systems through infected USB drives.

MSTIC is keeping tabs on the activity group behind the USB-based Raspberry Robin infections as DEV-0856, adding it’s aware of at least four confirmed entry points that all have the likely end goal of deploying ransomware.

The tech giant’s cybersecurity team said that Raspberry Robin has evolved from a widely distributed worm with no observed post-infection actions to one of the largest malware distribution platforms currently active.

According to telemetry data collected from Microsoft Defender for Endpoint, roughly 3,000 devices spanning nearly 1,000 organizations have encountered at least one Raspberry Robin payload-related alert in the last 30 days.

The latest development adds to growing evidence of post-exploitation activities linked to Raspberry Robin, which, in July 2022, was discovered acting as a conduit to deliver the FakeUpdates (aka SocGholish) malware.

This FakeUpdates activity has also been followed by pre-ransomware behavior attributed to a threat cluster tracked by Microsoft as DEV-0243 (aka Evil Corp), the infamous Russian cybercrime syndicate behind the Dridex trojan and a command-and-control (C2) framework called TeslaGun.

Microsoft, in October 2022, said it detected Raspberry Robin being used in post-compromise activity attributed to a different threat actor it has codenamed DEV-0950 and which overlaps with groups monitored publicly as FIN11 and TA505.

While the names FIN11 and TA505 have often been used interchangeably, Google-owned Mandiant (formerly FireEye) describes FIN11 as a subset of activity under the TA505 group.

It’s also worth pointing out the conflation of Evil Corp and TA505, although Proofpoint assesses “TA505 to be different than Evil Corp,” suggesting that these clusters share partial tactical commonalities with one another.

“From a Raspberry Robin infection, the DEV-0950 activity led to Cobalt Strike hands-on-keyboard compromises, sometimes with a TrueBot infection observed in between the Raspberry Robin and Cobalt Strike stage,” the researcher said. “The activity culminated in deployments of the Clop ransomware.”

Microsoft also theorized that the actors behind these Raspberry Robin-related malware campaigns are paying the worm’s operators for payload delivery, enabling them to move away from phishing as a vector to acquire new victims.

What’s more, a cybercriminal actor dubbed DEV-0651 has been linked to the distribution of another artifact called Fauppod through the abuse of legitimate cloud services, which exhibits code similarities to Raspberry Robin and also drops the FakeUpdates malware.

The Windows maker further noted wih medium confidence that Fauppod represents the earliest known link in the Raspberry Robin infection chain for propagating the latter via LNK files to USB drives.

To add to the attack puzzle, IBM Security X-Force, early last month, identified functional similarities between a loader component used in the Raspberry Robin infection chain and the Dridex malware. Microsoft is attributing this code-level connection to Fauppod adopting Dridex’s methods to avoid execution in specific environments.

“Raspberry Robin’s infection chain is a confusing and complicated map of multiple infection points that can lead to many different outcomes, even in scenarios where two hosts are infected simultaneously,” Microsoft said.