Microsoft links Raspberry Robin USB Worm to Russian Evil Corp hackers


Microsoft on Friday revealed a possible link between the Raspberry Robin USB-based worm and a notorious Russian cybercrime group tracked as Evil Corp.

The tech giant said it observed the FakeUpdates (aka SocGholish) malware delivered on July 26, 2022 via existing Raspberry Robin infections.

Raspberry Robin, also known as QNAP Worm, is known to spread from a compromised system through infected USB devices containing malicious .LNK files to other devices in the target network.

First spotted by Red Canary in September 2021, the campaign has been elusive as no late-stage activity has been documented, nor is there any concrete link between the campaign and any known threat actor or group.

The disclosure therefore marks the first evidence of post-exploit actions performed by the threat actor when using the malware to gain initial access to a Windows machine.

“The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-ups similar to DEV-0243 pre-ransomware behavior,” Microsoft noted.

DEV-0206 is Redmond’s nickname for an initial access broker that implements a malicious JavaScript framework called FakeUpdates by tricking targets into downloading fake browser updates in the form of ZIP archives.

At its core, the malware acts as a conduit for other campaigns that use this access purchased from DEV-0206 to distribute other payloads, primarily Cobalt Strike loaders attributed to DEV-0243, also known as Evil Corp.

Referred to as Gold Drake and Indrik Spider, the financially motivated hacking group has managed Dridex malware in the past and has since moved to deploying a range of ransomware families, most recently LockBit.

“The use of a RaaS payload by the ‘EvilCorp’ activity group is likely an attempt by DEV-0243 to prevent attribution to their group, which could discourage payment due to their sanctioned status,” Microsoft said.

It is not immediately clear what exact connections Evil Corp, DEV-0206 and DEV-0243 have with each other.

Katie Nickels, director of intelligence at Red Canary, said in a statement shared with The Hacker News that the findings, if proven correct, will fill a “big hole” with Raspberry Robin’s modus operandi.

“We continue to see Raspberry Robin activity, but we haven’t been able to associate it with any specific person, company, entity or country,” Nickels said.

“Ultimately, it’s too early to say whether Evil Corp is responsible for or associated with Raspberry Robin. The Ransomware-as-a-Service (RaaS) ecosystem is complex, with different criminal groups working together to achieve different goals. As a result it can be difficult to untangle the relationships between malware families and observed activity.”