Microsoft found Raspberry Robin malware used for Evil Corp attacks
Microsoft has found Raspberry Robin malware on the networks of hundreds of organizations from a wide range of industry sectors. The company has discovered that an access broker uses the Raspberry Robin Windows worm to deploy a malware downloader on networks where it also found evidence of malicious activity matching Evil Corp tactics.
Evil Corp, the cybercrime group that appears to be taking advantage of Raspberry Robin’s access to enterprise networks, is known for pushing the Dridex malware and for switching to deploying ransomware.
The company said, “Microsoft researchers discovered the FakeUpdates malware being delivered via existing Raspberry Robin infections. The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior.”
Once deployed on a compromised system, the malware spreads via infected USB devices to other devices on the target’s network. This is the first time security researchers have found evidence of how the threat actors behind Raspberry Robin plan to exploit the access they gained to their victims’ networks using this worm.
Switching between ransomware payloads and adopting a Ransomware as a Service (RaaS) affiliate role are part of Evil Corp’s efforts to evade sanctions imposed by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) for using Dridex to cause over $100 million in financial damages.
Using other groups’ malware also allows Evil Corp to distance itself from known tooling, so that its victims can pay ransoms without facing the risks associated with violating OFAC regulations. Assuming a RaaS affiliate role would also likely allow its operators to expand the gang’s ransomware deployment operations and give its malware developers enough free time and resources to develop new ransomware.