Microsoft has identified recent activity that suggests the Raspberry Robin worm is a component of a large and intricate ecosystem of malware, with connections to other malware families. And additional infection vectors outside of its original USB drive distribution. These infections trigger hands-on-keyboard assaults and human-controlled ransomware activities as a result. Pre-ransomware behavior is the raspberry robin worm.

Our ongoing monitoring of Raspberry Robin-related activities also reveals a very active operation. According to Microsoft Defender for Endpoint statistics, roughly 3,000 devices in almost 1,000 organizations have had at least one alert relating to the Raspberry Robin payload in the past 30 days. Pre-ransomware behavior is the raspberry robin worm.

When Raspberry Robin was initially discovered by Red Canary in May 2022, it was a widely dispersed worm with no post-infection behaviors visible. Since then, it has developed into one of the most significant malware distribution platforms now in use. Microsoft security researchers discovered FakeUpdates malware being loaded on Raspberry Robin-infected devices in July 2022, which resulted in DEV-0243 activity.

In November 2021, the LockBit ransomware as a service (RaaS) payload was first deployed by the ransomware-related activity group DEV-0243. The DEV-0243 is also associated with activities tracked as EvilCorp by other vendors. Based on our studies, Raspberry Robin has since started implementing IcedID, Bumblebee, and Truebot.

Raspberry Robin was found employed in post-compromise activities in October 2022 that was linked to another actor, DEV-0950 (FIN11/TA505). Cobalt Strike hands-on-keyboard compromises resulted from a Raspberry Robin infection. And occasionally, a Truebot infection was seen between the Raspberry Robin and Cobalt Strike stages.

Clop ransomware deployments marked the culmination of the activity. Due to this remarkable switch from employing phishing to Raspberry Robin, DEV-0950 is now able to deliver payloads to existing infections and advance their campaigns more quickly towards ransomware phases.

Raspberry Robin’s initial spread via USB drives creates a new worm.

Red Canary noted that a new worm known as Raspberry Robin was infecting Windows systems via infected USB sticks at the start of May 2022. A folder-like Windows shortcut (LNK) file is present on the USB storage. This file’s generic file name, recovery.lnk, was used in earlier infections, but in more current ones, it references specific USB drive brands. The malware that infects USB drives with worms is not new, and many enterprises no longer consider it to be a major concern.

When a USB drive is used in an attack, the autorun.inf file on the targeted system needs to be modified or set up to designate which code should run when the drive is plugged in. Windows by default prevent removable media from being automatically run. However, with adjustments to historical Group Policies, it has been broadly enabled in many businesses.

Raspberry Robin infections
Attack chain of the original Raspberry Robin infections

Connection of Raspberry Robin to a bigger malware ecology

Microsoft security experts have found connections between Raspberry Robin and other malware families since our initial examination. The Raspberry Robin implant has begun to disseminate additional malware families. That was not unusual in the cybercriminal market where attackers buy “loads” or install from creators of popular and effective malware to further their objectives.

The first known instance of a Raspberry Robin-infected system installing a FakeUpdates (SocGholish) JavaScript backdoor was found on July 26, 2022. Previously, drive-by downloads or malicious advertising disguised as browser updates were the main ways that FakeUpdates were distributed. Microsoft identifies both the operators of the USB-based Raspberry Robin virus as DEV-0856 and the activity group responsible for FakeUpdates as DEV-0206.

Following their discovery of Raspberry Robin-deployed FakeUpdates, Microsoft security researchers kept an eye out for other as-yet-unidentified deployment mechanisms. In order to track the numerous outer layers of malware packed under the family name Fauppod. Additional signatures were developed as part of ongoing research into the various malware families dropped by Raspberry Robin’s USB-delivered infestations.

Future of Raspberry Robin worm as a gig economy cybercriminal

The majority of enterprises face an ongoing danger from cybercriminal malware, which exploits common flaws in security measures and deceives people through social engineering. Nearly every business is susceptible to these dangers, such Fauppod/Raspberry Robin and FakeUpdates. The key to mitigating the effects of these intricate and interconnected cybercriminal risks is to have strong protection. And detection strategy and to make investments in credential hygiene, least privileges, and network segmentation.

Raspberry Even in cases where two hosts are infected concurrently, Robin’s infection chain is perplexing. And complex diagrams of various infection points that can result in many distinct outcomes. The threat’s attackers have gone to great pains to shield the malware at every level with intricate loading procedures. That makes it difficult to distinguish between the many components. These attackers also delegate some of the most significant attack phases, such as the deployment of ransomware, to other actors.

Preventing effects caused by the Raspberry Robin worm

Worms can make noise and make security operations centers experience alert fatigue (SOCs). The worm operator has plenty of opportunities to sell afflicted network access to other cybercriminals if such exhaustion resulted in an erroneous or tardy cleanup.

While Raspberry Robin first appeared to serve no function, it has since developed. And is on the verge of having a possibly disastrous effect on areas where it is still present. As Raspberry Robin’s install base expands may flourish and foster links between groups engaged in cybercrime and malware distribution.