The Raspberry Robin malware is being used to deliver all kinds of destructive code, including ransomware, to compromised endpoints, Microsoft has warned.
The malware, first discovered in late 2021 and whose end game was unknown at the time, appears to have evolved into an infection service available to anyone able to pay.
Microsoft's security researchers released the details in a blog post in which they describe Raspberry Robin as “part of a complex and interconnected malware ecosystem,” with links to other malware families and alternative infection methods.
Infection for rent
Whoever is behind Raspberry Robin has been busy over the past few weeks: according to Microsoft Defender for Endpoint data, nearly 3,000 devices in 1,000 organizations have received at least one alert about the Raspberry Robin payload in the past 30 days.
Payloads vary, the company further explained, from the FakeUpdates malware that led to possible EvilCorp activity, to IcedID, Bumblebee and Truebot. This all dates from July 2022.
In October 2022, however, Microsoft also observed Raspberry Robin being used by FIN11 (aka TA505, the group behind the Dridex banking trojan and the Locky ransomware). This activity led to hands-on-keyboard Cobalt Strike compromises, the company explained, with Truebot sometimes deployed between the Raspberry Robin and Cobalt Strike stages. After the Cobalt Strike beacon, the group deployed the Clop ransomware.
All things considered, Microsoft has come to the conclusion that the group behind Raspberry Robin is taking payments to deploy various malware and ransomware on its victims’ endpoints.
“Given the interconnected nature of the cybercriminal economy, it is entirely possible that the entities behind these Raspberry Robin-related malware campaigns — typically distributed through other means such as malicious ads or email — are paying Raspberry Robin operators to install malware,” the report concludes.
Raspberry Robin was first discovered when researchers at Red Canary noticed a “swarm of malicious activity.” The malware usually spreads offline via infected USB drives; after analyzing an infected flash drive, the researchers found that the worm spreads to new devices via a malicious .LNK file.
https://www.techradar.com/news/microsoft-warns-raspberry-robin-malware-is-getting-a-lot-sourer/