Raspberry Robin Worm Actors Linked to Clop, LockBit Ransomware Groups

The threat actors behind the Raspberry Robin worm have been associated with a complex and interconnected malware ecosystem comprising the Clop and LockBit ransomware groups.

The findings come from Microsoft, which said the worm now has infection methods beyond its original spread via USB drives.

“These infections lead to follow-on hands-on-keyboard attacks and human-operated ransomware activity,” Microsoft wrote in an advisory published on Thursday.

According to the security experts, Raspberry Robin (first spotted by Red Canary in May 2022) has evolved from being a widely distributed worm with no observed post-infection actions to one of the largest malware distribution platforms currently active.

“In July 2022, Microsoft security researchers observed devices infected with Raspberry Robin being installed with the FakeUpdates malware, which led to DEV-0243 activity,” the company wrote, referring to a ransomware-focused threat actor with links to EvilCorp, also believed to have deployed the LockBit ransomware in some campaigns.

By October 2022, Microsoft said it had observed Raspberry Robin being used in post-compromise activity attributed to another actor, DEV-0950.

“From a Raspberry Robin infection, the DEV-0950 activity led to Cobalt Strike hands-on-keyboard compromises, sometimes with a Truebot infection observed in between the Raspberry Robin and Cobalt Strike stage,” Microsoft explained. “The activity culminated in deployments of the Clop ransomware.”

The technology giant also added that, given the interconnected nature of the cyber-criminal economy, the actors behind these Raspberry Robin-related malware campaigns might be paying the Raspberry Robin operators for malware installs.

“Raspberry Robin’s infection chain is a confusing and complicated map of multiple infection points that can lead to many different outcomes, even in scenarios where two hosts are infected simultaneously.”

Microsoft said it believes Raspberry Robin will likely continue to develop, leading to more malware distribution and more relationships between cyber-criminal activity groups as its install footprint grows.

To help companies defend against this threat, the company has included detection details and indicators of compromise (IoCs) in the advisory.

Its publication comes days after a report by SonicWall suggested a shift in ransomware threats from the US and toward EMEA and APAC.