It seems that Malwarewhich was first discovered in late 2021, whose end was unknown at the time, has turned into an infection service available to anyone with cash to pay.
Microsoft cybersecurity researchers have published a detailed report Blog Posts (Opens in a new tab) They described the Raspberry Robin as “part of a complex and interconnected malware ecosystem”, with links to other malware families and alternative infection routes.
infection for hire
Regardless of who behind the Raspberry Robin has been busy over the past two weeks, according to Microsoft Defender for Endpoint data, nearly 3,000 devices in 1,000 organizations have experienced at least one alert related to a Raspberry Robin payload in the last 30 days.
The company explained that the payloads vary from the FakeUpdates malware that led to possible EvilCorp activity, to IceID, Bumblebee and Truebot. This is all in July 2022.
Although, in October 2022, Microsoft also spotted a Raspberry Robin used by FIN11 (AKA TA505, – the group behind the Dridex banking trojan and Locky ransomware). The company explained that this activity led to practical keyboard compromises from the Cobalt Strike, sometimes with Truebot hitting between the Raspberry Robin and Cobalt Strike stages. After the Cobalt Strike beacon, the group published Clop ransomware.
After all things considered, Microsoft has concluded that the group behind Raspberry Robin is being paid to spread various malware and ransomware to its victims’ endpoints.
The report concludes, “Given the interconnected nature of the cybercriminal economy, it is possible that the actors behind the Raspberry Robin-associated malware campaigns—usually distributed through other means such as advertisements or malicious email—are paying Raspberry Robin operators for installs. Malware”.
Robin was raspberry first identified When researchers discovered a red canary “array of malicious activities.” Malware is usually distributed offline via infected USB drives. After analyzing the infected thumb drive, researchers discovered that the worm was spreading to new devices via a malicious .LNK file.
- Track traffic with best firewall (Opens in a new tab) Abroad