September 18, 2022
Russian Hackers Evil Corp, YT Trending - Latest Technology News

Raspberry Robin USB Worm

Microsoft revealed a potential link between the notorious Russian cybercriminal group Evil Corp and the Raspberry Robin USB-based worm on Friday.

The tech giant said that on July 26, 2022, it observed existing Raspberry Robin infections being used to deliver the FakeUpdates (also known as SocGholish) malware.


Raspberry Robin, also known as the QNAP Worm, is known to spread from a compromised system to other devices on the target network via infected USB drives that contain malicious .LNK (Windows shortcut) files.


The campaign, which Red Canary first discovered in September 2021, has proven difficult to attribute because no evidence of later-stage activity, and no direct connection to a known threat actor or group, had been found.

The disclosure therefore represents the first evidence of post-exploitation operations carried out by a threat actor after using the worm to gain initial access to a Windows machine.

According to Microsoft, “the DEV-0206-associated FakeUpdates activity on impacted computers has since resulted in subsequent activities that are similar to DEV-0243 pre-ransomware behaviour.”


DEV-0206 is Redmond’s designation for an initial access broker that delivers a malicious JavaScript framework called FakeUpdates by tricking targets into downloading fake browser updates packaged as ZIP archives.


At its core, the malware serves as a conduit for other campaigns that leverage the access obtained from DEV-0206 to distribute other payloads, particularly Cobalt Strike loaders associated with DEV-0243, also known as Evil Corp.

The financially motivated group, also tracked as Gold Drake and Indrik Spider, previously operated the Dridex malware but has since moved to deploying a number of ransomware families, most recently LockBit.

Microsoft said that the use of a RaaS payload by the “Evil Corp” activity group (DEV-0243) is probably an effort to avoid being identified as Evil Corp, since that identification could deter victims from paying because of the group’s sanctioned status.

It’s not immediately evident what specific ties there could be between Evil Corp, DEV-0206, and DEV-0243.

According to Katie Nickels, director of intelligence at Red Canary, if the findings are confirmed to be accurate, they would close a “significant gap” in Raspberry Robin’s methodology.

According to Nickels, “We continue to observe Raspberry Robin activity, but we have not been able to link it to any particular individual, business, institution, or nation.”

“In the end, it is still too early to determine if Evil Corp is connected to or accountable for Raspberry Robin. In the intricate Ransomware-as-a-Service (RaaS) ecosystem, multiple criminal organisations collaborate with one another to accomplish a range of goals. It can be challenging to separate the connections between malware families and detected behaviour as a result.”
