Microsoft revealed a potential link between the notorious Russian cybercriminal group Evil Corp and the Raspberry Robin USB-based worm on Friday.
The company said that on July 26, 2022, it observed existing Raspberry Robin infections being used to deliver the FakeUpdates (also known as SocGholish) malware.
Raspberry Robin, also known as the QNAP Worm, spreads from a compromised system to other devices on the target network via infected USB drives that contain malicious .LNK (Windows shortcut) files.
The campaign, first documented by Red Canary in September 2021, has been difficult to attribute because no later-stage activity and no direct connection to a known threat actor or group had been observed.
The disclosure therefore represents the first evidence of post-exploitation activity carried out by a threat actor after using the malware to obtain initial access to a Windows machine.
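Because the worm propagates through shortcut files on USB media, a quick triage check is to enumerate every .LNK on removable drives and show what each one actually launches. The following PowerShell script is an added example for this page, not code from the article, Microsoft or Red Canary; the list of "suspicious" target binaries is a generic heuristic assumed for illustration, not a documented Raspberry Robin indicator.

```powershell
# Added example (not from the article or the vendors it cites):
# list .LNK shortcut files on removable drives and flag ones that are
# hidden or whose target is a script/installer host. The target list
# is an assumed generic heuristic, not a published indicator.

$suspiciousTargets = @(
    'cmd.exe', 'powershell.exe', 'msiexec.exe', 'rundll32.exe',
    'mshta.exe', 'wscript.exe', 'cscript.exe'
)

# WScript.Shell can parse a .LNK without executing it.
$shell = New-Object -ComObject WScript.Shell

# Win32_LogicalDisk DriveType 2 = removable disk (USB sticks, SD cards).
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'

foreach ($disk in $removable) {
    $root = $disk.DeviceID + '\'
    Write-Host "Scanning $root"

    Get-ChildItem -Path $root -Filter '*.lnk' -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)

            # Guard against shortcuts with an empty target.
            $targetName = ''
            if ($lnk.TargetPath) {
                $targetName = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLower()
            }

            $hidden = ($_.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0

            [PSCustomObject]@{
                Shortcut   = $_.FullName
                Hidden     = $hidden
                Target     = $lnk.TargetPath
                Arguments  = $lnk.Arguments
                Suspicious = ($suspiciousTargets -contains $targetName)
            }
        } |
        Where-Object { $_.Suspicious -or $_.Hidden } |
        Format-List
}
```

Run it from an isolated analysis host with autorun disabled, and never double-click the shortcuts themselves; the point is to read the TargetPath and Arguments fields, since a shortcut on a USB stick that launches a command interpreter or installer with arguments deserves a closer look regardless of what its icon or name suggests.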
According to Microsoft, “the DEV-0206-associated FakeUpdates activity on impacted computers has since resulted in subsequent activities that are similar to DEV-0243 pre-ransomware behaviour.”
In practice, Raspberry Robin acts as an initial-access conduit: the access it provides is handed to DEV-0206 (the FakeUpdates operator), which then distributes follow-on payloads, notably Cobalt Strike loaders associated with DEV-0243, also known as Evil Corp.
The financially motivated group, also tracked as Gold Drake and Indrik Spider, previously operated the Dridex banking trojan but has since moved on to a number of ransomware families, most recently LockBit.
Microsoft assessed that DEV-0243's use of a RaaS payload is probably an attempt to avoid attribution to Evil Corp, since attribution could deter victims from paying because of the group's sanctioned status (Evil Corp was sanctioned by the U.S. Treasury in December 2019).
It is not immediately clear what the specific ties are between DEV-0206 and DEV-0243 (Evil Corp).
According to Katie Nickels, director of intelligence at Red Canary, if the findings are confirmed to be accurate, they would close a “significant gap” in Raspberry Robin’s methodology.
According to Nickels, “We continue to observe Raspberry Robin activity, but we have not been able to link it to any particular individual, business, institution, or nation.”
“In the end, it is still too early to determine if Evil Corp is connected to or accountable for Raspberry Robin. In the intricate Ransomware-as-a-Service (RaaS) ecosystem, multiple criminal organisations collaborate with one another to accomplish a range of goals. It can be challenging to separate the connections between malware families and detected behaviour as a result.”