Raspberry Robin Worm Actors Linked to Clop, LockBit Ransomware Groups
The threat actors behind the Raspberry Robin worm have been associated with a complex and interconnected malware ecosystem comprising the Clop and LockBit ransomware groups.
The findings come from Microsoft, which has said the worm had alternate infection methods beyond its original USB drive spread.
“These infections lead to follow-on hands-on-keyboard attacks and human-operated ransomware activity,” Microsoft wrote in an advisory published on Thursday.
According to the security experts, Raspberry Robin (first spotted by Red Canary in May 2022) has evolved from being a widely distributed worm with no observed post-infection actions to one of the largest malware distribution platforms currently active.
“In July 2022, Microsoft security researchers observed devices infected with Raspberry Robin being installed with the FakeUpdates malware, which led to DEV-0243 activity,” the company wrote, referring to a ransomware-focused threat actor with links to EvilCorp, also believed to have deployed the LockBit ransomware in some campaigns.
By October 2022, Microsoft said it had observed Raspberry Robin being used in post-compromise activity attributed to another actor, DEV-0950.
“From a Raspberry Robin infection, the DEV-0950 activity led to Cobalt Strike hands-on-keyboard compromises, sometimes with a Truebot infection observed in between the Raspberry Robin and Cobalt Strike stage,” Microsoft explained. “The activity culminated in deployments of the Clop ransomware.”
The technology giant also added that, given the interconnected nature of the cyber-criminal economy, the actors behind these Raspberry Robin-related malware campaigns might be paying the Raspberry Robin operators for malware installs.
“Raspberry Robin’s infection chain is a confusing and complicated map of multiple infection points that can lead to many different outcomes, even in scenarios where two hosts are infected simultaneously.”
Microsoft said it believes Raspberry Robin will likely continue to develop and lead to more malware distribution and more relationships between cyber-criminal activity groups as its install footprint grows.
To help companies defend against this threat, the company has included detection details and indicators of compromise (IoCs) in the advisory.
Its publication comes days after a report by SonicWall suggested a shift in ransomware threats from the US and toward EMEA and APAC.