Raspberry Robin, a widespread USB-based worm that acts as a loader for other malware, has significant similarities to the Dridex malware loader, meaning that it can be traced back to the sanctioned Russian ransomware group Evil Corp.
Researchers from IBM Security reversed engineered two dynamic link libraries (DLLs) dropped during a Raspberry Robin infection and compared them to the Dridex malware loader, which is a tool that has been definitively linked to Evil Corp. in the past — in fact, the US Department of the Treasury sanctioned the Russia-based Evil Corp for developing Dridex in 2019.
They found that the decoding algorithms worked similarly, using random strings in the portable executables as well as having an intermediate loader code that decoded the final payload in a similar manner and contained anti-analysis code.
“The results show that they are similar in structure and functionality,” Kevin Henson, a malware reverse engineer at IBM Security, wrote in the analysis. “Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks.”
Raspberry Robin Takes Flight
Security firm Red Canary first analyzed and named Raspberry Robin in May. Soon after, it came to the attention of other researchers, including IBM Security.
The worm spreads quickly throughout internal networks, hitchhiking on USB devices passed between workers. While Raspberry Robin relies on social engineering techniques to convince victims to plug in an infected USB device, infections took off during the summer, with 17% of IBM Security’s managed clients in targeted industries seeing infection attempts.
However, the malware puzzled researchers initially, because it simply hibernated on infected systems and appeared to have no second-stage payload. In July that changed: IBM and Microsoft researchers discovered that infected systems had begun downloading the FakeUpdates malware, typically a precursor to ransomware used by Evil Corp.
FakeUpdates, also known as SocGhoulish, masquerades as a legitimate software update, but installs popular attack software such as Cobalt Strike and Mimikatz, or ransomware, on the victim’s computer.
Microsoft noted at the time that FakeUpdates is usually attributed to an access broker that the company tracks as DEV-206. If Evil Corp is distributing FakeUpdates through existing Raspberry Robin infections as suspected, it suggests a close partnership between the access broker and Evil Corp.
Historical analysis indicates that the Raspberry Robin activity can be traced as far back as September 2021. The malware is typically used against manufacturing, technology, oil and gas, and transportation industries.