The Raspberry Robin cyber-worm operation has infected nearly 3,000 devices in almost 1,000 organizations in the last 30 days, according to Microsoft telemetry — and the threat seems to be molting into something new.
Raspberry Robin was initially spotted back in May, compromising targets via infected USB drives and worming to other endpoints, but then remaining dormant. That changed in July, when Microsoft security researchers saw Raspberry Robin importing the FakeUpdates malware to devices where it was nesting. Further exploration of the activity revealed some infrastructure overlaps with the infamous Dridex Trojan and the Evil Corp (aka DEV-0243) ransomware gang.
Since then, Raspberry Robin has also started deploying IcedID, Bumblebee, and Truebot, according to a Microsoft update on Oct. 27, with researchers uncovering a notable spate of attacks in October that have resulted in Clop ransomware infections. The threat has also taken flight beyond its initial USB access vector, researchers noted, and is now capable of using at least four different methods for gaining purchase on devices.
The computing giant attributes the post-compromise Clop activity to a group it tracks as DEV-0950 (aka FIN11 or TA505), indicating that Raspberry Robin is establishing a perch in the wider cybercrime economy.
“DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages,” Microsoft researchers noted.
They added, “Given the interconnected nature of the cybercriminal economy, it’s possible that the actors behind these Raspberry Robin-related malware campaigns — usually distributed through other means like malicious ads or email — are paying the Raspberry Robin operators for malware installs.”