Raspberry Worm Exposes Larger, More Complex Malware Ecosystem

Just a few months after its discovery by Red Canary researchers in May 2022, Raspberry Robin has quickly evolved from a worm that, while widely distributed, didn’t show any post-infection actions to a sprawling and active platform for distributing malware.

“Microsoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread. These infections lead to follow-on hands-on-keyboard attacks and human-operated ransomware activity,” according to a Microsoft security blog.

“Our continuous tracking of Raspberry Robin-related activity also shows a very active operation,” the researchers said, with “nearly 3,000 devices in almost 1,000 organizations [having] seen at least one Raspberry Robin payload-related alert in the last 30 days.”

The researchers found that FakeUpdates malware was being installed on devices infected with Raspberry Robin, leading to activity by DEV-0243, “a ransomware-associated activity group that overlaps with actions tracked as EvilCorp by other vendors, [which] was first observed deploying the LockBit ransomware-as-a-service (RaaS) payload in November 2021,” the researchers wrote. “Since then, Raspberry Robin has also started deploying IcedID, Bumblebee and Truebot, based on our investigations.”

By October, the researchers “observed Raspberry Robin being used in post-compromise activity attributed to another actor, DEV-0950 (which overlaps with groups tracked publicly as FIN11/TA505),” Microsoft said. “From a Raspberry Robin infection, the DEV-0950 activity led to Cobalt Strike hands-on-keyboard compromises, sometimes with a Truebot infection observed in between the Raspberry Robin and Cobalt Strike stage.”

From there, Clop ransomware was deployed, marking a notable shift from phishing “to using Raspberry Robin … to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages,” the researchers noted.

Because the cybercriminal economy is so interconnected, Microsoft posited that the actors behind the Raspberry Robin-related malware campaigns—usually distributed through other means like malicious ads or email—could be “paying the Raspberry Robin operators for malware installs.”

Attacks using Raspberry Robin “involve multi-stage intrusions, and its post-compromise activities require access to highly privileged credentials to cause widespread impact,” Microsoft researchers wrote.

“The evolution of the Raspberry Robin worm, and its connection to a larger cybercriminal ecosystem, is another example of how threat actors have matured their business models,” said Mike Parkin, senior technical engineer at Vulcan Cyber.

“As our defenses have improved, the threats have grown more sophisticated and complex to match,” said Parkin. “We’re not dealing with isolated threat actors. We’re not dealing with script kiddies showing off by defacing websites. We are dealing with a criminal ecosystem that sometimes gets support from State level agencies and uses business models that are maturing and evolving over time.”

The evolution of Raspberry Robin has thrown security experts off stride. “Just when we thought nothing else could hold us to ransom we are now seeing ransomware delivery systems level up their sophistication and integrate with their counterparts,” said Andrew Barratt, vice president at Coalfire.

“Originally delivered by USB, Raspberry Robin would have had a slow infection rate (slow in a linear sense). The malware is something of a Leatherman of the underworld variety with ransomware capabilities, as well as multi-stage dropper features allowing it to quickly become a vehicle for further compromise,” said Barratt. “Now that it’s being pushed by the FakeUpdates Malware, we could see widespread campaigns leveraging the drive-by download capabilities coupled with Raspberry Robin’s broad range of capabilities.”

Barratt called this “a form of vertical integration in the malware community” with FakeUpdates providing the initial access and first delivery, then “Raspberry Robin offering up extensive post-initial-access capabilities for either quick monetization or further compromise.”

That combination, he said, “could easily masquerade as a harmless browser update and an unsuspecting user could find themselves as the target of a payload that has obfuscated itself enough to evade a local AV tool.”


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
