Raspberry Robin's Cyber Worm Infects Thousands of Endpoints

The malware is being used to deliver Clop ransomware, in a vicious spate of October attacks that show an evolution in its methods.

[Image: a North American robin in a tree with red berries. Source: Design Pics Inc via Alamy Stock Photo]

The Raspberry Robin cyber-worm operation has infected nearly 3,000 devices in almost 1,000 organizations in the last 30 days, according to Microsoft telemetry — and the threat seems to be molting into something new.

Raspberry Robin was initially spotted back in May, infecting targets via infected USB drives and worming to other endpoints — but then remaining dormant. That changed in July, when Microsoft security researchers saw Raspberry Robin importing the FakeUpdates malware to devices where it was nesting. Further exploration of the activity revealed some infrastructure overlaps with the infamous Dridex Trojan and the Evil Corp (aka DEV-0243) ransomware gang.

Since then, Raspberry Robin has also started deploying IcedID, Bumblebee, and Truebot, according to a Microsoft update on Oct. 27, with researchers uncovering a notable spate of attacks in October that have resulted in Clop ransomware infections. The threat has also taken flight beyond its initial USB access vector, researchers noted, and is now capable of using at least four different methods for gaining purchase on devices.

The computing giant attributes the post-compromise Clop activity to a group it tracks as DEV-0950 (aka FIN11 or TA505), indicating that Raspberry Robin is establishing itself in the wider cybercrime economy.

"DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages," Microsoft researchers noted.

They added, "Given the interconnected nature of the cybercriminal economy, it's possible that the actors behind these Raspberry Robin-related malware campaigns — usually distributed through other means like malicious ads or email — are paying the Raspberry Robin operators for malware installs."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
