Infections attributed to the USB-based worm have taken off, and now evidence links the malware to Dridex and the sanctioned Russian cybercriminal group Evil Corp.

2 Min Read
American Robin perched on branch eating a Mountain Ash berry, Cordova, Southcentral Alaska, Autumn
Source: Design Pics Inc via Alamy Stock Photo

Raspberry Robin, a widespread USB-based worm that acts as a loader for other malware, has significant similarities to the Dridex malware loader, meaning that it can be traced back to the sanctioned Russian ransomware group Evil Corp.

Researchers from IBM Security reversed engineered two dynamic link libraries (DLLs) dropped during a Raspberry Robin infection and compared them to the Dridex malware loader, which is a tool that has been definitively linked to Evil Corp. in the past — in fact, the US Department of the Treasury sanctioned the Russia-based Evil Corp for developing Dridex in 2019.

They found that the decoding algorithms worked similarly, using random strings in the portable executables as well as having an intermediate loader code that decoded the final payload in a similar manner and contained anti-analysis code.

"The results show that they are similar in structure and functionality," Kevin Henson, a malware reverse engineer at IBM Security, wrote in the analysis. "Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks."

Raspberry Robin Takes Flight

Security firm Red Canary first analyzed and named Raspberry Robin in May. Soon after, it came to the attention of other researchers, including IBM Security.

The worm spreads quickly throughout internal networks, hitchhiking on USB devices passed between workers. While Raspberry Robin relies on social engineering techniques to convince victims to plug in an infected USB device, infections took off during the summer, with 17% of IBM Security's managed clients in targeted industries seeing infection attempts.

However, the malware puzzled researchers initially, because it simply hibernated on infected systems and appeared to have no second-stage payload. In July that changed: IBM and Microsoft researchers discovered that infected systems had begun downloading the FakeUpdates malware, typically a precursor to ransomware used by Evil Corp.

FakeUpdates, also known as SocGhoulish, masquerades as a legitimate software update, but installs popular attack software such as Cobalt Strike and Mimikatz, or ransomware, on the victim's computer.

Microsoft noted at the time that FakeUpdates is usually attributed to an access broker that the company tracks as DEV-206. If Evil Corp is distributing FakeUpdates through existing Raspberry Robin infections as suspected, it suggests a close partnership between the access broker and Evil Corp.

Historical analysis indicates that the Raspberry Robin activity can be traced as far back as September 2021. The malware is typically used against manufacturing, technology, oil and gas, and transportation industries.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights