The infection rate of the Raspberry Robin worm has skyrocketed in the past months. Cybersecurity experts attribute the increase to the growing number of threat groups adopting the highly evasive worm.
Based on reports, the Raspberry Robin malware was initially propagated by its operators through external USB drives. However, a recent study revealed that malware operators utilised additional infection strategies and worked with other malware strains for an efficient campaign.
Researchers first identified the worm in September last year. Initial reports stated that the worm had been labelled as a part of a complicated system of interconnected malware. Numerous threat groups are now propagating these sets of malware strains.
According to researchers, operators distributed the worm to 3,000 systems owned by 1,000 organisations within the previous month.
Several Raspberry Robin attacks are connected to a malicious threat group known as DEV-0950. Past investigations showed that this threat group is notorious for delivering the Cl0p ransomware.
Researchers stated that they had not observed any post-infection exploits carried out by Raspberry Robin itself. However, some threat groups, especially the Cl0p ransomware operators, have used it as a loader.
Cl0p ransomware operators exploit past Raspberry Robin victims.
Based on a report provided by Microsoft, the Cl0p ransomware group could encrypt the network of a target already compromised by the Raspberry Robin worm.
Moreover, DEV-0950 began to use the Raspberry Robin malware for initial infection in order to drop its ransomware. The group has also used Bumblebee, Truebot, and IcedID as second-stage payloads.
As of this month, Raspberry Robin worm attacks are followed by Truebot and Cobalt Strike infections that lead to Cl0p ransomware attacks. DEV-0950’s cybercriminal activity also appears similar to that of the hacking groups TA505 and FIN11.
Raspberry Robin’s newly added malware variants and alternative infection tactics indicate that its operators offer initial access to infected systems to ransomware groups and their partners. As a result, these ransomware operators and their affiliates can effortlessly establish an evasive foothold in their targets and stage follow-on attacks.
