- Microsoft pinpoints the Raspberry Robin worm with links to other malware families and alternate infection methods beyond its original USB drive spread.
- Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022.
- Microsoft observed Raspberry Robin being used in post-compromise activity attributed to another actor, DEV-0950.
Microsoft pinpoints a widespread campaign that targets at least 3,000 devices in almost 1,000 organizations. Microsoft announced that the company has noticed an activity that indicates that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread. Microsoft claims that the infection can cause hands-on-keyboard attacks and human-operated ransomware activity.
Pre-ransomware activity
Microsoft stated that the company is tracking Raspberry Robin-related activity which is a very active operation. According to the Microsoft Defender for Endpoint data, 3,000 devices in almost 1,000 organizations experienced at least one Raspberry Robin payload-related alert last month.
Since Red Canary reported it in May, Raspberry Robin has evolved from being a widely distributed worm with no with observed post-infection actions to one of the largest malware distribution platforms. The Microsoft security team observed the infected with Raspberry Robin being installed with the FakeUpdates malware. It leads to DEV-0243 activity, which is a ransomware-associated activity group that overlaps with actions tracked as EvilCorp by other vendors, that was observed while deploying the LockBit ransomware-as-a-service in November of 2021. Since then, Raspberry Robin has also started deploying IcedID, Bumblebee, and Truebot.
Raspberry Robin attacks involve multi-stage intrusions. For post-compromise activities, it needs access to highly privileged credentials. When it was first discovered, it seemed like it had no purpose, purpose, now it became an enabler for one of the most notorious attack types. Microsoft Defender for Endpoint and Microsoft Defender Antivirus detect Raspberry Robin and follow-on activities described in this blog. Defenders can also apply the following mitigations to reduce the impact of this threat:
- Prevent drives from using autorun and execution code on insertion or mount. This can be done via registry settings or Group Policy.
- Follow the defending against ransomware guidance in Microsoft’s RaaS blog post.
- Enable tamper protection to prevent attacks from stopping or interfering with Microsoft Defender Antivirus.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.