IBM researchers have spotted functional similarities between a malicious element used in the Raspberry Robin infection chain and a Dridex malware loader, further reinforcing the operators' link to the Russia-based Evil Corp group.

Raspberry Robin and Dridex

The Raspberry Robin, aka QNAP Worm, was discovered in September 2021 and has gone undetected ever since due to a noticeable lack of post-exploitation activities in the wild. It is typically introduced via infected removable drives, often USB devices.
  • X-Force performed a comparative analysis of a 32-bit Raspberry Robin downloaded loader and a 64-bit Dridex loader and uncovered a link between them. 
  • The comparative analysis revealed that the two are very similar in functionality and structure.
  • The intermediate loaders decoded the final payload in the same way and used the same anti-analysis codes.

Raspberry Robin and Evil Corp

IBM security MDR observations coupled with IBM Security X-Force malware research highlights the mysterious objectives of Raspberry Robin operators.
  • The first major link between the Raspberry Robin malware and Evil Corp was observed by Microsoft in July. 
  • Microsoft revealed that it observed the FakeUpdates malware being delivered via existing Raspberry Robin infections, with potential connections identified between DEV-0206 and DEV-0243 aka Evil Corp.
  • FakeUpdates malware was delivered via existing Raspberry Robin infections, with potential connections discovered between DEV-0206 and DEV-0243, aka Evil Corp.

Stay safe

To prevent such infections, organizations should monitor USB device connections and disable the AutoRun feature in the Windows operating system settings. IBM Security MDR team tools can also assist in effectively preventing Raspberry Robin from spreading throughout the network.
Cyware Publisher