Security News > 2022 > July > Microsoft links Raspberry Robin malware to Evil Corp attacks
Microsoft has discovered that an access broker it tracks as DEV-0206 uses the Raspberry Robin Windows worm to deploy a malware downloader on networks where it also found evidence of malicious activity matching Evil Corp tactics.
"On July 26, 2022, Microsoft researchers discovered the FakeUpdates malware being delivered via existing Raspberry Robin infections," Microsoft revealed Thursday.
Evil Corp, the cybercrime group that seems to take advantage of Raspberry Robin's access to enterprise networks, has been active since 2007 and is known for pushing the Dridex malware and for switching to deploying ransomware.
From March 2021, Evil Corp moved to other strains known as Hades ransomware, Macaw Locker, and Phoenix CryptoLocker, finally being observed by Mandiant deploying ransomware as a LockBit affiliate since mid-2022.
After being sanctioned by the U.S. government in 2019, ransomware negotiation firms refused to facilitate ransom payments for organizations hit by Evil Corp ransomware attacks to avoid facing legal action or fines from the U.S. Treasury Department.
Assuming a RaaS affiliate role would also likely allow its operators to expand the gang's ransomware deployment operations and its malware developers with enough free time and resources to develop new ransomware, which is harder to link to Evil Corp's previous operations.
News URL
Related news
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- New Latrodectus malware attacks use Microsoft, Cloudflare themes (source)
- Microsoft fixes Windows zero-day exploited in QakBot malware attacks (source)
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack (source)
- The Biggest Takeaways from Recent Malware Attacks (source)
- Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks (source)
- Week in review: Palo Alto Networks firewalls under attack, Microsoft patches two exploited zero-days (source)
- TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks (source)
- GitHub comments abused to push malware via Microsoft repo URLs (source)
- CoralRaider attacks use CDN cache to push info-stealer malware (source)