
Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints
2022-10-28 10:18

The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot, and Clop ransomware.

The Microsoft Threat Intelligence Center (MSTIC) is tracking the activity group behind the USB-based Raspberry Robin infections as DEV-0856, adding that it's aware of at least four confirmed entry points that all have the likely end goal of deploying ransomware.

The tech giant's cybersecurity team said that Raspberry Robin has evolved from a widely distributed worm with no observed post-infection actions to one of the largest malware distribution platforms currently active.

"From a Raspberry Robin infection, the DEV-0950 activity led to Cobalt Strike hands-on-keyboard compromises, sometimes with a Truebot infection observed in between the Raspberry Robin and Cobalt Strike stage," the researchers said.

What's more, a cybercriminal actor dubbed DEV-0651 has been linked to the distribution, through the abuse of legitimate cloud services, of another artifact called Fauppod, which exhibits code similarities to Raspberry Robin and also drops the FakeUpdates malware.

To add to the attack puzzle, IBM Security X-Force, early last month, identified functional similarities between a loader component used in the Raspberry Robin infection chain and the Dridex malware.


News URL

https://thehackernews.com/2022/10/raspberry-robin-operators-selling.html