Security News > 2022 > December > Raspberry Robin Worm Strikes Again, Targeting Telecom and Government Systems

The Raspberry Robin worm has been used in attacks against telecommunications and government office systems across Latin America, Australia, and Europe since at least September 2022.

"The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools," Trend Micro researcher Christopher So said in a technical analysis published Tuesday.

Raspberry Robin, attributed to an activity cluster tracked by Microsoft as DEV-0856, is being increasingly leveraged by multiple threat actors as an initial access mechanism to deliver payloads such as LockBit and Clop ransomware.

Further analysis of Raspberry Robin reveals the use of heavy obfuscation to prevent analysis, with the malware "Composed of two payloads embedded in a payload loader packed six times."

Trend Micro said it found similarities in a privilege escalation and an anti-debugging technique used by Raspberry Robin and LockBit ransomware, hinting at a potential connection between the two criminal actors.

"The group behind Raspberry Robin is the maker of some of the tools LockBit is also using," the company theorized, adding it alternatively "Availed of the services of the affiliate responsible for the techniques used by LockBit."

News URL

https://thehackernews.com/2022/12/raspberry-robin-worm-strikes-again.html