
Raspberry Robin USB worm hits nearly 1,000 orgs in one month: Microsoft


Microsoft has warned that Raspberry Robin, a relatively new USB drive worm, has compromised at least 3,000 devices in almost 1,000 organisations in the past 30 days. First reported in September 2021 by Red Canary intelligence analysts, Raspberry Robin spreads through infected USB drives that carry a malicious .LNK (Windows shortcut) file; the infection starts when a user opens that shortcut on a new machine.
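The shortcut file is the one artefact a defender can pull off a suspect USB stick and inspect before anything runs. The following is an added example (not code from the original article or from Microsoft) that parses the documented MS-SHLLINK header and StringData section of a .LNK file and flags shortcuts whose target is a command interpreter or script host, which is what a lure shortcut on removable media looks like. It assumes the target is stored as a relative path plus arguments (resolving the binary IDList or LinkInfo structures is deliberately omitted); the two sample shortcuts at the bottom are constructed for illustration and are not real Raspberry Robin samples, and the interpreter list and the 200-character threshold are the author's own choices.

```python
"""Triage of Windows shortcut (.LNK) files found on removable media (added example).

Parses the MS-SHLLINK header and StringData section (no IDList/LinkInfo resolution)
and flags shortcuts that launch an interpreter or script host.
"""
import os
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags, MS-SHLLINK section 2.1.1 (only the low byte is needed here).
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields appear in this fixed order whenever their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Interpreters and script hosts a shortcut on a USB stick has no business launching
# (assumed list; extend to taste).
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe",
}
INTERPRETER_RE = re.compile(r"\b(?:%s)\b" % "|".join(sorted(n.rsplit(".", 1)[0] for n in INTERPRETERS)))


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a shell link; ValueError if malformed."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a shell link header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes the size field itself
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size
    fields = {"flags": flags}
    width = 2 if flags & IS_UNICODE else 1       # UTF-16LE code units or ANSI bytes
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name} string")
        pos += count * width
        fields[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", errors="replace")
    return fields


def triage(fields: dict) -> list:
    """Return reasons a parsed shortcut looks like a lure; an empty list means nothing tripped."""
    reasons = []
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments", "")
    if target in INTERPRETERS:
        reasons.append(f"target is a command interpreter or script host: {target}")
    if INTERPRETER_RE.search(args.lower()):
        reasons.append("arguments hand off to another interpreter")
    if len(args) > 200:
        reasons.append(f"unusually long command line ({len(args)} chars)")
    return reasons


def scan_removable_root(root: str) -> list:
    """Walk a mounted drive and return (path, reasons) for every shortcut that trips triage."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    reasons = triage(parse_lnk(fh.read()))
            except (OSError, ValueError, struct.error) as exc:
                reasons = [f"unparseable shortcut: {exc}"]
            if reasons:
                hits.append((path, reasons))
    return hits


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal Unicode shell link (constructed test input, not a real worm sample)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL=1), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments) if s)
    return header + body + b"\x00\x00\x00\x00"  # empty ExtraData terminal block


# Constructed samples: a lure that launches cmd.exe with a script host, and a benign shortcut.
LURE = build_lnk(r"..\..\Windows\System32\cmd.exe", r"/c cscript //e:vbscript //nologo update.dat")
BENIGN = build_lnk(r"..\..\Windows\System32\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(parse_lnk(blob)))
```

Run it against a mounted stick with `scan_removable_root("E:\\")` (or the mount point on Linux, where a quarantined drive can be inspected without the shell resolving anything). A shortcut whose target is an interpreter and whose arguments name a second interpreter or a data file on the same drive deserves a look before the drive goes anywhere near a domain-joined workstation.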

In July 2022, Microsoft security researchers observed devices already infected with Raspberry Robin receiving the FakeUpdates malware, a loader that lures victims with fake browser-update prompts, which in turn led to DEV-0243 activity. DEV-0243 is a ransomware-associated activity group that overlaps with what other vendors track as EvilCorp; it was first observed deploying the LockBit ransomware-as-a-service (RaaS) payload in November 2021. Since then, Microsoft's investigations have also seen Raspberry Robin infections deliver IcedID, Bumblebee, and Truebot.

In October 2022, Microsoft observed Raspberry Robin being used in post-compromise activity attributed to another actor, DEV-0950 (which overlaps with groups tracked publicly as FIN11/TA505). From a Raspberry Robin infection, the DEV-0950 activity led to hands-on-keyboard compromises with Cobalt Strike, sometimes with a Truebot infection between the Raspberry Robin and Cobalt Strike stages, Microsoft said in a security blog published on October 27.


The activity culminated in deployments of Clop ransomware, the file-encrypting payload long associated with FIN11/TA505 operations against Windows environments.

DEV-0950 has traditionally relied on phishing for initial access, so this shift to piggybacking on existing Raspberry Robin infections lets it deliver payloads to machines that are already compromised and move its campaigns to the ransomware stage more quickly.

Given the interconnected nature of the cybercriminal economy, it is possible that the actors behind these Raspberry Robin-related malware campaigns, which are usually distributed through other means such as malicious ads or email, are paying the Raspberry Robin operators for malware installs, Microsoft noted in a September update.


Raspberry Robin attacks are multi-stage intrusions, and the post-compromise activity needs access to highly privileged credentials before it can cause widespread impact, Microsoft said.

Microsoft recommended that organisations defend their networks against this threat with the security tooling built into Windows, such as Microsoft Defender Antivirus and endpoint protection, which can detect Raspberry Robin and its follow-on activity, and by applying best practices for credential hygiene, network segmentation, and attack surface reduction (for example, blocking untrusted and unsigned processes that run from USB).
