Hackers use Clop ransomware to target organizations infected with Raspberry Robin worm
A hacker group identified simply as DEV-0950 is using Clop ransomware to encrypt the networks of organizations that were previously infected with the Raspberry Robin worm.
Raspberry Robin is a Windows worm that spreads via removable USB devices. It uses the Windows installer to reach QNAP-associated domains and download a malicious DLL. The malware then uses TOR exit nodes as a backup C2 infrastructure.
The malware uses cmd.exe to read and execute a file stored on the infected external drive. It leverages msiexec.exe for external network communication to a rogue domain, which is used as C2 to download and install a DLL library file.
Although the malware was used in post-compromise activity linked to DEV-0950, data collected by Microsoft Defender for Endpoint show that nearly 3,500 devices in nearly 1,000 organizations have been compromised in the last 30 days with at least one Raspberry Robin payload-related alert.
The attacks carried out by DEV-0950 led to the deployment of the Cobalt Strike beacon. In other cases, the attackers delivered Truebot malware between the Raspberry Robin infection and the Cobalt Strike deployment. Investigations further show that experts observed the worm infections delivering IcedID, Bumblebee, and TrueBot payloads starting on September 19, 2022, with the last stage of the attack being the deployment of the Clop ransomware.
However, DEV-0950 is not the only threat actor to exploit Raspberry Robin infections to launch ransomware attacks on organizations. Researchers observed the spread of FakeUpdates via Raspberry Robin malware. According to Microsoft researchers, another threat actor, identified as DEV-0206, was responsible for using the worm to deploy a downloader on networks controlled by threat actors with Evil Corp TTPs.
The researchers explained that DEV-0206 is an access broker that uses malware advertising campaigns to compromise corporate networks.
“DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages. Given the interconnected nature of the cybercriminal economy, it is possible that the actors behind these Raspberry Robin-related malware campaigns, usually distributed through other means like malicious ads or email, are paying the Raspberry Robin operators for malware installs,” reads the report published by Microsoft.
The sources for this piece include an article in SecurityAffairs.