ClickCease Hackers target organizations with CIop ransomware

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Hackers use Clop ransomware to target organizations infected with Raspberry Robin worm

Obanla Opeyemi

November 9, 2022 - TuxCare expert team

A hacker group that is identified simply as DEV-0950 is using CIop ransomware to encrypt the network of organizations that were previously infected with the Raspberry Robin worm.

Raspberry Robin is a Windows worm that spreads via a removable USB device. It uses the Windows installer to access QNAP associated domains and download a malicious DLL. The malware then uses TOR exit nodes as a backup C2 infrastructure.

The malware uses cmd.exe to read and execute a file stored on the infected external drive. It leverages msiexec.exe for external network communication to a rogue domain, which is used as C2 to download and install a DLL library file.

Although the malware was used in post compromise activity linked to DEV-0950, data collected by Microsoft Defender for Endpoint show that nearly 3,500 devices in nearly 1,000 organizations have been compromised in the last 30 days with at least one RaspberryRobin payload-related alert.

The attacks carried out by the DEV-0950 led to the use of the Cobalt Strike beacon. In other cases, the attackers delivered Truebot malware between the Raspberry Robin infection and the Cobalt Strike deployment. Investigations further show that experts observed the worm infections using IcedID Bumblebee and TrueBot payloads starting on September 19, 2022, with the last stage of the attack being the deployment of the CIop ransomware.

However, DEV-0950 is not the only threat actor to exploit the vulnerability to launch ransomware attacks on organizations. Researchers observed the spread of FakeUpdates via Raspberry Robin malware. According to Microsoft researchers, another threat actor, identified as DEV-0206, was responsible for using the worm to deploy a downloader on networks controlled by threat actors with Evil Corp TTPs.

The researchers explained that DEV-0206 is an access broker that uses malware advertising campaigns to compromise corporate networks.

“DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages. Given the interconnected nature of the cybercriminal economy, it is possible that the actors behind these Raspberry Robin-related malware campaigns— usually distributed through other means like malicious ads or email- are paying the Raspberry Robin operators for malware installs,” reads the report published by Microsoft.

The sources for this piece include an article in SecurityAffairs.

Summary
Hackers use Clop ransomware to target organizations infected with Raspberry Robin worm
Article Name
Hackers use Clop ransomware to target organizations infected with Raspberry Robin worm
Description
A hacker group that is identified simply as DEV-0950 is using CIop ransomware to encrypt the network of organizations.
Author
Publisher Name
Tuxcare
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Related Articles

How GPT models can be...

According to CyberArk researchers, GPT-based models like ChatGPT can be...

January 30, 2023

Attackers actively exploit Unpatched Control...

Malicious hackers have started exploiting a critical vulnerability CVE-2022-44877 in...

January 27, 2023

Attackers distribute malware via malicious...

Deep Instinct researchers reported that RATs like StrRAT and Ratty...

January 26, 2023

CircleCI partners AWS to identify...

According to CircleCI’s CTO, Rob Zuber, CircleCI is working with...

January 25, 2023

Cisco warns of authentication bypass...

A remote attacker could exploit multiple vulnerabilities in four Cisco...

January 24, 2023

IceID malware infiltrates Active Directory...

In a notable IcedID malware attack, the assailant impacted the...

January 23, 2023