Microsoft discloses that the USB-based Raspberry Robin worm may be connected to pro-Russian hacker group Evil Corp
Raspberry Robin, also known as the QNAP Worm, has been observed spreading from compromised systems to targeted devices on enterprise networks via infected USB devices containing malicious .LNK files. Red Canary, the cybersecurity management firm, linked the Raspberry Robin campaign to a known threat actor. They observed the disclosure marks on the compromised Windows devices, which were exploited to introduce malware into the internal system.
According to Microsoft, “The use of a RaaS payload by the ‘EvilCorp’ activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status.”
However, Microsoft did not clearly state what specific connection Raspberry Robin has with Evil Corp and DEV-0206, but Cobalt Strike loaders have previously been attributed to DEV-0243, which was operated by Evil Corp.
Red Canary’s director of intelligence said, “We continue to see Raspberry Robin activity, but we have not been able to associate it with any specific person, company, entity, or country… Ultimately, it’s too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin. The Ransomware-as-a-Service (RaaS) ecosystem is a complex one, where different criminal groups partner with one another to achieve a variety of objectives. As a result, it can be difficult to untangle the relationships between malware families and observed activity.”