Microsoft Hyperlinks Raspberry Robin USB Worm to Russian Evil Corp Accountants

Microsoft on Friday revealed a potential hyperlink between the Raspberry Robin USB bug and the Russian cybercrime group being tracked as Evil Corp.

The tech big stated it noticed the FakeUpdates malware (aka SocGholish) being delivered through an current Raspberry Robin an infection on July 26, 2022.

Raspberry Robin, additionally referred to as the QNAP Worm, is thought to unfold from an contaminated system through contaminated USB units containing malicious .LNK information to different units on the goal community.


The marketing campaign, which was first seen by Pink Canary in September 2021, has been sophisticated by the truth that no follow-up actions have been documented and there’s no actual hyperlink linking it to a identified menace actor or group.

The disclosure marks the primary proof of post-exploit actions carried out by a menace actor when utilizing malware to achieve preliminary entry to a Home windows machine.

“FakeUpdates exercise related to DEV-0206 on affected methods has since led to compliance actions much like the preliminary ransomware habits of DEV-0243,” Microsoft famous.

Raspberry Robin USB Worm

DEV-0206 is Redmond’s monier for an early entry agent that makes use of a JavaScript vulnerability referred to as FakeUpdates to trick targets into downloading pretend browser updates.

The malware, in essence, acts as a conduit for different campaigns that use this entry bought from DEV-0206 to distribute different payloads, significantly the Cobalt Strike payloads related to DEV-0243, often known as Evil Corp.

Additionally referred to as Gold Drake and Indrik Spider, the money-driven hacker group has traditionally operated the Dridex malware and has since advanced and deployed a collection of ransomware households through the years, together with the latest LockBit.


“The usage of paid RaaS by the ‘EvilCorp’ operative group is probably going an try by DEV-0243 to keep away from being related to their group, which can terminate funds attributable to their sanctioned standing,” Microsoft stated.

It was not instantly clear what precisely the connections to Evil Corp, DEV-0206, and DEV-0243 might need.

Katie Nickels, director of intelligence at Pink Canary, stated in a press release shared with The Hacker Information that the findings, if confirmed appropriate, fill a “large hole” with the Raspberry Robin modus.

“We proceed to see Raspberry Robin exercise, however we’ve not been in a position to hyperlink it to any particular particular person, firm, establishment or nation,” Nickels stated.

“Finally, it’s too early to say whether or not Evil Corp is accountable for, or related to, Raspberry Robin. The Ransomware-as-a-Service (RaaS) ecosystem is complicated, the place totally different legal teams cooperate with one another to attain varied targets. Consequently, it may be troublesome to disentangle the connection between households with out applications and the actions into account.”

About the author


Leave a Comment