New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers

Researchers have identified functional similarities between a malicious component used in the Raspberry Robin infection chain and a Dridex malware loader, further strengthening the operators’ links to the Russia-based Evil Corp group.

The findings suggest that “Evil Corp likely used the Raspberry Robin infrastructure to carry out its attacks,” IBM Security X-Force researcher Kevin Henson said in an analysis Thursday.

Raspberry Robin (aka QNAP Worm), first discovered by the cybersecurity company Red Canary in September 2021, remained a mystery for nearly a year, in part because of the apparent absence of post-exploitation activity in the wild.

That changed in July 2022 when Microsoft revealed that it observed the FakeUpdates (aka SocGholish) malware being delivered through existing Raspberry Robin infections, with possible links identified between DEV-0206 and DEV-0243 (aka Evil Corp).

The malware is known to spread from a compromised system to other devices on the target network via infected USB devices containing a malicious .LNK file. These Windows shortcut files are designed to retrieve a malicious DLL from a remote server.

“Raspberry Robin loaders are DLLs that decode and run an intermediate loader,” Henson said. “The intermediate loader performs hook detection as an anti-parse technique, decrypts its strings at runtime, and then decodes a very obfuscated DLL whose purpose is not defined.”

Additionally, IBM Security X-Force’s comparative analysis of a 32-bit Raspberry Robin loader and a 64-bit Dridex loader revealed overlap in functionality and structure, with both components including similar anti-analysis code and decoding payloads in an analogous way.

Dridex (aka Bugat or Cridex) is the handiwork of Evil Corp: a banking Trojan with the ability to steal information, install additional malware such as ransomware, and enlist compromised Windows machines in a botnet.

To mitigate Raspberry Robin infections, organizations are advised to monitor USB device connections and to disable the AutoRun feature in Windows.
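The two recommendations above, as an added PowerShell example that is not part of the article or of IBM's analysis: it audits and sets the well-known NoDriveTypeAutoRun policy value, and enumerates the USB mass-storage devices recorded under USBSTOR so they can be reconciled against issued hardware. It assumes it is run in an elevated session on Windows.

```powershell
# Added example (not from the article): audit/harden AutoRun and list USB storage history.
# Assumes an elevated PowerShell session on Windows.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives = 0xFF   # NoDriveTypeAutoRun bitmask: 0xFF disables AutoRun for every drive type

function Get-AutoRunState {
    # Returns the current NoDriveTypeAutoRun value, or $null when it is unset
    # (an unset value means the Windows default applies and AutoRun is not fully disabled).
    $value = Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $null }
    return $value.NoDriveTypeAutoRun
}

function Disable-AutoRun {
    # Creates the policy key if needed and sets the bitmask so Explorer never auto-runs removable media.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value $AllDrives -Type DWord
}

function Get-UsbStorageHistory {
    # USBSTOR holds one subkey per USB mass-storage device Windows has installed a driver for,
    # with a further subkey per device instance (serial number). This is historical, not live.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root | ForEach-Object {
        $device = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Device       = $device
                SerialNumber = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# Audit first, then apply the hardening only when it is missing or incomplete.
$current = Get-AutoRunState
if ($current -ne $AllDrives) {
    Write-Host "AutoRun not fully disabled (NoDriveTypeAutoRun = $current); setting 0xFF"
    Disable-AutoRun
} else {
    Write-Host 'AutoRun already disabled for all drive types'
}

Write-Host 'USB storage devices previously seen on this host:'
Get-UsbStorageHistory | Format-Table -AutoSize
```

The USBSTOR listing is a point-in-time inventory; for ongoing monitoring of new connections, ship the output (or the equivalent endpoint telemetry) to the SIEM and alert on serial numbers that are not on the approved list.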
