Posted on August 3, 2022 at 9:26 AM
Microsoft Links EvilCorp Hackers to Raspberry Robin USB Malware
Microsoft has linked the recent ‘Raspberry Robin’ USB-based worm attacks to the Russian ransomware operator EvilCorp.
Microsoft tracks the access broker involved as DEV-0206 and the EvilCorp ransomware-as-a-service operation, which is sanctioned by the U.S. government, as DEV-0243. The access broker has been observed rigging online ads to trick targets into installing a malware loader that sets up further attacks on their networks.
According to Microsoft's threat intelligence team, behavior matching EvilCorp's tactics was found on networks where the Raspberry Robin worm had already taken hold. Microsoft reported the worm wriggling through corporate networks earlier this week.
Microsoft also found that the actors behind the worm are working closely with other malware operators, apparently to sidestep the sanctions imposed by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC), which make it unlawful for U.S. victims to pay extortion demands to the group.
The Malware Infects Systems Through Hacked USB Devices
Microsoft added that on July 26, 2022 it observed the FakeUpdates (also called SocGholish) malware being delivered through existing Raspberry Robin infections.
The Raspberry Robin worm spreads from an infected system to other machines via compromised USB devices that carry malicious .LNK (Windows shortcut) files; opening the shortcut kicks off the infection chain on the next host.
The malware campaign was initially discovered by Red Canary last September. Since then it has kept a low profile with security software and vendors: the operators have been careful enough that no later-stage activity had been recorded, and researchers had not been able to link the worm to any threat group.
The new disclosure is therefore the first time Raspberry Robin infections have been observed leading to follow-on, hands-on intrusion activity after the worm provides initial access to a Windows machine.
The use of a third-party RaaS payload, rather than EvilCorp's own ransomware, is likely an attempt by DEV-0243 to evade security tooling and avoid having the intrusions attributed to the group. Attribution to EvilCorp would discourage victims from paying, because of the group's sanctioned status.
The Worm Carries Out Several Actions
EvilCorp is alleged to be run by Russian nationals Igor Turashev and Maksim Yakubets, who were indicted by the U.S. Justice Department in 2019.
Once the worm has gained a foothold on a target system, EvilCorp takes over. The group downloads additional payloads, carries out hands-on-keyboard operations, escalates privileges across the corporate network, and ultimately deploys data-encrypting ransomware.
Microsoft's warning comes barely a week after Red Canary described the same Windows worm using compromised QNAP network-attached storage (NAS) devices to serve its next-stage payload to newly infected systems.
More Threat Groups Move From High-Profile Attacks
The Raspberry Robin USB-based worm has also been found spreading across a range of organizations, including those in the manufacturing and technology sectors.
Ransomware attacks have increased in recent times, as more threat groups seek funds by stealing vital data from major organizations. While some of these attackers are criminal groups, others are state actors sponsored by rival countries.
Ransomware recovery company Coveware recently reported that the average ransom payment rose 8% from the previous quarter to about $228,000. The median payment, however, fell to $36,360, a 51% decline from Q1 2022.
Coveware reads this divergence as evidence that RaaS developers and affiliates are shifting toward the mid-market, where the risk-to-reward ratio of an attack is lower-risk and more consistent than in high-profile attacks.
Additionally, more large organizations are now refusing to pay high ransoms rather than giving in to the attackers' threats. According to Coveware, in most cases they stop negotiating altogether when ransomware groups demand extremely high sums.
Coveware guides victim organizations through the negotiation process and helps them recover their data. The company noted that data exfiltration remains very common in ransomware cases.
“The proportion of companies that succumb to data exfiltration extortion continues to confound and frustrate,” Coveware noted.
The firm added that there is ample evidence that threat actors cannot be trusted to destroy stolen data after a ransom is paid. Despite these warnings, victims have continued to pay, keeping the data-exfiltration extortion business booming.