IOTW: Microsoft links Raspberry Robin malware to hacking group EvilCorp

The USB-based worm has been linked to malvertising activity by Russian hacking group EvilCorp


Microsoft has linked a USB-based worm malware, referred to as Raspberry Robin, to attacks executed by Russian hacking group EvilCorp.

Microsoft explained in a recent report that on July 26, 2022, its researchers discovered “FakeUpdates malware being delivered via existing Raspberry Robin infections”. The FakeUpdates malware associated with DEV-0206 is a malvertising access broker that poses as a software or browser update and tricks victims into clicking on it. The lure then gives the attackers access to networks via a JavaScript file stored inside a Zip archive, which downloads when the fake update is clicked. Because JavaScript files typically execute when double-clicked, the script runs on the victim’s computer.
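The delivery shape described above (a Zip whose payload is a script that runs on double-click) is something a mail or download gateway can screen for. The following is an added example, not code from the CS Hub article or Microsoft's report; the sample archive is constructed in memory and the lure-word list is an assumed heuristic.

```python
"""Flag archives matching the FakeUpdates pattern: a Zip carrying a script file
that Windows runs through the script host when the user double-clicks it."""
import io
import zipfile

# Extensions Windows executes via the script host on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Assumed heuristic: names a fake "update" lure tends to use.
LURE_WORDS = ("update", "upgrade", "chrome", "firefox", "edge")


def script_members(zip_bytes: bytes) -> list:
    """Return member names whose final extension is a scripting one.
    Double extensions such as 'Invoice.pdf.js' are caught because only the
    last extension decides what the shell launches."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if ext in SCRIPT_EXTS:
                found.append(info.filename)
    return found


def looks_like_fake_update(zip_bytes: bytes) -> bool:
    """A lone script file, or a script named like a browser/software update,
    is the shape of a FakeUpdates lure: quarantine rather than deliver."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = [i.filename for i in zf.infolist() if not i.is_dir()]
    scripts = script_members(zip_bytes)
    if not scripts:
        return False
    if len(files) == 1:
        return True
    return any(w in s.lower() for s in scripts for w in LURE_WORDS)


def build_sample(name: str) -> bytes:
    """Constructed test archive with a harmless placeholder body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"// constructed placeholder, not a real payload\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(looks_like_fake_update(build_sample("Chrome_Update.js")))  # True
```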

The DEV-0206 activity was tracked by Microsoft, which revealed that the “activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior.” This DEV-0243 behavior is linked to activity perpetrated by hacking group EvilCorp.

What is EvilCorp?

EvilCorp is a hacking group notorious for developing and releasing Dridex malware, which can infect computers and harvest login details for banks and other financial institutions. In a press release from 2019, the US Department of the Treasury said that this malware had been used in more than 40 countries to steal more than US$100m.

What is Raspberry Robin?

Raspberry Robin was originally discovered by cyber security company Red Canary in September 2021 after noticing and tracking a cluster of activity caused by the worm.

Raspberry Robin is installed on computers via a compromised USB drive, which introduces the worm to the computer’s system. The worm then reads and executes a malicious file stored on the USB drive, which, if successful, downloads, installs and executes a malicious dynamic-link library file (.dll). Finally, the worm repeatedly attempts to make outbound connections, typically to The Onion Router (Tor) nodes. Tor nodes conceal a user’s location from the connection destination.
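The three stages just described (execution from a removable drive, a dropped DLL, then outbound Tor connections) are individually noisy but together make a usable correlation rule. The following is an added example, not code from the article, Red Canary or Microsoft; the telemetry records, field names, removable drive letters and the Tor relay list are all constructed stand-ins.

```python
"""Correlate the Raspberry Robin stages described above on a single host."""
from collections import defaultdict

# Constructed stand-in for a Tor relay list; real lists come from the Tor consensus.
KNOWN_TOR_RELAYS = {"198.51.100.7", "203.0.113.44"}   # TEST-NET addresses
REMOVABLE_PREFIXES = ("E:\\", "F:\\")                 # assumed removable drive letters

# Constructed sample telemetry: (timestamp_seconds, host, event_type, detail)
EVENTS = [
    (100, "ws01", "process_start", "E:\\setup.exe"),
    (105, "ws01", "dll_load", "C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll"),
    (110, "ws01", "net_connect", "198.51.100.7:9001"),
    (111, "ws01", "net_connect", "203.0.113.44:9001"),
    (200, "ws02", "net_connect", "198.51.100.7:9001"),   # Tor alone, no USB stage
    (300, "ws03", "process_start", "E:\\photo.exe"),      # USB stage alone
]


def stage(event: str, detail: str):
    """Map one telemetry record to a chain stage, or None if irrelevant."""
    if event == "process_start" and detail.upper().startswith(REMOVABLE_PREFIXES):
        return "usb_exec"
    if event == "dll_load" and "\\appdata\\" in detail.lower():
        return "dll_drop"
    if event == "net_connect" and detail.rsplit(":", 1)[0] in KNOWN_TOR_RELAYS:
        return "tor_out"
    return None


def has_chain(stages) -> bool:
    """True when usb_exec, dll_drop and tor_out appear in that order."""
    want, i = ["usb_exec", "dll_drop", "tor_out"], 0
    for s in stages:
        if s == want[i]:
            i += 1
            if i == len(want):
                return True
    return False


def correlate(events, window: int = 600) -> dict:
    """Return {host: ordered stages} for hosts showing the full chain within
    `window` seconds of the first removable-drive execution."""
    per_host = defaultdict(list)
    for ts, host, ev, detail in events:
        s = stage(ev, detail)
        if s:
            per_host[host].append((ts, s))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        starts = [t for t, s in hits if s == "usb_exec"]
        if starts:
            seq = [s for t, s in hits if starts[0] <= t <= starts[0] + window]
            if has_chain(seq):
                alerts[host] = seq
    return alerts
```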

Red Canary reported that it had seen Raspberry Robin activity in organizations linked to the manufacturing and technology sectors, although the company noted that it was unclear whether there was any connection between the companies affected by the malware.

Discussing the purpose of the Raspberry Robin worm when it was first discovered, Red Canary admitted that it was unsure “how or where Raspberry Robin infects external drives to perpetuate its activity”, though the company suggested that this “occurs offline or otherwise outside of our visibility”.

The organization also said that its “biggest question concerns the operators’ objectives”. This uncertainty is due to a lack of information on later-stage activity, meaning Red Canary is unable to “make inferences on the goal or goals of these campaigns”. The company did say, however, that it hoped the information uncovered on Raspberry Robin would help wider efforts to detect and track Raspberry Robin activity.
