Microsoft reports follow-up attacks on Raspberry Robin victims

Analysts with Microsoft Security Threat Intelligence said victims of the Raspberry Robin malware have been further targeted by threat actors, indicating that the worm's operators have sold access to the compromised systems to other ransomware gangs, reports BleepingComputer. Microsoft analysts said they detected deployments of IcedID, Bumblebee and TrueBot payloads via Raspberry Robin beginning Sept. 19. Then, in October, a threat group being tracked as DEV-0950 was observed using Cobalt Strike on infected systems, followed occasionally by Truebot infections and eventually deployment of the Clop ransomware. Earlier in July, Microsoft analysts also reported Evil Corp pre-ransomware behavior on networks in which Raspberry Robin-infected devices had been uploaded with the FakeUpdates backdoor, with the activity attributed to the access broker tracked as DEV-0206. Red Canary analysts first reported Raspberry Robin in September 2021, and the worm, which spreads through infected USB devices that contain a malicious .LNK file, has now infected systems operated by nearly 1,000 organizations within the last month, according to Microsoft.