Microsoft this week reported that the FakeUpdates malware, distributed by the access broker it tracks as DEV-0206, has been delivered via existing Raspberry Robin infections.
In a blog post, Microsoft explained that Raspberry Robin is a USB-based worm first discussed publicly by Red Canary. The DEV-0206 FakeUpdates activity on affected systems has since led to follow-on action resembling DEV-0243 pre-ransomware behavior.
This was significant because DEV-0243 has been tracked by the cybersecurity industry as the notorious EvilCorp, which has been behind some of the most dramatic bank fraud schemes and has been tied to Russian espionage efforts.
According to Microsoft, in DEV-0243’s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.
This alleged partnership is particularly concerning given the large number of victims infected with the "Raspberry Robin" worm, said Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows. Hoffman said the Raspberry Robin activity until this point was rather odd because although several devices were infected, providing remote access to attackers, the attackers had not yet exploited the access.
“Typically, with financially motivated attacks, there will be some kind of secondary phase, such as data exfiltration or ransomware,” Hoffman said. “When access remains persistent for long periods of time like this, it’s more indicative of cyber espionage. So to see EvilCorp taking advantage of this access is alarming, given that the group is sanctioned. Although paying a ransom is never encouraged, it’s ultimately a business decision. However, in terms of dealing with an Evil Corp attack, it’s really a lose/lose situation for organizations.”
Mike Parkin, senior technical engineer at Vulcan Cyber, said threat actors have evolved their own ecosystem with criminals, state and state-sponsored actors, and others working together to reach their goals. Parkin said they are following the same business models we use in the legitimate world, adapted slightly to work within the context of a purely criminal enterprise.
“Just as cybersecurity firms focus on specific areas and collaborate with other companies to present a complete solution, like asset managers, vulnerability scanners, and risk management tools working together, threat actors do the same,” Parkin said. “They are professionals — evil professionals — but professionals just the same.”