IBM Security X-Force researchers have identified similarities between a malicious component used in the Raspberry Robin infection chain and the loader of the information-stealing Dridex malware, which is linked to the Russia-based Evil Corp group. Given this new data, the researchers believe Raspberry Robin can also be attributed to the same group.
Impact
Raspberry Robin malware was spreading rapidly in May 2022, when DXC was assisting the hunt team in finding indicators. The malware typically arrives on a USB drive carrying a malicious LNK shortcut file and spreads from there to other devices in the target network. However, the number of infections did not correlate with the number of infected USB devices. If the link to the Dridex malware loader is correct, it would explain that discrepancy: Raspberry Robin would also be reaching victims through the loader's distribution rather than only via USB, which accounts for why so many diverse organizations were being infected.
DXC perspective
Effective cyber defense tools can block Raspberry Robin. We recommend security awareness training, disabling the AutoRun feature in the Windows operating system, hunting for indicators of compromise (IoCs), and using endpoint solutions to disable or track USB device connections. Note that disabling AutoRun closes only one path: the LNK lure still executes when a user opens it, so awareness training and controls on what can run from removable drives matter as much as the AutoRun setting itself.
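The following PowerShell script is an added example, not code from DXC or IBM X-Force, showing how an administrator could apply the three technical recommendations above on a single Windows host: disable AutoRun, deny execution from removable disks, list the USB storage devices the host has ever mounted, and hunt removable drives for LNK shortcuts that launch a script host or installer. It assumes Windows 10/11 or Server 2016+, an elevated session, and that the "suspicious launcher" list is a generic heuristic of the author's choosing, not the page's Raspberry Robin IoCs.

```powershell
#Requires -RunAsAdministrator
# Added example (not DXC's or IBM's code): harden a host against USB-borne LNK lures and hunt for them.
# Assumptions: Windows 10/11 or Server 2016+, run as Administrator, local registry policy (no GPO conflict).
# The launcher list in Find-SuspiciousLnk is a generic heuristic, not the page's Raspberry Robin IoCs.

$ExplorerPolicy     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RemovablePolicy    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" class used by the storage policy

function Disable-AutoRun {
    # NoDriveTypeAutoRun=0xFF disables AutoRun/AutoPlay for every drive type;
    # NoAutorun=1 makes Windows ignore autorun.inf entirely.
    New-Item -Path $ExplorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $ExplorerPolicy -Name NoAutorun          -Value 1    -Type DWord
}

function Block-RemovableDiskExecute {
    # Same values the "Removable Disks: Deny execute access" policy writes; -DenyAll blocks all removable storage.
    param([switch]$DenyAll)
    $classKey = Join-Path $RemovablePolicy $RemovableDiskClass
    New-Item -Path $classKey -Force | Out-Null
    if ($DenyAll) { Set-ItemProperty -Path $RemovablePolicy -Name Deny_All     -Value 1 -Type DWord }
    else          { Set-ItemProperty -Path $classKey        -Name Deny_Execute -Value 1 -Type DWord }
}

function Get-UsbStorageHistory {
    # USBSTOR keeps one subkey per device ever mounted; the instance key holds the device serial.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue |
        Get-ChildItem | ForEach-Object {
            [pscustomobject]@{
                Device       = $_.PSParentPath.Split('\')[-1]
                Serial       = $_.PSChildName
                FriendlyName = (Get-ItemProperty -Path $_.PSPath).FriendlyName
            }
        }
}

function Find-SuspiciousLnk {
    # Default: every currently mounted removable drive (DriveType 2). Flags shortcuts whose target is a
    # script host or installer, or whose arguments contain a URL or UNC path (generic lure heuristics).
    param([string[]]$Roots = (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object DeviceID))
    $launchers = 'cmd.exe','msiexec.exe','powershell.exe','wscript.exe','cscript.exe','rundll32.exe','mshta.exe'
    $shell = New-Object -ComObject WScript.Shell
    foreach ($root in $Roots) {
        Get-ChildItem -Path "$root\" -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = [IO.Path]::GetFileName($lnk.TargetPath).ToLowerInvariant()
            if ($launchers -contains $target -or $lnk.Arguments -match '(?i)\b(https?|ftp)://|\\\\') {
                [pscustomobject]@{ Path = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
            }
        }
    }
}

# Apply the hardening, then report: device history first, then any LNK lures on mounted removable drives.
Disable-AutoRun
Block-RemovableDiskExecute
Get-UsbStorageHistory | Format-Table -AutoSize
Find-SuspiciousLnk    | Format-Table -AutoSize
```

The execute-deny policy stops the LNK's target from running off the USB drive itself, but a lure that points at a system binary (msiexec.exe, cmd.exe) still runs from C:\Windows, which is why Find-SuspiciousLnk keys on the target and arguments rather than on where the shortcut lives. Run Get-UsbStorageHistory against hosts that reported infections to correlate device serials across the fleet.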