Raspberry Robin: A destructive malware dropper is on the rise

Raspberry Robin is a worm-like malware dropper that sells initial access to compromised networks to ransomware gangs and malware operators. It has been previously associated with FIN11 and the Clop gang, as well as Bumblebee, IcedID, and TrueBot payload distribution.

First discovered in September 2021, Raspberry Robin is recognized as a component of a sophisticated network of related malware that is currently spreading like wildfire. It started out as a loader for other malware, specifically DEV-0950 (spreading Cl0p ransomware), even though it wasn’t seen with any post-infection exploits until recently. Since September 2022, it has expanded to roughly 3,000 systems that are a part of almost 1,000 businesses.

The most common attack technique used to deploy Raspberry Robin is for hackers to trick victims into installing a ZIP file by placing an advertisement over a malicious web page. It spreads easily through infected portable discs, usually USB devices. The malware has recently been trying its hand at some trickery by dropping a fake payload to confuse researchers and evade detection when it detects it’s being run within sandboxes and debugging tools.

Most of these infections have been detected in Argentina, followed by Australia, Mexico, Croatia, Italy, Brazil, France, India, and Colombia. Industries such as telecommunications service providers, government systems, and the financial and insurance sectors are the most targeted by Raspberry Robin operators.

SISA’s Latest
close slider