- Jul 27, 2015
Raspberry Robin, a worm that spreads through Windows systems via USB drives, has rapidly evolved: access to infected machines is now being sold or offered so that cybercriminals can install ransomware, among other code.
In a report on Thursday, Microsoft's Security Threat Intelligence unit said Raspberry Robin is now "part of a complex and interconnected malware ecosystem" with links to other families of malicious code and ties to ransomware infections. At first, Raspberry Robin appeared to be a strange worm that spread from PC to PC with no obvious aim. Now whoever is controlling the malware is seemingly using it to offer access to infected machines so that other miscreants can deploy other software nasties, such as ransomware. "Raspberry Robin's infection chain is a confusing and complicated map of multiple infection points that can lead to many different outcomes, even in scenarios where two hosts are infected simultaneously," the Microsoft researchers wrote.
"There are numerous components involved; differentiating them could be challenging as the attackers behind the threat have gone to extreme lengths to protect the malware at each stage with complex loading mechanisms." According to data collected by Microsoft's Defender for Endpoint tool, almost 3,000 devices in about 1,000 organizations have experienced at least one alert about a malicious payload related to Raspberry Robin in the past 30 days. "Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022, to one of the largest malware distribution platforms currently active," they wrote.