By now, the Access-as-a-Service specialization of the cybercrime ecosystem is well understood within the security research community. Threat actors have access to a wide variety of loaders, big and small, established and emerging, to gain initial access to a target network and perform follow-on activities. Multiple vendors have predicted that the loader ecosystem will only continue to increase in popularity in 2023.
For CTI analysts, it can be difficult to stay on top of the increasingly complex infection chains that underpin the most popular threats we face today. This blog will provide analysts a resource to preempt some of the most devastating post-compromise activity by understanding the distribution behaviours of loaders. Along the way, we will use open-source reporting to contextualise the relationships, and sometimes cooperation, at play between the operators of these loaders and their customers.
Explaining the Behaviours
The first example in this series will be the Raspberry Robin infection chain, as recently reported by Microsoft. A worm originally spread via USB devices, Raspberry Robin has evolved to distribute a wide variety of final-stage malware, such as LockBit and Cl0p ransomware. However, there are a few more useful observations to be made.
Raspberry Robin and EvilCorp
Firstly, Microsoft has attributed the development and delivery of Raspberry Robin to EvilCorp (aka Indrik Spider, DEV-0243), which supports earlier findings by IBM X-Force, who noted similarities between the loader and the Dridex malware family. Raspberry Robin also notably delivers the SocGholish loader, which is operated by TA569 (aka UNC2165, DEV-0206) and has been used by EvilCorp as a primary method of initial access into target networks since 2019. SocGholish then delivers an EvilCorp-operated Cobalt Strike beacon that has ultimately led to the deployment of LockBit ransomware. Members of EvilCorp have used LockBit ransomware in the past to evade sanctions, so it makes sense that this final-stage activity was likely performed by such an affiliate.
It is likely that EvilCorp has shifted from Dridex to Raspberry Robin for initial access and malware distribution. By extension, the presence of the Raspberry Robin loader on a network could be viewed as a precursor to EvilCorp follow-on activity, which can include human-operated ransomware.
EvilCorp and Wizard Spider
Raspberry Robin has also been observed loading instances of the notorious BumbleBee and IcedID loaders, which are operated by multiple groups under the Wizard Spider/Conti umbrella. The possibility of a working relationship between members of EvilCorp and Wizard Spider has recently been explored by researchers at eSentire in light of the Cisco breach in August. Whilst the tactics, techniques and procedures (TTPs) of the intrusion were indicative of EvilCorp, the infrastructure used matched that of a known Conti ransomware affiliate. The idea that relationships exist between members of large cybercrime enterprises is certainly not new; however, it is possible that EvilCorp-owned Raspberry Robin loading Wizard Spider malware onto victim networks represents a continuation of an existing relationship between the two groups. For an analyst concerned about ransomware activity linked with Wizard Spider sub-groups, it is important to understand these relationships in the context of precursor activity.
Mapping the Behaviours
To ensure this information is actionable, the relationships between the various malware families and those that operate and use them have been mapped to the STIX 2 standard. Where possible, software and groups have been used from the MITRE ATT&CK STIX data set; in other cases, custom objects have been created, which I intend to modify over time as new intelligence becomes available.
The JSON for Raspberry Robin is available on GitHub here.
The above STIX visualizer can be accessed here.
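As an added example (not the author's GitHub JSON, nor code from this page), the Raspberry Robin relationships described above built as a STIX 2.1 bundle in plain Python, with a walk over its loader edges that answers the question this post is about: what does a Raspberry Robin infection lead to, and which operators sit behind that chain. The object IDs, timestamps and the choice of relationship types (downloads/delivers/uses/authored-by, taken from the STIX 2.1 relationship vocabulary) are assumptions of this example, not values from the author's data set.

```python
import uuid
from collections import deque
from datetime import datetime, timezone

# Constructed example: the Raspberry Robin chain above as STIX 2.1 objects.
# IDs are generated UUIDv4s, not MITRE ATT&CK IDs; timestamps are generation time.
NOW = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def stix(stix_type, **props):  # minimal STIX 2.1 object with the common properties
    return {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
            "created": NOW, "modified": NOW, **props}
def rel(rel_type, src, dst):  # SRO; rel_type from the STIX 2.1 relationship vocabulary
    return stix("relationship", relationship_type=rel_type, source_ref=src["id"], target_ref=dst["id"])
def malware(name, *types):
    return stix("malware", name=name, is_family=True, malware_types=list(types))

rr, socgholish = malware("Raspberry Robin", "worm", "downloader"), malware("SocGholish", "downloader")
bumblebee, icedid = malware("BumbleBee", "downloader"), malware("IcedID", "downloader")
lockbit, cobalt = malware("LockBit", "ransomware"), stix("tool", name="Cobalt Strike")
evilcorp = stix("intrusion-set", name="EvilCorp", aliases=["Indrik Spider", "DEV-0243"])
ta569 = stix("intrusion-set", name="TA569", aliases=["UNC2165", "DEV-0206"])
wizard = stix("intrusion-set", name="Wizard Spider")

BUNDLE = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [
    rr, socgholish, bumblebee, icedid, lockbit, cobalt, evilcorp, ta569, wizard,
    rel("authored-by", rr, evilcorp),                     # Microsoft's attribution
    rel("downloads", rr, socgholish), rel("downloads", rr, bumblebee), rel("downloads", rr, icedid),
    rel("uses", ta569, socgholish), rel("uses", evilcorp, socgholish),
    rel("downloads", socgholish, cobalt), rel("uses", evilcorp, cobalt),
    rel("delivers", cobalt, lockbit),                     # tool -> malware
    rel("uses", wizard, bumblebee), rel("uses", wizard, icedid)]}
PAYLOAD_RELS = {"downloads", "drops", "delivers"}  # loader -> payload edge types

def follow_on(bundle, name):
    """Walk loader edges from `name`; return the payloads reached and the
    intrusion sets that use or authored anything on that path."""
    names = {o["id"]: o["name"] for o in bundle["objects"] if "name" in o}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    seen, queue = set(), deque(i for i, n in names.items() if n == name)
    while queue:                                          # BFS over payload edges
        cur = queue.popleft()
        for r in rels:
            if r["source_ref"] == cur and r["relationship_type"] in PAYLOAD_RELS \
                    and r["target_ref"] not in seen:
                seen.add(r["target_ref"]); queue.append(r["target_ref"])
    chain = seen | {i for i, n in names.items() if n == name}
    actors = {names[r["source_ref"]] for r in rels
              if r["relationship_type"] == "uses" and r["target_ref"] in chain}
    actors |= {names[r["target_ref"]] for r in rels
               if r["relationship_type"] == "authored-by" and r["source_ref"] in chain}
    return {"payloads": sorted(names[i] for i in seen), "actors": sorted(actors)}
```

Calling `follow_on(BUNDLE, "Raspberry Robin")` yields every downstream payload and the three operators behind them, while `follow_on(BUNDLE, "SocGholish")` narrows the chain to the EvilCorp/TA569 branch; `json.dumps(BUNDLE)` gives a bundle any STIX 2.1 visualizer can load.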
Why do I care?
By understanding what follow-on attacks an initial loader infection (like Raspberry Robin) is known to lead to, defenders can prioritize detection and response for malware or threat actors that are of high risk to their organisation.