微软将 Raspberry Robin USB 蠕虫与俄罗斯黑客组织联系起来

Microsoft on Friday disclosed a potential connection between the Raspberry Robin USB-based worm and an infamous Russian cybercrime group tracked as Evil Corp.

微软周五披露了基于 Raspberry Robin USB 的蠕虫与一个臭名昭著的俄罗斯网络犯罪组织 Evil Corp 之间存在的潜在联系。

The tech giant said it observed the FakeUpdates (aka SocGholish) malware being delivered via existing Raspberry Robin infections on July 26, 2022.

这家科技巨头表示，它观察到FakeUpdates（又名 SocGholish）恶意软件于 2022 年 7 月 26 日通过现有的 Raspberry Robin 感染传播。

Raspberry Robin, also called QNAP Worm, is known to spread from a compromised system via infected USB devices containing malicious a .LNK files to other devices in the target network.

Raspberry Robin，也称为 QNAP 蠕虫，通过包含恶意 .LNK 文件的受感染 USB 设备从受感染的系统传播到目标网络中的其他设备。

The campaign, which was first spotted by Red Canary in September 2021, has been elusive in that no later-stage activity has been documented nor has there any concrete link tying it to a known threat actor or group.

该活动于 2021 年 9 月由 Red Canary 首次发现，一直难以捉摸，因为没有记录后期活动，也没有任何具体联系将其与已知的攻击者或组织联系起来。

The disclosure, therefore, marks the first evidence of post-exploitation actions carried out by the threat actor upon leveraging the malware to gain initial access to a Windows machine.

因此，该披露标志着攻击者在利用恶意软件获得对 Windows 机器的初始访问权限时执行的利用后行动的第一个证据。

"The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior," Microsoft noted.

“自那以后，受影响系统上与DEV-0206相关的FakeUpdates活动导致了类似于DEV-0243勒索前行为的后续行动，”微软指出。

DEV-0206 is Redmond's moniker for an initial access broker that deploys a malicious JavaScript framework called FakeUpdates by enticing targets into downloading fake browser updates in the form of ZIP archives.

DEV-0206 是 Redmond 对初始访问代理的绰号，该代理通过诱使目标下载 ZIP 存档形式的虚假浏览器更新，来部署名为 FakeUpdates 的恶意 JavaScript 框架。

The malware, at its core, acts as a conduit for other campaigns that make use of this access purchased from DEV-0206 to distribute other payloads, primarily Cobalt Strike loaders attributed to DEV-0243, which is also known as Evil Corp.

该恶意软件的核心是充当其他活动的渠道，这些活动利用从 DEV-0206 购买的访问权限来分发其他有效载荷，主要是归因于 DEV-0243（也称为 Evil Corp）的 Cobalt Strike 加载程序。

Referred to as Gold Drake and Indrik Spider, the financially motivated hacking group has historically operated the Dridex malware and has since switched to deploying a string of ransomware families over the years, including most recently LockBit.

被称为 Gold Drake 和 Indrik Spider，出于经济动机的黑客组织历来运营 Dridex 恶意软件，并且多年来已转向部署一系列勒索软件系列，包括最近的LockBit。

"The use of a RaaS payload by the 'EvilCorp' activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status," Microsoft said.

“EvilCorp”活动组使用RaaS有效载荷可能是DEV-0243试图避免归因于他们的组，这可能会因为他们的受制裁状态而阻碍付款，”微软说。

It's not immediately clear what exact connections Evil Corp, DEV-0206, and DEV-0243 may have with one another.

目前尚不清楚 Evil Corp、DEV-0206 和 DEV-0243 之间可能存在哪些确切联系。

Katie Nickels, director of intelligence at Red Canary, said in a statement shared with The Hacker News that the findings, if proven to be correct, fill a "major gap" with Raspberry Robin's modus operandi.

Red Canary 情报总监 Katie Nickels 在与 The Hacker News 分享的一份声明中表示，如果这些发现被证明是正确的，将填补 Raspberry Robin 的作案手法的“重大空白”。

"We continue to see Raspberry Robin activity, but we have not been able to associate it with any specific person, company, entity, or country," Nickels said.

“我们继续看到 Raspberry Robin 的活动，但我们无法将其与任何特定的个人、公司、实体或国家联系起来，”Nickels 说。

"Ultimately, it's too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin. The Ransomware-as-a-Service (RaaS) ecosystem is a complex one, where different criminal groups partner with one another to achieve a variety of objectives. As a result, it can be difficult to untangle the relationships between malware families and observed activity."

“最终，现在说 Evil Corp 是否对 Raspberry Robin 负责或与之相关还为时过早。勒索软件即服务 (RaaS) 生态系统是一个复杂的生态系统，不同的犯罪集团相互合作以实现各种目标。因此，很难理清恶意软件家族与观察到的活动之间的关系。”

知其雄，守其雌，为天下溪；知其白，守其黑，为天下式，知其荣，守其辱，为天下谷。

——《道德经.第二十八章》

本文翻译自：

https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html

如若转载，请注明原文地址

翻译水平有限 :(

有歧义的地方，请以原文为准 ：）