IMAGE: Jason Dent/The Record

Financial institutions in Portugal and Spain targeted by new Raspberry Robin malware

Hackers are using a new version of the Raspberry Robin worm to target Spanish and Portuguese financial and insurance institutions, according to research published by Security Joes on Monday.

This worm acts as a loader for other malware — it infects computers via compromised USB devices and then spreads to other devices on a victim’s network.

The researchers did not say which financial institutions in Spain and Portugal had fallen victim to Raspberry Robin or what damage their networks suffered.

In one case, Raspberry Robin operators used social engineering techniques to trick users into downloading a malicious 7-zip file from their browsers. This file contained a Windows installer designed to drop multiple modules.

In the second case, hackers used a malicious advertisement campaign hosted on a domain with “a bad reputation.” In this case, the malicious archive was stored in a Discord server to avoid detection and contained encoded JavaScript code that, upon execution, dropped a downloader protected with at least five layers of obfuscation.

The new version of the malware is more complex than previous ones, according to Security Joes. It allows its operators “to collect much more data about their victims,” said threat researcher Charles Lomboni.

The malware was also updated with new anti-analysis capabilities. “It seems that developers were busy adding protections to their code to avoid security tools and the curious eyes of malware analysts,” the report found.

Hackers also added an encryption layer, so victim data is no longer available in plain text but is encrypted with the RC4 cipher.

The original malware strain was discovered in September 2021 and spreads via infected USB drives. It has already been used to target organizations in Hungary, Germany, Russia and India – including those with ties to technology and manufacturing – as well as telecom and government services organizations across Latin America, Australia and Europe.

In July this year, Microsoft tied Raspberry Robin to Russian cybercrime syndicate Evil Corp, which was sanctioned by the U.S. Treasury Department in December 2019. Evil Corp is also known for its connections to multiple ransomware groups, including Bitpaymer, DopplePaymer, WastedLocker and Clop.

The Raspberry Robin worm is part of a complex and interconnected malware ecosystem. In October alone, nearly 3,000 devices at almost 1,000 organizations received at least one Raspberry Robin payload-related alert, according to Microsoft.

“While Raspberry Robin seemed to have no purpose when it was first discovered, it has evolved and is heading towards providing a potentially devastating impact on environments where it’s still installed,” according to a Microsoft Security Threat Intelligence report in October.

Researchers claim that Raspberry Robin will likely continue to develop and lead to more malware distribution and cybercriminal activity.

Security Joes urges other cybersecurity teams to update their defense mechanisms with information about the latest version of Raspberry Robin.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.