Date: 2022-09-01

The ultimate objective of Raspberry Robin had been unknown. Microsoft researchers observed millions of Raspberry Robin infections, but no evidence of post-infection exploits had been seen in the wild until July 26, 2022, when Microsoft disclosed that they had uncovered existing Raspberry Robin infections delivering FAKEUPDATES malware (aka SocGholish).

The disclosure by the Microsoft threat researchers revealed that the “… DEV-0206-associated FAKEUPDATES activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior.” This statement indicates a possible relationship between Raspberry Robin and DEV-0243, which the cyber intelligence community tracks as “Evil Corp”.

The relationship between the threat actor behind FAKEUPDATES and Evil Corp is not new. Evil Corp had been leveraging FAKEUPDATES since at least April 2018 as the initial infection vector for the info-stealing Dridex malware, which later resulted in deployment of DOPPELPAYMER ransomware.

The US Treasury sanctioned Evil Corp in 2019, but the group had already begun deploying custom ransomware-as-a-service (RaaS) payloads, rebranding them as WastedLocker, before shifting to the well-known RaaS LockBit ransomware. Using RaaS allows Evil Corp to blend in with other affiliates, which hinders attribution and ultimately helps the group skirt sanctions.