This week, we go deep into the world of the cybercrime underground, and how these markets and the complex relationships typically function.
ICYMI, read on for the following stories from the Dark Web:
- Raspberry Robin USB Worm Linked to Evil Corp.
- Initial Access Brokers Are Now Actively Targeting MSPs
- Dozens of Luca Stealer Variants Rise Up After Author Goes Open Source
Raspberry Robin USB Worm Linked to Evil Corp.
Raspberry Robin, a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target’s network, has been marshalled into service to enable a campaign that appears to track with Evil Corp. tactics.
According to an updated alert from Microsoft on Thursday, existing, dormant Raspberry Robin infections are being used by a known initial access broker (tracked by the tech giant as DEV-0206) to deploy the FakeUpdates malware, which in turn fetches additional code.
At this point, Evil Corp. takes over, according to the analysis. In this stage, FakeUpdates delivers Cobalt Strike and other hallmarks of “pre-ransomware,” before deploying a custom in-house ransomware payload such as WastedLocker, PhoenixLocker, or Macaw.
“Around November 2021, [Evil Corp.] started to deploy the LockBit 2.0 … payload in their intrusions,” according to the post. “The use of a RaaS payload by the Evil Corp. activity group is likely an attempt … to avoid attribution to their group, which could discourage payment due to their sanctioned status.”
DEV-0206 and Evil Corp. have worked together for a while, Microsoft notes, but the initial access was before achieved via malvertising. The connection to Red Raspberry is new and notable, according to the researchers.
“We continue to see Raspberry Robin activity, but we have not been able to associate it with any specific person, company, entity, or country,” says Katie Nickels, director of intelligence at Red Canary, which first discovered the threat in 2021. “Ultimately, it’s too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin.”
Initial Access Brokers Are Now Actively Targeting MSPs
Initial access brokers (IABs) are a key piece of the underground economy; they break into networks, establish backdoors, then rent that access to fellow nefarious types. Researchers at Huntress this week revealed a new twist: IABs actively hawking access to a managed service provider (MSP) as a way to get to their downstream customers.
Huntress CEO Kyle Hanslovan came across an ad on an underground forum offering just such access, boasting that the rental would include an “in” to the networks of at least 50 of the MSP’s customers.
MSPs were, infamously, the target for the Kaseya fiasco, which resulted in more than 5,000 organizations suffering REvil ransomware attacks.
MSPs remain an attractive supply chain target for attackers of all types, as flagged by US federal agencies in May. A warning for MSPs and their customers noted that MSPs in multiple countries (including Australia, Canada, New Zealand and the UK) were likely being actively targeted.
Dozens of Luca Stealer Variants Rise Up After Author Goes Open Source
The infostealing baddie known as Luca Stealer is about to become more prevalent on the cybercrime scene, researchers are warning, thanks to the source code being revealed online.
Researchers at Cyble said this week that the developer of the Rust-coded malware decided to openly post the source code on cybercrime forums and on GitHub on July 3, in hopes of burning a fledgling reputation as a malware coder. It’s an odd move in a world where custom malware can be rented out at a premium.
Less than a month later, there are already more than 25 Luca Stealer samples making the rounds, developed by multiple threat actors. And there will likely be even more, given that the original author continued to update the GitHub code, and has provided helpful tips on how to modify it for crime and profit.
Luca Stealer has a host of concerning capabilities, including the ability to lift data from Chromium-based browsers, exfiltrate files, and steal information from messaging applications and cryptowallets. In current observed campaigns, cybercriminals are especially going after crypto enthusiasts, according to Cyble.