Introducing The Low-Key Access Broker Fueling Russian State Cybercrime.

Russian threat groups, including the military cyber unit responsible for attempted coups, assassinations, and influence operations across Europe, are among the customers of Raspberry Robin, which breaches organizations and sells access to them.

According to a recent study, Raspberry Robin is a threat actor that should be closely monitored. The study shows that the initial access broker (IAB) is quickly moving past its humble beginnings and becoming a powerful threat that can support attacks from the top echelons of the Russian government. In September 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert stating that Russian General Staff Main Intelligence Directorate (GRU) Unit 29155 was using the IAB to carry out a persistent espionage, disinformation, and sabotage campaign against international targets that began in 2020, including the use of WhisperGate malware against Ukrainian organizations dating back to 2022. Following that alert, a new report from Silent Push details the technical particulars of Raspberry Robin's infrastructure.

According to the researchers, Raspberry Robin is employed by a number of Russian threat actors, such as Dridex, SocGholish, and LockBit. Compared to its initial incarnation as a gang that used compromised USB sticks to distribute its worm to victims, this represents a significant advancement.

"From 2019 to 2023, Raspberry Robin infected devices via 'bad USB' attacks, most often with print and copy shops," the research stated. "The infected USB drive contained a Windows shortcut (LNK) file disguised as a folder, and malicious payloads were activated when users clicked on the suspicious file."

In the modern era, the gang has advanced to focusing on sensitive government and corporate targets. "The threat actor group uses highly advanced tactics, including leveraging compromised QNAP NAS boxes, routers, and IoT devices and obfuscating malware through multilayer packing (sometimes using as many as 14 different layers)," said the assessment. "They sell access to other groups, making it challenging to identify their involvement in initial breaches."