Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers

Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers

Russian Evil Corp Hackers

Microsoft on Friday disclosed a potential connection between the Raspberry Robin USB-based worm and an infamous Russian cybercrime group tracked as Evil Corp.

The tech giant said it observed the FakeUpdates (aka SocGholish) malware being delivered via existing Raspberry Robin infections on July 26, 2022.

Raspberry Robin, also called QNAP Worm, is known to spread from a compromised system via infected USB devices containing malicious a .LNK files to other devices in the target network.

The campaign, which was first spotted by Red Canary in September 2021, has been elusive in that no later-stage activity has been documented nor has there any concrete link tying it to a known threat actor or group.

The disclosure, therefore, marks the first evidence of post-exploitation actions carried out by the threat actor upon leveraging the malware to gain initial access to a Windows machine.

“The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior,” Microsoft noted.

Raspberry Robin USB Worm

DEV-0206 is Redmond’s moniker for an initial access broker that deploys a malicious JavaScript framework called FakeUpdates by enticing targets into downloading fake browser updates in the form of ZIP archives.

The malware, at its core, acts as a conduit for other campaigns that make use of this access purchased from DEV-0206 to distribute other payloads, primarily Cobalt Strike loaders attributed to DEV-0243, which is also known as Evil Corp.

Referred to as Gold Drake and Indrik Spider, the financially motivated hacking group has historically operated the Dridex malware and has since switched to deploying a string of ransomware families over the years, including most recently LockBit.

“The use of a RaaS payload by the ‘EvilCorp’ activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status,” Microsoft said.

It’s not immediately clear what exact connections Evil Corp, DEV-0206, and DEV-0243 may have with one another.

Katie Nickels, director of intelligence at Red Canary, said in a statement shared with The Hacker News that the findings, if proven to be correct, fill a “major gap” with Raspberry Robin’s modus operandi.

“We continue to see Raspberry Robin activity, but we have not been able to associate it with any specific person, company, entity, or country,” Nickels said.

“Ultimately, it’s too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin. The Ransomware-as-a-Service (RaaS) ecosystem is a complex one, where different criminal groups partner with one another to achieve a variety of objectives. As a result, it can be difficult to untangle the relationships between malware families and observed activity.”

Austrian spy firm accused by Microsoft says hacking tool was for EU states

A Microsoft logo is seen at a pop-up site at Roosevelt Field in Garden City, New York July 29, 2015. REUTERS/Shannon Stapleton

Register now for FREE unlimited access to

LONDON, July 29 (Reuters) – An Austrian firm which Microsoft (MSFT.O) said created malicious software that was detected on the computer systems of some of its clients in at least three countries has said its spying tool “Subzero” was for official use in EU states only.

On Wednesday, Microsoft said the firm, DSIRF, had deployed the spying software, or spyware — capable of accessing confidential information such as passwords or logon credentials — at an unspecified number of unidentified banks, law firms and strategic consultancies. read more

“Subzero is a software of the Austrian DSIRF GesmbH, which has been developed exclusively for official use in states of the EU. It is neither offered, sold nor made available for commercial use,” DSIRF said in an emailed statement.

Register now for FREE unlimited access to

“In view of the facts described by Microsoft, DSIRF resolutely rejects the impression that it has misused Subzero software,” it added.

It was not clear which EU member state governments, if any, were using the tool. DSIRF did not respond to requests for further comment.

Austria’s interior ministry told local news agency APA on Friday that it was investigating the Microsoft claims. The ministry did not respond to requests from Reuters for comment.

Spyware tools have come into increased focus in Europe and the United States after Pegasus, spyware developed by Israel’s NSO, was found to have been used by governments to spy on journalists and dissidents.

DSIRF said they had commissioned an independent expert to investigate the issues raised by Microsoft, and had reached out to the U.S. tech giant for “collaboration on the issue”.

Microsoft declined to offer further comment.

In its Thursday blog post, the company said DSIRF had developed four so-called “zero-day exploits”, serious software flaws of great value to both hackers and spies because they work even when software is up to date.

DSIRF listed a handful of previous, commercial, clients as references in an internal presentation promoting Subzero that was published by German news website Netzpolitik last year.

Two of the companies that were named in that presentation, SIGNA Retail and Dentons, told Reuters they had not used the spyware and had not consented to be a reference for the company.

DSIRF did not respond to a request for comment on the matter.

Register now for FREE unlimited access to

Reporting by James Pearson
Additional reporting by Michael Shields in Zurich; Editing by Kirsten Donovan

Our Standards: The Thomson Reuters Trust Principles.

Maldev-For-Dummies – A Workshop About Malware Development

Maldev-For-Dummies – A Workshop About Malware Development

In the age of EDR, red team operators cannot get away with using pre-compiled payloads anymore. As such, malware development is becoming a vital skill for any operator. Getting started with maldev may seem daunting, but is actually very easy. This workshop will show you all you need to get started!

This repository contains the slides and accompanying exercises for the ‘MalDev for Dummies’ workshop that will be facilitated at Hack in Paris 2022 (additional conferences TBA). The exercises will remain available here to be completed at your own pace – the learning process should never be rushed! Issues and pull requests to this repo with questions and/or suggestions are welcomed.

Disclaimer: Malware development is a skill that can -and should- be used for good, to further the field of (offensive) security and keep our defenses sharp. If you ever use this skillset to perform activities that you have no authorization for, you are a bigger dummy than this workshop is intended for and you should skidaddle on out of here.

Workshop Description

With antivirus (AV) and Enterprise Detection and Response (EDR) tooling becoming more mature by the minute, the red team is being forced to stay ahead of the curve. Gone are the times of execute-assembly and dropping unmodified payloads on disk – if you want your engagements to last longer than a week you will have to step up your payload creation and malware development game. Starting out in this field can be daunting however, and finding the right resources is not always easy.

This workshop is aimed at beginners in the space and will guide you through your first steps as a malware developer. It is aimed primarily at offensive practitioners, but defensive practitioners are also very welcome to attend and broaden their skillset.

During the workshop we will go over some theory, after which we will set you up with a lab environment. There will be various exercises that you can complete depending on your current skillset and level of comfort with the subject. However, the aim of the workshop is to learn, and explicitly not to complete all the exercises. You are free to choose your preferred programming language for malware development, but support during the workshop is provided primarily for the C# and Nim programming languages.

During the workshop, we will discuss the key topics required to get started with building your own malware. This includes (but is not limited to):

  • The Windows API
  • Filetypes and execution methods
  • Shellcode execution and injection
  • AV and EDR evasion methods

Getting Started

To get started with malware development, you will need a dev machine so that you are not bothered by any defensive tooling that may run on your host machine. I prefer Windows for development, but Linux or MacOS will do just as fine. Install your IDE of choice (I use VS Code for almost everything except C#, for which I use Visual Studio, and then install the toolchains required for your MalDev language of choice:

  • C#: Visual Studio will give you the option to include the .NET packages you will need to develop C#. If you want to develop without Visual Studio, you can download the .NET Framework separately.
  • Nim lang: Follow the download instructions. Choosenim is a convenient utility that can be used to automate the installation process.
  • Golang (not supported during workshop):Follow the download instructions.
  • Rust (not supported during workshop): Rustup can be used to install Rust along with the required toolchains.

Don’t forget to disable Windows Defender or add the appropriate exclusions, so your hard work doesn’t get quarantined!

Note: Oftentimes, package managers such as apt or software management tools such as Chocolatey can be used to automate the installation and management of dependencies in a convenient and repeatable way. Be conscious however that versions in package managers are often behind on the real thing! Below is an example Chocolatey command to install the mentioned tooling all at once.

 choco install -y nim choosenim go rust vscode visualstudio2019community dotnetfx

Compiling programs

Both C# and Nim are compiled languages, meaning that a compiler is used to translate your source code into binary executables of your chosen format. The process of compilation differs per language.


C# code (.cs files) can either be compiled directly (with the csc utility) or via Visual Studio itself. Most source code in this repo (except the solution to bonus exercise 3) can be compiled as follows.

Note: Make sure you run the below command in a “Visual Studio Developer Command Prompt” so it knows where to find csc, it is recommended to use the “x64 Native Tools Command Prompt” for your version of Visual Studio.

csc filename.exe /unsafe

You can enable compile-time optimizations with the /optimize flag. You can hide the console window by adding /target:winexe as well, or compile as DLL with /target:library (but make sure your code structure is suitable for this).


Nim code (.nim files) is compiled with the nim c command. The source code in this repo can be compiled as follows.

nim c filename.nim

If you want to optimize your build for size and strip debug information (much better for opsec!), you can add the following flags.

nim c -d:release -d:strip --opt:size filename.nim

Optionally you can hide the console window by adding --app:gui as well.



Most Nim programs depend on a library called “Winim” to interface with the Windows API. You can install the library with the Nimble package manager as follows (after installing Nim):

nimble install winim


The workshop slides reference some resources that you can use to get started. Additional resources are listed in the files for every exercise!

Cyber Attacks

  1. Espionage (Leslie)

    1. Technology

      1. Spyware
      2. Malware
      3. Adware
      4. Phishing
      5. Botnet
      6. Logger

        1. Keystroke
        2. Monitor
      7. Wi-fi Tools

        1. Using localized networks
        2. Using Mobile tech
        3. Using tablets
      8. Software

        1. Updates
        2. Customized Scripts
        3. Loaded externally
      9. Hacking
      10. Trojans
    2. Methods

      1. Email

        1. PDF attachments
        2. Meeting Requests with Attachments
        3. DOC attachments
        4. Picture attachments
        5. Software updates
      2. USB/external devices
      3. Employees
      4. Contractors/Consultants
      5. Outsiders with Access
      6. Peer-to-Peer networks
  2. Cyber Terrorism (Joe)

    1. Methods

      1. Sabotage

        1. Internal

          1. Planting a Mole
          2. Disgruntled Employee
        2. External

          1. Activists
          2. Terrorist Groups
          3. State Actors
      2. Website Defacement

        1. Send Message
        2. Publicity
      3. Denial of Service

        1. Deter Communication
        2. Suspend System Activity (permanently or temporarily)
    2. Technology

      1. Wired

        1. Internet

          1. Exploiting Defaults
          2. Faulty IIS (Internet Information Service)
          3. Data Mining
          4. Authorization Bypass
        2. Software

          1. Trojan Horse
          2. Virus
          3. Worm
        3. Hardware
        4. Stealing Password

          1. Dictionary Attacks
          2. Hybrid Attacks
          3. Brute Force Attacks
        5. Email

          1. Man-in-the-Middle
          2. Phishing
          3. DNS hijacking
          4. URL manipulation
      2. Wireless

        1. Eavesdropping
        2. Interference
        3. Packet Sniffing
  3. Cyber Identity Theft (Laura)

    1. Technology

      1. Malware

        1. Trojans
        2. Spyware
        3. Worms
        4. Bots

          1. Botnets
        5. Rootkits
        6. Viruses
      2. Exploit tools and kits

        1. ZeuS
      3. Email harvesters
    2. Precedents

      1. Bluetooth-enabled devices planted at gas pumps to read credit card details
      2. Data breaches at large companies (TJ Maxx, Heartland, …)
      3. Pharmamed.php (email harvesting)
      4. Bluesnarfing, bluebugging, HeloMoto
    3. Methods

      1. Computers

        1. Hacking

          1. War-driving
          2. Eavesdropping
          3. Password-based attacks
          4. Compromised-key attacks
          5. Man-in-the-middle attacks
          6. Sniffers
        2. Physical acquisition

          1. Stealing devices
          2. Acquiring improperly disposed-of device
        3. Phishing

          1. Pharming
        4. Mass rebellion

          1. P2P services
        5. Disclosure by employees

          1. Disgruntled employees
          2. Bribery
          3. Unintentional disclosure
        6. Posing

          1. Scam within a scam
          2. Posing as authority, mass-emailing victims of past identity theft
          3. Spoofing
          4. Pranking
          5. Registering another person for a dating site, for example
      2. Mobile devices

        1. Hacking

          1. War-dialing
          2. Eavesdropping
          3. Password-based attacks
          4. Sniffers
          5. Bluebugging and bluesnarfing
        2. Phishing

          1. Smishing
        3. Disclosure by employees

          1. Disgruntled employees
          2. Bribery
          3. Unintentional disclosure
        4. Physical acquisition

          1. Stealing devices
          2. Acquiring improperly disposed-of device
        5. Direct observation

          1. Looking over the user’s shoulder
          2. Camera/video capabilities on devices
      3. ATM skimming
    4. Predictions (2011)

      1. Exploitation of mobile GPS location information
      2. More attacks on social networking sites
      3. Increase in “mixed threats” (email, Web, social media)