ICYMI: Dark Web Happenings Edition With Evil Corp., MSP Targeting & More

Dark Reading's digest of other "don't-miss" stories of the week — including a Microsoft alert connecting disparate cybercrime activity together, and an explosion of Luca Stealer variants after an unusual Dark Web move.

Source: Ron Bennett via Alamy Stock Photo

Being a cybersecurity-focused news team is a busy business, and we can't always bring you all the news that's fit to print in a given week. That's why we've developed our weekly digest that rounds up all of the things that we couldn't get to, in case you missed it (ICYMI).

This week, we go deep into the world of the cybercrime underground, and how these markets and the complex relationships typically function.

ICYMI, read on for the following stories from the Dark Web:

  • Raspberry Robin USB Worm Linked to Evil Corp.

  • Initial Access Brokers Are Now Actively Targeting MSPs

  • Dozens of Luca Stealer Variants Rise Up After Author Goes Open Source

Raspberry Robin USB Worm Linked to Evil Corp.

Raspberry Robin, a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target's network, has been marshalled into service to enable a campaign that appears to track with Evil Corp. tactics.

According to an updated alert from Microsoft on Thursday, existing, dormant Raspberry Robin infections are being used by a known initial access broker (tracked by the tech giant as DEV-0206) to deploy the FakeUpdates malware, which in turn fetches additional code.

At this point, Evil Corp. takes over, according to the analysis. In this stage, FakeUpdates delivers Cobalt Strike and other hallmarks of "pre-ransomware," before deploying a custom in-house ransomware payload such as WastedLocker, PhoenixLocker, or Macaw.

"Around November 2021, [Evil Corp.] started to deploy the LockBit 2.0 … payload in their intrusions," according to the post. "The use of a RaaS payload by the Evil Corp. activity group is likely an attempt … to avoid attribution to their group, which could discourage payment due to their sanctioned status."

DEV-0206 and Evil Corp. have worked together for a while, Microsoft notes, but the initial access was before achieved via malvertising. The connection to Red Raspberry is new and notable, according to the researchers.

"We continue to see Raspberry Robin activity, but we have not been able to associate it with any specific person, company, entity, or country," says Katie Nickels, director of intelligence at Red Canary, which first discovered the threat in 2021. "Ultimately, it’s too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin."

Initial Access Brokers Are Now Actively Targeting MSPs

Initial access brokers (IABs) are a key piece of the underground economy; they break into networks, establish backdoors, then rent that access to fellow nefarious types. Researchers at Huntress this week revealed a new twist: IABs actively hawking access to a managed service provider (MSP) as a way to get to their downstream customers.

Huntress CEO Kyle Hanslovan came across an ad on an underground forum offering just such access, boasting that the rental would include an "in" to the networks of at least 50 of the MSP's customers.

MSPs were, infamously, the target for the Kaseya fiasco, which resulted in more than 5,000 organizations suffering REvil ransomware attacks.

MSPs remain an attractive supply chain target for attackers of all types, as flagged by US federal agencies in May. A warning for MSPs and their customers noted that MSPs in multiple countries (including Australia, Canada, New Zealand and the UK) were likely being actively targeted.

Dozens of Luca Stealer Variants Rise Up After Author Goes Open Source

The infostealing baddie known as Luca Stealer is about to become more prevalent on the cybercrime scene, researchers are warning, thanks to the source code being revealed online.

Researchers at Cyble said this week that the developer of the Rust-coded malware decided to openly post the source code on cybercrime forums and on GitHub on July 3, in hopes of burnishing a fledgling reputation as a malware coder. It's an odd move in a world where custom malware can be rented out at a premium.

Less than a month later, there are already more than 25 Luca Stealer samples making the rounds, developed by multiple threat actors. And there will likely be even more, given that the original author continued to update the GitHub code, and has provided helpful tips on how to modify it for crime and profit.

Luca Stealer has a host of concerning capabilities, including the ability to lift data from Chromium-based browsers, exfiltrate files, and steal information from messaging applications and cryptowallets. In current observed campaigns, cybercriminals are especially going after crypto enthusiasts, according to Cyble.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights