Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary, the malware propagates through removable USB devices.
The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure.
The malware was first spotted in September 2021, the experts observed Raspberry Robin targeting organizations in the technology and manufacturing industries. Initial access is typically through infected removable drives, often USB devices.
“Raspberry Robin is typically introduced via infected removable drives, often USB devices. The Raspberry Robin worm often appears as a shortcut .lnk file masquerading as a legitimate folder on the infected USB device.” continues the analysis. “Soon after the Raspberry Robin infected drive is connected to the system, the UserAssist registry entry is updated and records execution of a ROT13-ciphered value referencing a .lnk file when deciphered. In the example below, q:\erpbirel.yax deciphers to d:\recovery.lnk.”
The malware uses cmd.exe to read and execute a file stored on the infected external drive, it leverages msiexec.exe for external network communication to a rogue domain used as C2 to download and install a DLL library file.
Then msiexec.exe launches a legitimate Windows utility, fodhelper.exe, which in turn run rundll32.exe to execute a malicious command. Experts pointed out that processes launched by fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt.
According to the researchers, looking for fodhelper.exe as a parent process it is possible to detect the threat.
Last week, Microsoft confirmed that the threat was discovered on the networks of multiple customers, including organizations in the technology and manufacturing sectors.
Now Cybereason researchers reported multiple infections in Europe, the experts investigated a series of recent infections also associated with the name “LNK Worm.”
The attacks monitored by the researchers are leveraging compromised QNAP (Network Attached Storage or NAS) devices as C2.
Below is the infection chain associated with the ongoing Raspberry Robin campaign observed by Cybereason.
The GSOC team summarizes a Raspberry Robin infection as follows :
The malware maintains persistence on the compromised machine through the Windows Registry, it loads the “rundll32.exe” at the startup.
The campaign monitored by Cybereason dates back to September 2021, at this time the company has yet to attribute it to a specific threat actor and its goal is still a mystery.
Below are the recommendations provided by Cybereason:
(SecurityAffairs – hacking, malware)