Ongoing Raspberry Robin campaign leverages compromised QNAP devices

Pierluigi Paganini July 09, 2022

Cybereason researchers are warning of a wave of attacks spreading the wormable Windows malware Raspberry Robin.

Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary, the malware propagates through removable USB devices.

The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure.

The malware was first spotted in September 2021, the experts observed Raspberry Robin targeting organizations in the technology and manufacturing industries. Initial access is typically through infected removable drives, often USB devices.

“Raspberry Robin is typically introduced via infected removable drives, often USB devices. The Raspberry Robin worm often appears as a shortcut .lnk file masquerading as a legitimate folder on the infected USB device.” continues the analysis. “Soon after the Raspberry Robin infected drive is connected to the system, the UserAssist registry entry is updated and records execution of a ROT13-ciphered value referencing a .lnk file when deciphered. In the example below, q:\erpbirel.yax deciphers to d:\recovery.lnk.”

raspberry robin

The malware uses cmd.exe to read and execute a file stored on the infected external drive, it leverages msiexec.exe for external network communication to a rogue domain used as C2 to download and install a DLL library file.

Then msiexec.exe launches a legitimate Windows utility, fodhelper.exe, which in turn run rundll32.exe to execute a malicious command. Experts pointed out that processes launched by fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt.

According to the researchers, looking for fodhelper.exe as a parent process it is possible to detect the threat.

Last week, Microsoft confirmed that the threat was discovered on the networks of multiple customers, including organizations in the technology and manufacturing sectors.

Now Cybereason researchers reported multiple infections in Europe, the experts investigated a series of recent infections also associated with the name “LNK Worm.”

The attacks monitored by the researchers are leveraging compromised QNAP (Network Attached Storage or NAS) devices as C2.

Below is the infection chain associated with the ongoing Raspberry Robin campaign observed by Cybereason.

The GSOC team summarizes a Raspberry Robin infection as follows :

  • The Raspberry Robin-related infections start from two files present in the same directory hosted on an external device or shared drive: 
    • a “LNK” file that contains a Windows shell command 
    • another file that acts as a “BAT” file, filled with padding data and two specific commands
  • Raspberry Robin leverages the LOLBin called “msiexec.exe” to download and execute a malicious shared library (DLL) from a compromised NAS device from the vendor “QNAP”.
  • To make it harder to detect, Raspberry Robin:
    • leverages process injections in three legitimate Windows system processes
    • communicates with the rest of Raspberry Robin’s infrastructure through Tor (The Onion Router) Exit nodes 
  • To persist on the infected system, Raspberry Robin uses a registry key to automatically load a malicious module through the Windows binary “rundll32.exe”, at the machine startup.
Raspberry Robin infection chain

The malware maintains persistence on the compromised machine through the Windows Registry, it loads the “rundll32.exe” at the startup.

The campaign monitored by Cybereason dates back to September 2021, at this time the company has yet to attribute it to a specific threat actor and its goal is still a mystery.

Below are the recommendations provided by Cybereason:

  • Block outgoing connections (outside of the organization) to TOR-related addresses, as Raspberry Robin actively communicates with TOR exit nodes.
  • As Raspberry Robin displays persistence mechanisms and establishes many masquerading actions on the infected system, re-image infected devices.
  • Threat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting queries for detecting specific threats – to find out more about threat hunting and Managed Detection and Response with the Cybereason Defense Platform, contact a Cybereason Defender here.
    • For Cybereason customers: More details available on the NEST including custom threat hunting queries for detecting this threat:

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment