Red Canary intelligence analysts have discovered a new Windows malware with worm capabilities that spreads using external USB drives.
This malware is linked to a cluster of malicious activity dubbed Raspberry Robin and was first observed in September 2021 (cybersecurity firm Sekoia tracks this malware as “QNAP worm“).
Red Canary’s Detection Engineering team detected the worm in multiple customers’ networks, some in the technology and manufacturing sectors.
Raspberry Robin spreads to new Windows systems when an infected USB drive containing a malicious .LNK file is connected.
Once attached, the worm spawns a new process using cmd.exe to launch a malicious file stored on the infected drive.
Windows legitimate tools abused to install malware
It uses Microsoft Standard Installer (msiexec.exe) to reach out to its command-and-control (C2) servers, likely hosted on compromised QNAP devices and using TOR exit nodes as additional C2 infrastructure.
“While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware,” the researchers said.
“Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.”
While they haven’t yet found if it establishes persistence and through which methods, they suspect that the malware installs a malicious DLL file [1, 2] on compromised machines to resist removal between restarts.
Raspberry Robin launches this DLL with the help of two other legitimate Windows utilities: fodhelper (a trusted binary for managing features in Windows settings) and odbcconf (a tool for configuring ODBC drivers).
The first allows it to bypass User Account Control (UAC), while the second will help execute and configure the DLL.
How and why?
While the Red Canary analysts have been able to closely inspect what the newly discovered does on infected systems, there are still several questions that need to be answered.
“First and foremost, we don’t know how or where Raspberry Robin infects external drives to perpetuate its activity, though it’s likely this occurs offline or otherwise outside of our visibility. We also don’t know why Raspberry Robin installs a malicious DLL,” the researchers said.
“One hypothesis is that it may be an attempt to establish persistence on an infected system, though additional information is required to build confidence in that hypothesis.”
Since there is no info on this malware’s end-stage malicious tasks, another question that needs an answer is what is the Raspberry Robin operators’ goal.
Further technical information on the Raspberry Robin worm, including indicators of compromise (IOCs) and an ATT&CK of this malware, can be found in Red Canary’s report.
Update: Added info on Sekoia tracking it as QNAP worm.