Security
Headlines
HeadlinesLatestCVEs

Headline

USB-based Wormable Raspberry Robin Malware Targeting Windows Installer

By Deeba Ahmed The malware Raspberry Robin is distributed via external drives and uses Microsoft Standard installer to execute malicious commands.… This is a post from HackRead.com Read the original post: USB-based Wormable Raspberry Robin Malware Targeting Windows Installer

HackRead
#web#android#mac#windows#microsoft#git#intel

The malware Raspberry Robin is distributed via external drives and uses Microsoft Standard installer to execute malicious commands.

Red Canary’s Detection Engineering team has discovered a new worm-like Windows malware being distributed via removable USB drives. The malware was detected in several customer networks, mainly in the manufacturing and technology sectors.

About Raspberry Robin

Red Canary intelligence analysts attributed the malware to the Raspberry Robin cluster, noting that the worm leverages “Windows Installer” to access QNAP-linked domains and download a malicious DLL.

Raspberry Robin’s activity was first documented in September 2021. The operator’s objective is unclear, and researchers are also clueless about when and how the external drives get infected. They suspect that this infection occurs offline.

Attack Chain Details

Raspberry Robin’s attack chain starts with connecting an infected external/USB drive to a Windows device. Researchers noted that adversaries use msiexec.exe to deliver malware while “Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.

Lauren Podber and Stef Rand
Red Canary

The external drive is equipped with the worm payload that appears as a .LNK shortcut file in a legit folder. The worm creates a new process using cmd.exe to read/execute the malicious file on the USB drive.

According to Red Canary’s blog post, once this is done, the worm launches explorer.exe and msiexec.exe. The latter is used to establish network communication with a rogue domain and for downloading/installing the DLL library file.

Raspberry Robin event outline (Red Canary)

This DLL file is loaded and executed using legitimate Windows utilities like rundll32.exe, fodhelper.exe, and odbcconf.exe to bypass the UAC (User Account Control). Researchers also detected an outbound C2 contact involving regsvr32.exe, dllhost.exe, and rundll32.exe processes to IP addresses linked with Tor nodes.

Regarding why the worm installs a malicious DLL, the researchers were unclear. They hypothesized that it could be done to maintain persistence on the infected machine.

More Windows Malware News

  1. Beware of Fake Windows 11 Update Delivering Malware
  2. LodaRAT Windows malware now hunting Android devices
  3. New malware tool can steal files from air-gapped PCs using USBs
  4. PyMICROPSIA Windows malware steals browsing data, records audio
  5. Fake Windows website dropped Redline malware as Windows 11 upgrade

Related news

Researchers Warn of 'Raspberry Robin' Malware Spreading via External Drives

Cybersecurity researchers have discovered a new Windows malware with worm-like capabilities and is propagated by means of removable USB devices. Attributing the malware to a cluster named "Raspberry Robin," Red Canary researchers noted that the worm "leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL." The earliest signs of the activity are said to

HackRead: Latest News

Andrew Tate’s University Breach: 1 Million User Records and Chats Leaked