The U.S. State Department has announced rewards of up to $10 million for any information leading to the identification of key individuals who are part of the infamous Conti cybercrime gang.
Additionally, it's offering another $5 million for intelligence information that could help arrest or convict individuals who are conspiring or attempting to affiliate with the group in a ransomware attack.

The U.S. State Department has announced rewards of up to $10 million for any information leading to the identification of key individuals who are part of the infamous Conti cybercrime gang.

Additionally, it's offering another $5 million for intelligence information that could help arrest or convict individuals who are conspiring or attempting to affiliate with the group in a ransomware attack.

The department called the Conti variant the "costliest strain of ransomware ever documented."

Conti, the work of a Russia-based transnational organized crime group dubbed Gold Ulrick, is one most prolific ransomware cartels that has continued to strike entities globally while simultaneously expanding its empire by absorbing TrickBot and running side hustles that involve data extortion.

After the syndicate expressed public support for Russia's invasion of Ukraine in February, it suffered a major breach of its own after its source code and internal chats were released on the public domain. But the leaks have done precious little to slow it down.

According to the State Department, Conti is said to have victimized more than 1,000 organizations as of January 2022, with victim payouts surpassing $150 million. Last month, the group claimed credit for an attack on Costa Rica's government networks.

This is not the first time the U.S. government has offered bounties as part of its efforts to "disrupt and dismantle transnational organized crime globally, including cybercrime" and protect "potential ransomware victims around the world from exploitation by cyber criminals."

In November 2021, it offered similar monetary rewards for locating criminal parties associated with DarkSide and REvil ransomware, which were used in high-profile attacks on Colonial Pipeline and Kaseya last year.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Offering $10 Million Reward for Information on Conti Ransomware Hackers

Plus: Russia rerouted internet in occupied Ukraine, Grindr sold its users' location data to ad networks, and more.

If the war in Ukraine and Russia's still-unfolding atrocities there didn't offer enough fodder for doomscrolling, this week supplied a new dose of domestic crisis: A leaked Supreme Court draft decision that would overturn _Roe v. Wade_, demolishing a ruling that has served as a cornerstone of reproductive rights for nearly five decades. And this crisis, too, will play out in the digital realm as much as the physical and legal ones.

WIRED's Lily Hay Newman responded to the news with a guide to protecting your privacy if you're seeking an abortion in a near-future world in which _Roe_ has in fact been overturned. As right-wing pundits demand the Supreme Court leaker's prosecution, meanwhile, we analyzed the laws concerning leaks of unclassified government information like a draft court ruling and found that there's no clear statute criminalizing that sort of information sharing. And law professor Amy Gajda walked us through the history of Supreme Court information leaks, which stretches back hundreds of years.

As Russia's war in Ukraine grinds on, we looked at how small, consumer-grade drones are offering a defensive tool to Ukrainians that they're exploiting as in no other war in history. And further abroad in India, a battle is taking shape between VPN firms and the Indian government, which is demanding they hand over users' data. Meanwhile, the country's new “super app,” Tata Neu, has sparked user privacy concerns.

And there's more. As we do every week, we’ve rounded up all the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there.

If _Roe_'s precedent ceases to protect people seeking abortions across the United States, the question of who can digitally surveil those seeking abortions and abortion providers—and how to evade that surveillance—will become a civil liberties battle of the highest urgency. This week, Motherboard's Joseph Cox fired the opening salvos of that battle with a series of stories about data brokers who offer to sell location data that include individuals' visits to abortion clinics and Planned Parenthood offices, an egregious form of surveillance capitalism with immediate human consequences. Anti-abortion protest groups have already used abortion clinic data to target ads at women inside the clinics, and the same data could soon be used to identify women who seek out-of-state abortions in violation of local laws.

Cox pointed to two companies, SafeGraph and Placer.ai, both of which sold location data of those apparently visiting abortion clinics. Placer.ai has gone so far as to offer "heat maps" of where abortion clinic visitors live to anyone who creates a free account on its site. Cox's reporting had quick results: SafeGraph, which was banned from the Google Play store in June, responded to Motherboard's story by committing to stop selling the abortion-related location data. One of its investors, Are Traasdahl, says he's selling his stake in the company and donating the money to Planned Parenthood.

Your move, Placer.ai.

While we're shaming firms that leak or sell their users' location data, Grindr has long represented a uniquely dangerous combination: a company that courts at-risk users, and then egregiously fails to protect their privacy. This week, _The Wall Street Journal_ revealed that Grindr users' location data was sold for years—beginning in 2017 until at least two years ago—via ad networks, potentially exposing the movements, work locations, and home addresses of millions of gay men. The revelation follows years of Grindr data abuses and inattention to privacy and security, such as allowing anyone to pinpoint users with a triangulation technique, and even turning a blind eye as one man's life was ruined by spoofed Grindr accounts.

In 2022 a Russian military occupation doesn't merely mean physical devastation from shelling, unspeakable war crimes, and mass deportations of Ukrainian civilians to Russian hinterlands. In the Russian-occupied region of Kherson in southern Ukraine, it now means that Ukrainians have been disconnected from the global internet and rerouted through Russia's tightly controlled, surveilled, and censored “Runet.” The move, confirmed Monday by the internet monitoring firm Netblocks, represents a grim advancement of the “splinternet” notion of repressive regimes increasingly walling off their own regional slice of the internet to exert greater control over their populations. Russia now appears to be experimenting with extending its internet repression to the victims of its unprovoked military conquests in a bid to better control and influence digital information there too.

Last month, _The New Yorker_ published an in-depth investigation of how the Israeli hacking firm NSO Group's highly sophisticated smartphone spyware known as Pegasus was used to target members of Spain's Catalan independence movement. Now, Spain's government may be getting a taste of its own medicine: Both the prime minister, Pedro Sánchez, and the country's defense minister, Margarita Robles, have said that their phones, too, were hacked with Pegasus in May and June of 2021. Spain's criminal court is investigating the hacking, which was revealed by security researchers at Citizen Lab. While the Spanish government has claimed that the hacking must have been carried out by a foreign culprit, the Catalan targets of Pegasus have long pointed the finger—for their own targeting at least—at Spain's National Intelligence Center.

The US Treasury announced Friday that it's issuing sanctions against Blender.io, a “mixing” service that's used to obscure the origins and destinations of cryptocurrency. Mixers, including Bitcoin Fog and Helix, have been criminally prosecuted by the US Department of Justice for helping to obscure the criminal origins of cryptocurrency. But the sanctions against Blender.io represent the first time that the Treasury has taken measures to financially ostracize a mixer, making it a crime for any American to transact with the service. In this case, Blender is accused of helping to launder $20.5 million of the $620 million worth of cryptocurrency that North Korea's Lazarus hackers allegedly stole from the cryptocurrency firm Ronin Networks in March. That hack alone suggests that North Korean thieves have already topped the estimated $400 million in crypto—largely in the Ethereum currency—that they stole last year.

Data Brokers Track Abortion Clinic Visits for Anyone to Buy

If you don’t like marketers (or anyone else) knowing when and where you read your email, Apple’s feature will help you reclaim some privacy.

Nothing makes you more paranoid about privacy than working in a marketing department. Trust me on this. For example, did you know that marketers track every time you open an email newsletter—and where you were when you did it?

Apple caused a small panic among marketers in September 2021 by effectively making this tracking impossible in the default Mail app on iPhone, iPad, and Mac. I, personally, switched to Apple Mail as soon as the feature was announced. You might feel the same way, but marketers feel as though they've lost a useful tool.

"If I start a conversation with somebody and they're not responding to me, I'm going to stop talking to them at some point," says Simon Poulton, vice president of digital intelligence at marketing agency Wpromote. "But if someone is nodding along, I'm going to keep talking."

Tracking email opens, to Poulton, is a way for marketers to see who is, and isn't, listening—and adjust their strategy accordingly.

Privacy advocates feel differently. Bill Budington, senior staff technologist at the Electronic Frontier Foundation, says tracking is bad for privacy, and he's pleased that “Apple Mail now provides tools to take your privacy back.”

Let’s talk more about what, exactly, this feature does—and what it means for you.

How Email Tracking Works (and How Apple Blocks It)

If you're really freaking old—36, say—you might recall some ’90s email clients couldn't open certain emails with formatting. You'd instead be prompted to open the email in your web browser. There's a reason for this.

Email dates back to the ’70s, when computers couldn't display much in the way of graphics. Because of this, email protocols are more or less designed for simple text messages with attachments—which works until you want to add things like colors and images. By the ’90s, a workaround showed up: adding HTML code to an email message that points to images hosted on servers.

I bring this history up only because it's what makes modern email tracking possible. Most email newsletters you get include an invisible “image,” typically a single white pixel, with a unique file name. The server keeps track of every time this “image” is opened and by which IP address. This quirk of internet history means that marketers can track exactly when you open an email and your IP address, which can be used to roughly work out your location.

So, how does Apple Mail stop this? By caching. Apple Mail downloads all images for all emails before you open them. Practically speaking, that means every message downloaded to Apple Mail is marked “read,” regardless of whether you open it. Apples also routes the download through two different proxies, meaning your precise location also can't be tracked.

Apple’s Been Adding Features Like This for a While

So did this catch marketers off guard? Kind of.

“The Apple Mail thing specifically kind of came out of left field,” Poulton tells me, “but the whole idea of the de-identification of users is something we've been planning on for a while. This is a multipronged attack from Apple.”

Apple Mail Now Blocks Email Tracking. Here’s What That Means

The U.S. Treasury Department on Friday moved to sanction virtual currency mixer Blender.io, marking the first time a mixing service has been subjected to economic blockades.
The move signals continued efforts on the part of the government to prevent North Korea's Lazarus Group from laundering the funds stolen from the unprecedented hack of Ronin Bridge in late March.
The newly imposed sanctions,

The U.S. Treasury Department on Friday moved to sanction virtual currency mixer Blender.io, marking the first time a mixing service has been subjected to economic blockades.

The move signals continued efforts on the part of the government to prevent North Korea's Lazarus Group from laundering the funds stolen from the unprecedented hack of Ronin Bridge in late March.

The newly imposed sanctions, issued by the U.S. Office of Foreign Assets Control (OFAC), target 45 Bitcoin addresses linked to Blender.io and four new wallets linked to Lazarus Group, an advanced persistent with ties to the Democratic People's Republic of Korea (DPRK).

"Blender was used in processing over $20.5 million of the illicit proceeds," the Treasury said, adding it was utilized by DPRK to "support its malicious cyber activities and money-laundering of stolen virtual currency."

Cryptocurrency mixers, also called tumblers, are privacy-focused services that allow users to move cryptocurrency assets between accounts without leaving a transaction trail by obfuscating their origins.

Mixers like Blender are known to take a "dynamic" service fee that ranges anywhere between 0.6% and 2.5% every time money is transferred to a wallet address under its control. Since its launch in 2017, Blender is estimated to have transferred more than $500 million worth of Bitcoin.

"Through these services, threat actors can achieve their end goal of cashing out and keeping the criminal underground liquid through the trade of illicit goods and services," Intel 471 noted in a report published in November 2021.

The Ronin Bridge hack saw the state-sponsored cyber hacking group stealing $540 million from a decentralized protocol that permits users to transfer their crypto between Ethereum and the popular blockchain game Axie Infinity.

On April 16, the Treasury Department blocklisted the Ethereum wallet address that received the stolen digital currency, although by then the Lazarus Group had managed to launder 18% of the siphoned funds (about $97 million) through centralized exchanges and an Ethereum mixing service called Tornado Cash.

Over the past two weeks, around $273.9 million of Ether was sent to four of the newly-sanctioned addresses, according to blockchain analytics firm Elliptic, with one of those addresses already moving $37 million through Tornado Cash, leaving behind $236 million.

"The transactions involved amounts significantly larger than their previous laundering efforts," the company said. "The ramping up of laundering efforts in this manner potentially reflects a growing desperation by the hackers."

Furthermore, the sanctioning of Blender is evidence that the "Lazarus Group had moved some of the stolen funds into Bitcoin," Elliptic pointed out.

On top of that, Blender is also said to have helped a number of the Russia-aligned ransomware gangs launder their money, including TrickBot, Conti (formerly Ryuk), Sodinokibi (aka REvil), and Gandcrab.

In the midst of all this, crypto exchange Binance on April 22 revealed that it had managed to recover $5.8 million worth of the Axie Infinity stolen funds that were spread across 86 accounts.

The development comes a month after the Treasury sanctioned virtual currency exchange Garantex for assisting criminal actors in laundering over $100 million in ill-gotten funds.

Last year, the department penalized two cryptocurrency exchanges SUEX and CHATEX for facilitating financial transactions for ransomware actors and cashing out the money extorted from victims.

In recent years, North Korea has been attached to a string of cyber-enabled heists from cryptocurrency exchanges and financial entities as a way of getting around international sanctions and generating revenue for its nuclear weapons program.

Last month, U.S. cybersecurity and intelligence agencies warned of a new set of cyberattacks carried out by the Lazarus Group targeting blockchain companies with rogue cryptocurrency apps.

"Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests," said Brian E. Nelson, undersecretary of the Treasury for Terrorism and Financial Intelligence.

"We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Sanctions Cryptocurrency Mixer Blender for Helping North Korea Launder Millions

In the next 10 years, public-key encryption needs to be replaced by post-quantum techniques that can stand up to the new challenges.

Within a decade, the growth of powerful quantum computers will lead to a new era in security, in which once-impenetrable public-key techniques like RSA and ECC will fall to higher levels of brute force. Such techniques need to be replaced by post-quantum cryptography that can stand up to the new challenges.

That's according to an intelligence brief from research company PreScouter. The brief, titled "Quantum Computing and Cybersecurity: Preparing for Post-Quantum Cryptography," says the global quantum computing market will grow from $472 million in 2021 to $1.765 billion by 2026. As the technology spreads from research labs to the cloud, the likelihood of it getting used to defeat current encryption methods rises to near certainty. Indeed, the Biden administration just issued two directives to prepare US government and businesses against future quantum cyberattacks.

"Hackers are currently unlikely to have the resources to develop quantum computing systems," the PreScouter brief states. "However, the emergence of general-purpose quantum computing will be available in the cloud as an infrastructure platform like a service, making it affordable for a wide range of users with current technological capabilities." IBM added its Quantum Cloud service back in 2017, and today users can rent time on a quantum computer from more than a dozen vendors, including Azure and AWS.

Numerous groups have been working on post-quantum cryptography for years, including European Telecommunication Standards Institute (ETSI), the European Union Agency for Cybersecurity (ENISA), and the International Organization for Standardization (ISO). In the US, NIST initiated its post-quantum work back in 2016. This foresight is necessary, PreScouter says, because replacing encryption algorithms requires many steps, so the sooner we get started, the better.

The brief notes that while hackers might not be breaking into OT systems and medical devices by 2030, we need to have post-quantum cryptography implemented by then to stave off such attacks. Algorithmic approaches to post-quantum cryptography include lattice-based, hash-based, isogeny-based, multivariate, and code-based systems.

Download the brief in full from PreScouter.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Post-Quantum Cryptography Set to Replace RSA, ECC

The attack may have been "a major wake-up call" about the need for greater resilience in IT environments, but have security teams hit the snooze bar one too many times?

Cybersecurity experts have warned about vulnerabilities within the critical infrastructure for years. It came to fruition in May 2021, when Colonial Pipeline was hit with a ransomware attack. The response, of course, was the company temporarily shut down oil and gasoline delivery, which resulted in major panic and shortages all over the East Coast.

"The Colonial Pipeline attack was a major wake-up call to improve cyber defenses for critical infrastructure," says Tom Badders, senior product manager at Telos. "The attack vector for ransomware has typically been targeted to information technology networks. This was the first major attack on an operational technology network."

The attack brought much-needed attention to risks to the critical infrastructure and how something as simple as a stolen password can create a national nightmare. The immediate response was to come up with ways to prevent a similar attack (and there has not been one as of yet), but over the past year, have we really learned any lessons from Colonial Pipeline? Has anything changed in the way we think about protecting our systems, particularly critical infrastructure?

**Wake-Up Call  
**The Colonial Pipeline attack offered everyone, from government officials to ordinary citizens, a glimpse into what could happen and why it is vital to have a good security team with a solid mitigation plan in place, says Willy Leichter, CMO at LogicHub.  

"In terms of wake-up calls, the Colonial Pipeline cyberattack was a good jolt of caffeine to the country," he says. "The Colonial security teams acted quickly, cautiously, and probably correctly to shut down the pipeline, although it took six days to get it back online."

But then the country hit the snooze button.

"Unfortunately, I think very little has changed," says Den Jones, CSO at Banyan Security.

Many companies still operate under the "it won't happen to me" assumption, Jones points out, and smaller organizations don't have the resources in place — or don't think they need them — to address a major cyber incident. When organizations do have security teams in place, they are spread thin.

"And perhaps worst of all," Jones adds, "organizations of all shapes and sizes haven't dramatically improved their basic security hygiene. This includes having sound, repeatable, audible processes for keeping systems patched and up to date, directory systems current, and making use of important tools like MFA. Remember, having a process doesn't mean it has to be complicated."

**Some Progress Made  
**Little change isn't the same as no change, however. There have been signs of progress in the wake of the Colonial Pipeline attack.

"Government agencies have been more active in issuing security recommendations and creating much stricter rules about breach notification," says Leichter. Days after the ransomware attack was revealed, for example, the White House released an executive order requiring improvements to federal cybersecurity efforts. At the state level, more than 250 bills were introduced that deal directly with improving cybersecurity both overall and to directly protect government entities.

In addition, operational technology security services demand has doubled since Colonial Pipeline, according to Darren Van Booven, cyber advisory practice lead at Trustwave. The increase, he says, "has mostly been driven from the board and C-level as a direct response to Colonial Pipeline. Organization leaders are calling for security system audits and assessments, ransomware protection strategies, and detection and response capabilities for advanced threats, such as cybergangs."

Another positive to come from the Colonial Pipeline attack was the public/private partnership to get the pipeline back into operational mode quickly. That effort has continued to see positive steps forward with the Biden administration's prioritization of such cooperation, codified by the Cybersecurity and Infrastructure Security Agency (CISA) when it launched the Joint Cyber Defense Collective to coordinate government and industry response to cyberattacks.

"Eighty-five percent of the nation's critical infrastructure is managed by the private sector," says Telos' Badders. "These organizations need the support of the US government to defend the country's vital infrastructure."

**The Bad Guys Are Learning, Too  
**One of the greatest challenges facing cybersecurity teams is the knowledge that threat actors have access to the same technologies and intelligence that they do.

"The Colonial Pipeline ransomware attack exposed weaknesses in the US's critical infrastructure," says Jason Rebholz, CISO at Corvus Insurance. "For nation-states such as Russia, it served as a case study on how a single cyberattack can cause devastating impacts and incite chaos. The significance of that knowledge, given the current geopolitical environment, is cause for concern."

The bad guys may also be learning another lesson: targeting US critical infrastructure was too risky. 

"Following the Colonial Pipeline attack, the DarkSide ransomware infrastructure was shut down and a portion of the ransom payment paid in Bitcoin was actually recovered," Rebholz explains. "Ransomware actors saw that they could not operate without repercussions — a clear line in the sand had been drawn."

**Where Do We Go From Here?  
**Colonial Pipeline's ransomware attack highlights the need for greater resilience in IT environments. "Security is no longer about only keeping the bad actors out but must include building a malleable environment that can withstand attacks," says Rebholz.

Moving forward in a post-Colonial Pipeline cyber environment, organizations are making adjustments. Cyber insurance carriers, for example, have implemented mandatory controls including, but not limited to, network segmentation and robust backup solutions, resulting in the number of ransomware claims requiring a ransom payment decreasing. And the concept of zero trust, with the US government's endorsement, is getting more attention as a security approach.

"This attack showed that perimeter security can be defeated with a single password," says LogicHub's Leichter. "We must have defense-in-depth that understands context \[and\] assumes that threats can come from anywhere, and security systems \[that\] have the ability to detect and respond to new attacks at any stage."

What We've Learned in the 12 Months Since the Colonial Pipeline Attack

An operational slip-up led security researchers to an attacker associated with Nigerian letter scams and malware distribution, after he infected himself with Agent Tesla.

In what can only be described as a case of karmic irony, a Nigerian scammer responsible for stealing more than 800,000 credentials from some 28,000 victims over the past several years recently infected his own machine with info-stealing malware that resulted in his identity being exposed.

Researchers from Malwarebytes got on his trail when they identified a group they track as "Nigerian Tesla" among numerous threat actors targeting Ukrainian entities. Malwarebytes had tracked the group for years initially while it was engaged in a string of so-called 419 advance fee fraud (aka Nigerian letter scams), where victims receive emails promising them a generous commission for facilitating a money transfer involving a large sum.

Over the past two years, Malwarebytes researchers had observed the threat actor switching from 419 scams to distributing Agent Tesla, a widely used remote-access Trojan (RAT) for stealing personal data from infected systems.

Malwarebytes recently identified Nigerian Tesla attempting to distribute the malware via an email with a subject header titled "Final Payment" in Ukrainian. Recipients who clicked on the link in the email were directed to a file-sharing site, which then downloaded the Agent Tesla binary to the user's system.

The attack chain involved the command-and-control server (C2) sending a message to Agent Tesla on infected systems, designed to confirm that the malware had been properly configured for remote communication. In examining the campaign, researchers detected an oddity — multiple messages containing the text "Test successful" coming from the attacker's own machine. There's only one logical conclusion: The attacker had somehow managed to self-inflict Agent Tesla malware.

A member of Malwarebytes' threat intelligence team tells Dark Reading that the threat actor made several mistakes: "The biggest one was to infect his own computer with the Agent Tesla stealer," he says. "By doing so, all the credentials from their machine, stored in common applications such as browsers, were collected and exfiltrated. In a sense, they became just another victim, but in this case of their own malware."

An examination of the test emails exposed the attacker's IP address, which then led the researchers down a path that ultimately revealed to them the attacker's real identity, address, photos, and a copy of his Nigerian driver's license.

**A Trail of Bread Crumbs**  
One of the first things Malwarebytes discovered when investigating the threat actor's IP address was that he had sent more than two dozen additional emails from the same IP address. The researchers were unable to figure how the attacker had managed to infect his own system. But the emails revealed several other services that the threat actor used as part of his attack infrastructure.

These included a service that could be used as a source for victim emails, another for extracting emails from compromised systems, file hosting and storage services, virtual private servers, and VPN and DNS services. The researchers also discovered several assumed names that the Nigerian Tesla group used in past email scams, along with numerous email accounts that were used in phishing scams and data theft campaigns.

An investigation of the emails and the personae associated with them showed that the Nigerian Tesla group had been engaged in criminal cyber activities going back to at least 2014. At that time the group was primarily engaged in 419 scams involving emails from fictitious people going by names such as Rita Bent, Lee Chen, and John Cooper. Malwarebytes found the threat making a switch to malware distribution in 2020, and identified the tools the attacker used to obfuscate their binaries and to test whether they could be detected.

During their investigation Malwarebytes researchers found a couple of photos of the individual that appeared to have started the operation, as well as the Agent Tesla-infected person's driver's license. Malwarebytes identified the individual only as "E.K" and as someone born in 1985.

Scammer Infects His Own Machine With Spyware, Reveals True Identity

By Deeba Ahmed
The malware Raspberry Robin is distributed via external drives and uses Microsoft Standard installer to execute malicious commands.…
This is a post from HackRead.com Read the original post: USB-based Wormable Raspberry Robin Malware Targeting Windows Installer

The malware Raspberry Robin is distributed via external drives and uses Microsoft Standard installer to execute malicious commands.

Red Canary’s Detection Engineering team has discovered a new worm-like Windows malware being distributed via removable USB drives. The malware was detected in several customer networks, mainly in the manufacturing and technology sectors.

**About Raspberry Robin**

Red Canary intelligence analysts attributed the malware to the Raspberry Robin cluster, noting that the worm leverages “Windows Installer” to access QNAP-linked domains and download a malicious DLL.

Raspberry Robin’s activity was first documented in September 2021. The operator’s objective is unclear, and researchers are also clueless about when and how the external drives get infected. They suspect that this infection occurs offline.

**Attack Chain Details**

> Raspberry Robin’s attack chain starts with connecting an infected external/USB drive to a Windows device. Researchers noted that adversaries use msiexec.exe to deliver malware while “Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.
> 
> Lauren Podber and Stef Rand  
> Red Canary

The external drive is equipped with the worm payload that appears as a .LNK shortcut file in a legit folder. The worm creates a new process using cmd.exe to read/execute the malicious file on the USB drive.

According to Red Canary’s blog post, once this is done, the worm launches explorer.exe and msiexec.exe. The latter is used to establish network communication with a rogue domain and for downloading/installing the DLL library file.

Raspberry Robin event outline (Red Canary)

This DLL file is loaded and executed using legitimate Windows utilities like rundll32.exe, fodhelper.exe, and odbcconf.exe to bypass the UAC (User Account Control). Researchers also detected an outbound C2 contact involving regsvr32.exe, dllhost.exe, and rundll32.exe processes to IP addresses linked with Tor nodes.

Regarding why the worm installs a malicious DLL, the researchers were unclear. They hypothesized that it could be done to maintain persistence on the infected machine.

**More Windows Malware News**

1.  Beware of Fake Windows 11 Update Delivering Malware
2.  LodaRAT Windows malware now hunting Android devices
3.  New malware tool can steal files from air-gapped PCs using USBs
4.  PyMICROPSIA Windows malware steals browsing data, records audio
5.  Fake Windows website dropped Redline malware as Windows 11 upgrade

USB-based Wormable Raspberry Robin Malware Targeting Windows Installer

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 29 and May 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for April 29 to May 6

Activity dubbed ‘Raspberry Robin’ uses Microsoft Standard Installer and other legitimate processes to communicate with threat actors and execute nefarious commands.

Activity dubbed ‘Raspberry Robin’ uses Microsoft Standard Installer and other legitimate processes to communicate with threat actors and execute nefarious commands.

Credit: Red Canary

Wormable malware dubbed Raspberry Robin has been active since last September and  is wriggling its way through USB drives onto Windows machines to use Microsoft Standard Installer and other legitimate processes to install malicious files, researchers have found.

Researchers at Red Canary Intelligence first began tracking the malicious activity in the fall when it began as a handful of detections with similar characteristics first observed in multiple customers’ environments by Jason Killam from Red Canary’s Detection Engineering team.

Once the worm spreads via a USB drive to someone’s machine, the activity relies on msiexec.exe to call out to its infrastructure–which is often comprised of QNAP devices–using HTTP requests that contain a victim’s user and device names, Red Canary’s Lauren Podber and Stef Rand wrote in a blog post published Thursday.

Researchers also observed Raspberry Robin use TOR exit nodes as additional command and control (C&C) infrastructure, they wrote. Eventually the worm installs malicious dynamic link library (DLL) files found on the infected USB.

While researchers first noticed Raspberry Robin as early as September 2021, most of the activity observed by Red Canary occurred during January of this year, researchers said.

****Unanswered Questions****

Though researchers observed various processes and executions by the malicious activity, they acknowledged that these observations have left a number of unanswered questions.

The team has not yet figured out how or where Raspberry Robin infects external drives to perpetuate its activity, though it’s likely this infection occurs offline or “otherwise outside of our visibility,” researchers said.

They also don’t know why Raspberry Robin installs a malicious DLL, although they believe it may be to  attempt to establish persistence on an infected system–though there is not enough evidence to make this conclusive, researchers acknowledged.

However, the biggest question mark surrounding the worm is the objective of the threat actors behind it, researchers said.

“Absent additional information on later-stage activity, it’s difficult to make inferences on the goal or goals of these campaigns,” they acknowledged.

****Initial Access and Execution****

Infected removable drives—typically USB devices—introduce the Raspberry Robin worm as a shortcut LNK file masquerading as a legitimate folder on the infected USB device, researchers said. LNK files are Windows shortcuts that point to and are used to open another file, folder, or application.

Soon after the infected drive is connected to the system, the worm updates the UserAssist registry entry and records execution of a ROT13-ciphered value referencing a LNK file when deciphered. For example, researchers observed the value q:\\erpbirel.yax being deciphered to d:\\recovery.lnk, they wrote.

Execution commences when Raspberry Robin uses cmd.exe to read and execute a file stored on the infected external drive, researchers said.

“The command is consistent across Raspberry Robin detections we have seen so far, making it reliable early evidence of potential \[worm\] activity,” they noted.

In the next phase of execution, cmd.exe typically launches explorer.exe and msiexec.exe. The former’s command line can be a mixed-case reference to an external device–a person’s name, like LAUREN V; or the name of the LNK file, researchers said.

The worm “also extensively uses mixed-case letters in its commands,” most likely to avoid detection, researchers added.

****Secondary Execution****

Raspberry Robin uses the second executable launched, msiexec.exe , to attempt external network communication to a malicious domain for command and control purposes, researchers revealed.

In several examples of the activity that researchers have observed, the worm has used msiexec.exe to install a malicious DLL file although, as mentioned before, they still aren’t certain what the purpose of the DLL is.

The worm also uses msiexec.exe to launch a legitimate Windows utility, fodhelper.exe, which in turn spawns rundll32.exe to execute a malicious command, they observed.

“Processes launched by fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt,” researchers noted. As this is unusual behavior for the utility, this activity can be used to detect the presence of Raspberry Robin on an infected machine, they said.

The rundll32.exe command then starts another legitimate Windows utility– odbcconf.exe–and passes in additional commands to execute and configure the recently-installed malicious DLL file, researchers said.

Tag

#intel