Cybersecurity experts have found a new Windows malware that has worm-like abilities and can be spread by removable USB devices.
Attributing the malware to a cluster named “Raspberry Robin,” Red Canary researchers noted that the worm “leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL.”
The earliest signs of the activity are said to date back to September 2021, with infections observed in organizations with ties to technology and manufacturing sectors.
The Raspberry Robin attack chain starts when an infected USB drive is connected to a Windows machine. The drive carries the worm payload, which appears as a .LNK shortcut file pointing to a legitimate folder.
The worm starts by spawning cmd.exe, which executes a malicious file on the external drive.
This is followed by launching explorer.exe and msiexec.exe, the latter of which is used for external network communication to a rogue domain for command-and-control (C2) purposes and to download and install a DLL library file.
The malicious DLL is subsequently loaded and executed using a chain of legitimate Windows utilities such as fodhelper.exe, rundll32.exe to rundll32.exe, and odbcconf.exe, effectively bypassing User Account Control (UAC).
Also common across Raspberry Robin detections so far is the presence of outbound C2 contact involving the processes regsvr32.exe, rundll32.exe, and dllhost.exe to IP addresses associated with Tor nodes.
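Detection logic for the chain described above, as an added example that is not part of the original article or of Red Canary's reporting. The telemetry schema, removable-drive set, Tor node list and trusted-host suffixes are constructed assumptions; it flags cmd.exe running a file from a removable drive, msiexec.exe contacting an untrusted host, and the three named processes reaching a listed Tor node.

```python
import re

# Assumptions (not from the article): telemetry is a list of dicts with
# "kind" ("process" or "network"), "image", and "cmdline" or "dest".
REMOVABLE_DRIVES = {"D:", "E:"}               # constructed: from mount telemetry
TOR_NODES = {"203.0.113.7", "198.51.100.23"}  # constructed placeholder IPs
TRUSTED_MSI_SUFFIXES = (".microsoft.com", ".corp.example")  # constructed allowlist

C2_PROCESSES = {"regsvr32.exe", "rundll32.exe", "dllhost.exe"}
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")


def _name(image: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def detect(events, removable=REMOVABLE_DRIVES, tor=TOR_NODES, trusted=TRUSTED_MSI_SUFFIXES):
    """Return (rule_name, event_index) pairs for the behaviours described above."""
    hits = []
    for i, ev in enumerate(events):
        img = _name(ev.get("image", ""))
        if ev["kind"] == "process" and img == "cmd.exe":
            # Stage 1: cmd.exe executing a file that lives on a removable drive.
            drives = {f"{m.upper()}:" for m in DRIVE_RE.findall(ev.get("cmdline", ""))}
            if drives & set(removable):
                hits.append(("cmd_from_removable_drive", i))
        elif ev["kind"] == "network":
            dest = ev.get("dest", "").lower()
            if img == "msiexec.exe" and not dest.endswith(trusted):
                # Stage 2: Windows Installer reaching a host outside the allowlist.
                hits.append(("msiexec_external_download", i))
            if img in C2_PROCESSES and dest in tor:
                # Stage 3: signed Windows binary talking to a known Tor node.
                hits.append(("lolbin_to_tor", i))
    return hits


SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "D:\sample_payload.cmd"'},
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users"},
    {"kind": "network", "image": r"C:\Windows\System32\msiexec.exe",
     "dest": "download.placeholder-domain.invalid"},
    {"kind": "network", "image": r"C:\Windows\System32\msiexec.exe",
     "dest": "update.microsoft.com"},
    {"kind": "network", "image": r"C:\Windows\System32\regsvr32.exe",
     "dest": "203.0.113.7"},
    {"kind": "network", "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dest": "198.51.100.99"},
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]}")
```

Each rule on its own is noisy; Red Canary's observation is that the three stages appear together on one host, so correlating hits by host within a short window is the useful alert.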
Despite these findings, several questions remain unanswered. It’s also unclear how and where the external drives are infected, although it’s suspected that it’s carried out offline.
“We also don’t know why Raspberry Robin installs a malicious DLL,” the researchers said. “One hypothesis is that it may be an attempt to establish persistence on an infected system.”