New Raspberry Robin Bug Spreads Malware Via Windows Installer 

New Raspberry Robin Bug Spreads Malware Via Windows Installer 

A new Windows malware with worm capabilities has been identified by Red Canary intelligence investigators, and it spreads through external USB drives. This malware is tied to malicious activities clustered as Raspberry Robin, which was initially discovered in September 2021. 

Red Canary’s Detection Engineering team discovered the worm in multiple customers’ networks, including some in the manufacturing and technology sectors. Raspberry Robin tends to spread to new Windows systems when a USB drive carrying a malicious .LNK file is attached. The worm launches a new process using cmd.exe to run a malicious file stored on the infected disk after it has been connected. 

It communicates with its command-and-control (C2) servers through Microsoft Standard Installer (msiexec.exe), which are most likely housed on infected QNAP devices and employ TOR exit nodes as supplemental C2 infrastructure. 

“While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware,” said the researchers. “Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.” 

They believe the malware downloads a malicious DLL file [1, 2] on affected workstations to resist eradication between restarts, albeit they haven’t determined how it achieves persistence. This DLL is started by Raspberry Robin using two additional trustworthy Windows utilities: fodhelper (a trusted program for controlling features in Windows settings) and odbcconf (a tool for configuring ODBC drivers). 

The first permits it to get through User Account Control (UAC), while the second assists in the execution and configuration of the DLL. While Red Canary experts have been able to extensively examine what the newly found malware performs on affected systems, some issues remain unanswered. 

“First and foremost, we don’t know how or where Raspberry Robin infects external drives to perpetuate its activity, though it’s likely this occurs offline or otherwise outside of our visibility. We also don’t know why Raspberry Robin installs a malicious DLL,” said the researchers. “One hypothesis is that it may be an attempt to establish persistence on an infected system, though additional information is required to build confidence in that hypothesis.” 

Since the end-stage destructive duties of this virus are unknown, another issue that has to be answered is the Raspberry Robin operators’ purpose. Red Canary’s report contains more technical information on the Raspberry Robin worm, including indicators of compromise (IOCs) and an ATT&CK of this malware. 

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.