Raspberry Robin Malware Has Worm Features and Abuses Windows Installer

Analysts from Red Canary have discovered a new malware for Windows called Raspberry Robin, which has the properties of a worm and spreads via USB drives.

The researchers write that they found malware in the networks of several of their clients, among which were unnamed companies from the technology and manufacturing sectors.

Let me remind you that we also wrote that New Bumblebee Malware Downloader Became a Replacement for BazarLoader for Hackers.

It soon became clear that Raspberry Robin spreads when an infected USB drive containing a malicious .LNK file is connected to the machine. The worm then launches a new process on the system, using cmd.exe to launch a malicious file stored on the infected device.

“Raspberry Robin” is Red Canary’s name for a cluster of activity we first observed in September 2021 involving a worm that is often installed via USB drive. This activity cluster relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim’s user and device names.Red Canary specialist said.

The malware uses the Microsoft Standard Installer (msiexec.exe) to access the command and control servers, and the researchers believe that the C&C servers are hosted on compromised Qnap devices and use Tor exit nodes as additional infrastructure.

While [usually] msiexec.exe downloads and runs legitimate installation packages, attackers use it to deliver malware. Raspberry Robin uses msiexec.exe to connect to a malicious domain from an external network.the experts explain.

While experts aren’t yet sure exactly how the malware takes hold on infected systems, they suspect that it installs malicious DLL files on compromised machines to prevent deletion between reboots.

Raspberry Robin Malware

The Raspberry Robin runs the DLL using two other legitimate Windows utilities: fodhelper and odbcconf. The first allows to bypass User Account Control (UAC), while the second helps to execute and configure the DLL.

At the same time, the researchers admit that they have not yet been able to figure out how and where Raspberry Robin infects external devices. It is assumed that this generally happens offline. Also, another important question remains unanswered: what is the ultimate goal of Raspberry Robin operators?

Leave a Comment

About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master's degree in cybersecurity, I've started working as a virus analyst in a little anti-malware vendor.