Analysts from Red Canary have discovered a new malware for Windows called Raspberry Robin, which has the properties of a worm and spreads via USB drives.
The researchers write that they found malware in the networks of several of their clients, among which were unnamed companies from the technology and manufacturing sectors. Let me remind you that we also wrote that New Bumblebee Malware Downloader Became a Replacement for BazarLoader for Hackers. It soon became clear that Raspberry Robin spreads when an infected USB drive containing a malicious .LNK file is connected to the machine. The worm then launches a new process on the system, using cmd.exe to launch a malicious file stored on the infected device.
“Raspberry Robin” is Red Canary’s name for a cluster of activity we first observed in September 2021 involving a worm that is often installed via USB drive. This activity cluster relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim’s user and device names.Red Canary specialist said.
While [usually] msiexec.exe downloads and runs legitimate installation packages, attackers use it to deliver malware. Raspberry Robin uses msiexec.exe to connect to a malicious domain from an external network.the experts explain.
The Raspberry Robin runs the DLL using two other legitimate Windows utilities: fodhelper and odbcconf. The first allows to bypass User Account Control (UAC), while the second helps to execute and configure the DLL. At the same time, the researchers admit that they have not yet been able to figure out how and where Raspberry Robin infects external devices. It is assumed that this generally happens offline. Also, another important question remains unanswered: what is the ultimate goal of Raspberry Robin operators?