Raspberry Robin Worm Discovered in Networks of Hundreds of Organizations

Microsoft experts report that the recently discovered Raspberry Robin worm has been found in the networks of hundreds of organizations from various industries.

Although Microsoft has observed how the malware binds to addresses on the Tor network, the targets of the attackers are still unknown, since they have not yet taken advantage of access to the networks of their victims.

Let me remind you that we also wrote that Beta Version of Raccoon Stealer 2.0 Malware with Improved Features Is Available for Purchase.

Let me remind you that the first Raspberry Robin malware was noticed by analysts from Red Canary. In the spring this year, it became known that the malware has the capabilities of a worm, spreads using USB drives, and has been active since at least September 2021.

Security company Sekoia even observed how malware used Qnap NAS devices as control servers back in November last year. Now Microsoft said it has found artifacts related to this worm dating back to 2019.

In general, Microsoft’s findings are similar to those of Red Canary experts, who also found the worm in the networks of several clients, some of whom worked in the technology and manufacturing sectors.

Interestingly, researchers previously acknowledged that they were unable to figure out exactly how and where Raspberry Robin infects external devices. The fact is that the malware spreads when an infected USB drive containing a malicious .LNK file is connected to the machine. The worm then launches a new process on the system, using cmd.exe to launch a malicious file stored on the infected device.

Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.analysts write.

Worm Raspberry Robin

It is assumed that the infection generally occurs offline. Also in the spring, another important question remained unanswered: what is the ultimate goal of the Raspberry Robin operators?

Unfortunately, Microsoft doesn’t have the answers either. Although the malware binds to addresses in the Tor network, the attackers have not yet taken advantage of the access they gained to the networks of their victims. Although hackers could easily develop their attacks, especially considering that Raspberry Robin is able to bypass User Account Control (UAC) on infected systems using legitimate Windows tools.

While the hackers remain inactive for the time being, Microsoft has flagged this campaign as high-risk, given that attackers can download and deploy additional malware on victim networks at any time and elevate their privileges.

Leave a Comment

About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master's degree in cybersecurity, I've started working as a virus analyst in a little anti-malware vendor.