Search This Blog

Microsoft Detects Raspberry Robin Worm in Windows Networks

Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.

According to Microsoft, a recently detected Windows worm has been discovered on the networks of hundreds of firms from numerous industry sectors. 

The malware, called Raspberry Robin, spreads via infected USB devices and was discovered by Red Canary intelligence experts in September 2021.] In early November, cybersecurity company Sekoia detected it using QNAP NAS devices as command and control servers (C2) servers, while Microsoft stated it discovered harmful artefacts tied to this worm produced in 2019. 

Redmond's findings are consistent with those of Red Canary's Detection Engineering team, which discovered this worm on the networks of several clients, including several in the technology and manufacturing industries. Despite the fact that Microsoft saw the malware communicating to Tor network addresses, the threat actors are yet to exploit the access they gained to their victims' networks. 

As already mentioned, Raspberry Robin is spreading to new Windows frameworks by means of contaminated USB drives containing a noxious .LNK document. When the USB gadget is joined and the user taps the link, the worm brings forth a msiexec interaction utilizing cmd.exe to send off a noxious document put away on the contaminated drive. It infects new Windows gadgets, speaks with its order and control servers (C2), and executes noxious payloads utilizing a few genuine Windows utilities: 
  • fodhelper (a trusted binary for managing features in Windows settings),
  • msiexec (command line Windows Installer component),
  • and odbcconf (a tool for configuring ODBC drivers).
"While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware," Red Canary researchers explained. "Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes."

Security specialists who have seen Raspberry Robin in the wild are yet to link the malware to a threat group and are yet dealing with tracking down its administrators' ultimate objective. In any case, Microsoft has labelled this mission as high-risk, considering that the attackers could download and convey extra malware inside the casualties' organizations and heighten their honours anytime.
Share it: