The malware Raspberry Robin is distributed via external drives and uses Microsoft Standard installer to execute malicious commands.
Red Canary’s Detection Engineering team has discovered a new worm-like Windows malware being distributed via removable USB drives. The malware was detected in several customer networks, mainly in the manufacturing and technology sectors.
About Raspberry Robin
Red Canary intelligence analysts attributed the malware to the Raspberry Robin cluster, noting that the worm leverages “Windows Installer” to access QNAP-linked domains and download a malicious DLL.
Raspberry Robin’s activity was first documented in September 2021. The operator’s objective is unclear, and researchers are also clueless about when and how the external drives get infected. They suspect that this infection occurs offline.
Attack Chain Details
Raspberry Robin’s attack chain starts with connecting an infected external/USB drive to a Windows device. Researchers noted that adversaries use msiexec.exe to deliver malware while “Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.
Lauren Podber and Stef Rand
Red Canary
The external drive is equipped with the worm payload that appears as a .LNK shortcut file in a legit folder. The worm creates a new process using cmd.exe to read/execute the malicious file on the USB drive.
According to Red Canary’s blog post, once this is done, the worm launches explorer.exe and msiexec.exe. The latter is used to establish network communication with a rogue domain and for downloading/installing the DLL library file.
This DLL file is loaded and executed using legitimate Windows utilities like rundll32.exe, fodhelper.exe, and odbcconf.exe to bypass the UAC (User Account Control). Researchers also detected an outbound C2 contact involving regsvr32.exe, dllhost.exe, and rundll32.exe processes to IP addresses linked with Tor nodes.
Regarding why the worm installs a malicious DLL, the researchers were unclear. They hypothesized that it could be done to maintain persistence on the infected machine.
