Cybersecurity researchers have discovered a new Windows malware with worm-like capabilities and is propagated by means of removable USB devices.
Attributing the malware to a cluster named “Raspberry Robin,” Red Canary researchers noted that the worm “leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL.”
The earliest signs of the activity are said to date back to September 2021, with infections observed in organizations with ties to technology and manufacturing sectors.
Attack chains pertaining to Raspberry Robin start with connecting an infected USB drive to a Windows machine. Present within the device is the worm payload, which appears as a .LNK shortcut file to a legitimate folder.
The worm then takes care of spawning a new process using cmd.exe to read and execute a malicious file stored on the external drive.
This is followed by launching explorer.exe and msiexec.exe, the latter of which is used for external network communication to a rogue domain for command-and-control (C2) purposes and to download and install a DLL library file.
The malicious DLL is subsequently loaded and executed using a chain of legitimate Windows utilities such as fodhelper.exe, rundll32.exe to rundll32.exe, and odbcconf.exe, effectively bypassing User Account Control (UAC).
Also common across Raspberry Robin detections so far is the presence of outbound C2 contact involving the processes regsvr32.exe, rundll32.exe, and dllhost.exe to IP addresses associated with Tor nodes.
That said, the operators’ objectives remain unanswered at this stage. It’s also unclear how and where the external drives are infected, although it’s suspected that it’s carried out offline.
“We also don’t know why Raspberry Robin installs a malicious DLL,” the researchers said. “One hypothesis is that it may be an attempt to establish persistence on an infected system.”