Microsoft discovered a Windows worm in the networks of hundreds of organizations from various industries.
The malware, called Raspberry Robin, spreads via infected USB devices and was first detected in September 2021 by Red Canary analysts.
Researchers at the security company Sekoia found the same worm using QNAP NAS devices as command and control (C2) servers in early November [PDF], while Microsoft said it discovered malicious packages linked to this worm that were created in 2019.
Redmond's findings are very much in line with those of Red Canary's Detection Engineering team, which also detected this worm in the networks of many of its customers.
Although Microsoft noticed the malware connecting to addresses on the Tor network, the attackers have yet to act against their victims' computers despite already having access.
The malware can bypass User Account Control (UAC) on infected systems using certain Windows tools.
As we already mentioned, Raspberry Robin spreads to Windows systems via infected USB drives containing a malicious .LNK file.
As soon as the USB device is connected and the user clicks on the shortcut (the .LNK file), the worm creates an msiexec process via cmd.exe to launch a malicious file stored on the infected USB drive.
It infects new Windows devices, communicates with command and control (C2) servers, and runs malicious packages using various Windows utilities:
- fodhelper (a trusted Windows executable),
- msiexec (the command-line component of Windows Installer),
- and odbcconf (a tool for configuring ODBC drivers).
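The infection chain described above (USB shortcut, cmd.exe spawning msiexec against a file on the removable drive, and the fodhelper and odbcconf utilities being used to run further code) maps directly onto process-creation telemetry. The following is an added example of heuristic triage over such events; it is not Microsoft's or Red Canary's detection content. The event records, the field names (borrowed from the Sysmon process-creation layout), the set of drive letters treated as removable media and the three rule names are all constructed for the illustration.

```python
"""Heuristic triage of process-creation events for the Raspberry Robin
behaviours described in the article. Constructed example: field names follow
Sysmon Event ID 1 (Image, ParentImage, CommandLine), but every event below is
made up and the rule names are this example's own."""
import re
from typing import Dict, List

# Assumption for this example: these drive letters are removable media in the
# sample environment. Real tooling would join against volume/device telemetry
# rather than hard-code letters.
REMOVABLE_DRIVES = {"D:", "E:", "F:"}

# Constructed sample events: two benign process creations and three that
# match the behaviours the article describes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\alice\Documents"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /q /i E:\recovery\setup.msi"},
    {"ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start odbcconf.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\odbcconf.exe",
     "CommandLine": r"odbcconf.exe E:\drv\conf.rsp"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"C:\Windows\System32\msiexec.exe /V"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'msiexec.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def removable_refs(cmdline: str) -> List[str]:
    """Drive letters referenced in the command line that are removable media."""
    drives = re.findall(r"\b([A-Za-z]:)\\", cmdline)
    return [d for d in drives if d.upper() in REMOVABLE_DRIVES]


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) match.

    Rules, each a heuristic chosen for this example:
      msiexec_from_cmd_removable  cmd.exe -> msiexec.exe installing from USB
      fodhelper_child_process     fodhelper.exe spawning any child process
      odbcconf_removable          odbcconf.exe referencing a removable drive
    """
    findings = []
    for ev in events:
        img = basename(ev["Image"])
        parent = basename(ev["ParentImage"])
        cmd = ev["CommandLine"]
        hits = []
        if img == "msiexec.exe" and parent == "cmd.exe" and removable_refs(cmd):
            hits.append("msiexec_from_cmd_removable")
        if parent == "fodhelper.exe":
            hits.append("fodhelper_child_process")
        if img == "odbcconf.exe" and removable_refs(cmd):
            hits.append("odbcconf_removable")
        for rule in hits:
            findings.append({"rule": rule, "image": img,
                             "parent": parent, "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['parent']} -> {f['image']}: {f['cmdline']}")
```

The benign events (an interactive `dir` and the Windows Installer service starting msiexec with `/V`) produce no findings, which is the point of keying on the parent process and the removable-media path rather than on msiexec alone: msiexec and odbcconf are legitimate tools, so a useful rule has to describe the unusual context the article reports, not the binary.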
The security researchers who discovered Raspberry Robin have not yet identified where it came from, but they are still looking for the malware developers' digital footprints.
Microsoft has already labeled this campaign "high risk," as the attackers can download and deploy additional malware on their victims' networks and could start causing damage at any time.