(416) 825-2120
info@veiliant.com
Free IT Assessment
  • About
  • Services
    • Fully Managed IT
    • Cloud Services
    • Software Development
    • Business Continuity
    • Cyber Security
    • Professional IT Consulting
  • Our Team
  • Blog
  • Contact
Remote Support

Microsoft Finds Raspberry Robin Worm in Hundreds of Windows Networks

Posted on 2 Jul at 12:41 pm

Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors.

The malware, dubbed Raspberry Robin, spreads via infected USB devices, and it was first spotted in September 2021 by Red Canary intelligence analysts.

Cybersecurity firm Sekoia also observed it using QNAP NAS devices as command and control servers (C2) servers in early November [PDF], while Microsoft said it found malicious artifacts linked to this worm created in 2019.

Redmond’s findings align with those of the Red Canary’s Detection Engineering team, which also detected this worm on the networks of multiple customers, some of them in the technology and manufacturing sectors.

Although Microsoft observed the malware connecting to addresses on the Tor network, the threat actors are yet to exploit the access they gained to their victims’ networks.

This is in spite of the fact that they could easily escalate their attacks given that the malware can bypass User Account Control (UAC) on infected systems using legitimate Windows tools.

Microsoft shared this info in a private threat intelligence advisory shared with Microsoft Defender for Endpoint subscribers and seen by BleepingComputer.

Raspberry Robin worm infection flow
Raspberry Robin worm infection flow (Red Canary)

Abuses Windows legitimate tools to infect new devices

As already mentioned, Raspberry Robin is spreading to new Windows systems via infected USB drives containing a malicious .LNK file.

Once the USB device is attached and the user clicks the link, the worm spawns a msiexec process using cmd.exe to launch a malicious file stored on the infected drive.

It infects new Windows devices, communicates with its command and control servers (C2), and executes malicious payloads using several legitimate Windows utilities:

  • fodhelper (a trusted binary for managing features in Windows settings),
  • msiexec (command line Windows Installer component),
  • and odbcconf (a tool for configuring ODBC drivers).

“While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware,” Red Canary researchers explained.

“Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.”

Security researchers who spotted Raspberry Robin in the wild are yet to attribute the malware to a threat group and are still working on finding its operators’ end goal.

However, Microsoft has tagged this campaign as high-risk, given that the attackers could download and deploy additional malware within the victims’ networks and escalate their privileges at any time.

Previous Post
Microsoft: Windows Server 2012 Reaches End of Support in October 2023
Next Post
CRTC Orders Rogers to Explain its Network Failure

Recent Posts

  • Microsoft Patches Windows DogWalk Zero-day Exploited in Attacks August 9, 2022
  • Microsoft Defender Now Better at Blocking Ransomware on Windows 11 August 2, 2022
  • VMware Urges Admins to Patch Critical Auth Bypass Bug Immediately August 2, 2022
  • Microsoft Exchange Servers Increasingly Hacked with IIS Backdoors July 26, 2022
  • Microsoft warns Windows 10 USB Printing Breaks Due to Recent Updates July 25, 2022

Categories

  • Cybersecurity (81)
  • Machine Learning (1)
  • News (39)
  • Robotic Process Automation (4)

Partners and Affiliates

Manufacturers matter. We partner with industry leaders that focus on business technology solutions. Let us help you find the right fit for your organization. Our partners offer great support, education, and benefits that we pass down to our clients.

 

About Us

Veiliant Inc. is a Managed Service Provider that offers many flexible services. We strive to meet the growing demand for computer support services needed for business success.

Veiliant has a proactive approach to help create innovative solutions devised  with your business goals in mind.

Our Services

  • Fully Managed IT
  • Cloud Services
  • Software Development
  • Business Continuity
  • Professional IT Consulting
  • Cyber Security

Related Links

  • FAQ
  • Privacy Policy

Contact Information

5155 Spectrum Way, Unit 1, Mississauga, ON, L4W 5A1
(416) 825-2120

Customer Support

  • Remote Support
  • Free IT Assessment

© 2022 Veiliant Inc. All rights reserved.