September 24, 2022

COSFONE

Networking, PBX, IT, DIY Solution

Red Canary warns Raspberry Robin malware spreads via USB drives

3 min read

Red Canary warns Raspberry Robin malware spreads via USB drives



 

Red Canary warns Raspberry Robin malware spreads via USB drives

Red Canary security researchers have just revealed a “Raspberry Robin” malware targeting businesses, a worm known to infect Windows PCs via infected external hard drives.

In fact, as early as November 2021, the network security intelligence company Sekoia has already exposed the “QNAP worm” exploited by “Raspberry Robin”.

But since September, Red Canary has continued to track it in the networks of certain technology and manufacturer customers.

 

Red Canary warns Raspberry Robin malware spreads via USB drives

(From: Red Canary official website )

 

Aside from the nature of the malware that lurks under the banner, we don’t yet know what the actual purpose of the “Raspberry Robin” malware is.

 

Red Canary warns Raspberry Robin malware spreads via USB drives

Attack flow chart

 

When users connect an infected USB drive to their computer, Raspberry Robin surreptitiously starts the spread.

 

Red Canary warns Raspberry Robin malware spreads via USB drives

Use the ROT13.lnk file to modify the registry

 

The worm disguises itself as a .lnk shortcut file and then invokes the Windows Command Prompt (cmd.exe) to launch the malware.

 

Red Canary warns Raspberry Robin malware spreads via USB drives

cmd.exe command for Raspberry Robin

 

It then uses Microsoft‘s standard installer ( MSI exec.exe) to connect to a remote command-and-control (C2) server — usually a vulnerable QNAP device — to sanitize the attacker’s exit node through the latter’s exit node. Exact network traces.

 

Red Canary warns Raspberry Robin malware spreads via USB drives

Mixed-case commands referencing device names

 

Red Canary speculates that the Raspberry Robin maintains a long-term dormant state by installing malicious dynamic-link library (DLL) files from the C2 server.

 

Malicious msiexec.exe command for Raspberry Robin

 

The malware then leverages two utilities included in Windows to call the DLL – the Windows Settings Manager (fodhelper) designed to bypass User Account Control (UAC), and the ODBC Driver Configuration Tool (odbcconf) for Execute and configure the DLL.

 

Malicious rundll32.exe command

 

However, security researchers admit that this is only a working hypothesis, and they do not yet know the role of the DLL in question or how the malware spreads using a USB drive.

 

 



Copyright © All rights reserved. | Newsphere by AF themes.