Red Canary warns Raspberry Robin malware spreads via USB drives
2 min readRed Canary warns Raspberry Robin malware spreads via USB drives
Red Canary warns Raspberry Robin malware spreads via USB drives
Red Canary security researchers have just revealed a “Raspberry Robin” malware targeting businesses, a worm known to infect Windows PCs via infected external hard drives.
In fact, as early as November 2021, the network security intelligence company Sekoia has already exposed the “QNAP worm” exploited by “Raspberry Robin”.
But since September, Red Canary has continued to track it in the networks of certain technology and manufacturer customers.
(From: Red Canary official website )
Aside from the nature of the malware that lurks under the banner, we don’t yet know what the actual purpose of the “Raspberry Robin” malware is.
Attack flow chart
When users connect an infected USB drive to their computer, Raspberry Robin surreptitiously starts the spread.
Use the ROT13.lnk file to modify the registry
The worm disguises itself as a .lnk shortcut file and then invokes the Windows Command Prompt (cmd.exe) to launch the malware.
cmd.exe command for Raspberry Robin
It then uses Microsoft‘s standard installer ( MSI exec.exe) to connect to a remote command-and-control (C2) server — usually a vulnerable QNAP device — to sanitize the attacker’s exit node through the latter’s exit node. Exact network traces.
Mixed-case commands referencing device names
Red Canary speculates that the Raspberry Robin maintains a long-term dormant state by installing malicious dynamic-link library (DLL) files from the C2 server.
Malicious msiexec.exe command for Raspberry Robin
The malware then leverages two utilities included in Windows to call the DLL – the Windows Settings Manager (fodhelper) designed to bypass User Account Control (UAC), and the ODBC Driver Configuration Tool (odbcconf) for Execute and configure the DLL.
Malicious rundll32.exe command
However, security researchers admit that this is only a working hypothesis, and they do not yet know the role of the DLL in question or how the malware spreads using a USB drive.
