Raspberry Robin gets the QNAP Worm

10479909677?profile=RESIZE_400xResearchers at Red Canary cyber intelligence have discovered a new Windows malware with worm capabilities that spreads using external USB drives.  This malware is linked to a cluster of malicious activity titled Raspberry Robin and was first observed in September 2021 (cybersecurity firm Sekoia tracks this malware as "QNAP worm").  Red Canary's Detection Engineering team detected the worm in multiple customers' networks, some in the technology and manufacturing sectors.

Raspberry Robin spreads to new Windows systems when an infected USB drive containing a malicious .LNK file is connected.  Once attached, the worm spawns a new process using cmd.exe to launch a malicious file stored on the infected drive.[1]

 At @sekoia_io analysts tracked it under the name "QNAP worm" even they seem to have shifted recently to some SOHO routers since the DeadBolt event that targeted few of their C2s :) https://t.co/RzvKi9JUn4   — Félix Aimé (@felixaime) May 6, 2022

Windows legitimate tools abused to install malware:  It uses Microsoft Standard Installer (msiexec.exe) to reach out to its command-and-control (C2) servers, likely hosted on compromised QNAP devices and using TOR exit nodes as additional C2 infrastructure.  "While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware," the researchers said.  "Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes."

While they have not yet found if it establishes persistence and through which methods, they suspect that the malware installs a malicious DLL file [1, 2] on compromised machines to resist removal between restarts.  Raspberry Robin launches this DLL with the help of two other legitimate Windows utilities: fodhelper (a trusted binary for managing features in Windows settings) and odbcconf (a tool for configuring ODBC drivers).  The first allows it to bypass User Account Control (UAC), while the second will help execute and configure the DLL.

While the Red Canary analysts have been able to closely inspect what the newly discovered does on infected systems, there are still several questions that need to be answered.  "First and foremost, we don't know how or where Raspberry Robin infects external drives to perpetuate its activity, though it's likely this occurs offline or otherwise outside of our visibility. We also don't know why Raspberry Robin installs a malicious DLL," the researchers said.  "One hypothesis is that it may be an attempt to establish persistence on an infected system, though additional information is required to build confidence in that hypothesis."

Since there is no info on this malware's end-stage malicious tasks, another question that needs an answer is, “what is the Raspberry Robin operators' goal.”  Further technical information on the Raspberry Robin worm, including indicators of compromise (IOCs) and an ATT&CK of this malware, can be found in Red Canary's report.[2]

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com    

Weekly Cyber Intelligence Briefings:

 Weekly Cyber Intelligence Briefings:

 REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://www.bleepingcomputer.com/news/security/new-raspberry-robin-worm-uses-windows-installer-to-drop-malware/

[2] https://redcanary.com/blog/raspberry-robin/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!