Explained: How a ‘Windows worm’ spread across corporate networks through USB drives – Times of India


Microsoft has recently discovered a malicious “Windows worm” that has already spread into several corporate networks. According to a report by TechRadar, the software giant has quietly notified the companies subscribed to Microsoft Defender for Endpoint of its findings. Meanwhile, the company’s security research team has explained that this malware, named Raspberry Robin, has not yet been seen in use. However, “it has been observed connecting to multiple addresses on the Tor network.”
What is Raspberry Robin?
In 2021, researchers from Red Canary discovered a “cluster of malicious activity” and identified the Raspberry Robin malware for the first time, the report states. As per the report, the malware is “usually distributed offline,” through compromised USB drives. The researchers also studied an infected drive and found that the worm spreads to new devices through a “malicious .LNK file.”
How did the malware spread?
When an infected USB drive is connected to a new device, the worm triggers a new process through cmd.exe and runs the file on the compromised endpoint. The researchers also mention that the worm uses Microsoft Standard Installer (msiexec.exe) to contact its command and control (C2) server, the report claims. It is speculated that the server is “hosted on a compromised QNAP NAS device,” with Tor exit nodes being used as additional C2 infrastructure. In 2021, cybersecurity experts at Sekoia also observed this worm using QNAP NAS devices as C2 servers.
The report states, “While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware. Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.”
How is the malware being used?
As per the report, researchers have not been able to link the malware to a specific threat actor. They are also unsure of the malware’s intentions, since it is not being actively used, the report suggests. Meanwhile, a researcher also recently said, “We also don’t know why Raspberry Robin installs a malicious DLL.”
One theory is that the malware is attempting “to establish persistence on an infected system.” However, this remains an unproven hypothesis, and more information is required to build confidence in it, the report claims.
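The two behaviours described in this section, cmd.exe being launched to run a file from a removable drive and msiexec.exe reaching out to an external host, are the kind of thing a detection engineer would key on. The following is an added illustration, not code from Microsoft, Red Canary or the TechRadar report: it runs two simple rules over a handful of constructed endpoint telemetry events. The event field names (`type`, `parent`, `image`, `cmdline`, `removable_drives`, `dest_host`, `dest_ip`), the allowlist host and every address and path in the sample data are assumptions invented for the example; none are real indicators.

```python
"""Toy detection pass over constructed endpoint telemetry (added example).

Rule 1: cmd.exe whose command line references a path on a removable drive.
Rule 2: msiexec.exe opening an outbound connection to a host outside the
        internal address ranges and not on an allowlist.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 1918 plus loopback; anything outside these ranges is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Hypothetical allowlist: hosts msiexec.exe is expected to reach in this environment.
MSIEXEC_ALLOWED_HOSTS = {"packages.corp.example"}

# Constructed sample events, shaped like what an EDR might record. Field names
# and all values are assumptions for this example, not real telemetry or IoCs.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "E:\installer.bat"', "removable_drives": ["E"]},
    {"type": "process", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users", "removable_drives": ["E"]},
    {"type": "network", "image": "msiexec.exe",
     "dest_host": "placeholder-c2.invalid", "dest_ip": "203.0.113.10"},
    {"type": "network", "image": "msiexec.exe",
     "dest_host": "sccm01.corp.local", "dest_ip": "10.1.2.3"},
    {"type": "network", "image": "msiexec.exe",
     "dest_host": "packages.corp.example", "dest_ip": "198.51.100.7"},
    {"type": "network", "image": "chrome.exe",
     "dest_host": "www.example.com", "dest_ip": "93.184.216.34"},
]

DRIVE_LETTER_RE = re.compile(r"\b([A-Za-z]):\\")


@dataclass
class Alert:
    rule: str
    reason: str
    event: Dict


def is_external(ip_str: str) -> bool:
    """True when the address falls outside every configured internal range."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def check_cmd_from_removable(event: Dict) -> Optional[Alert]:
    """Rule 1: cmd.exe referencing a file on a drive letter flagged as removable."""
    if event.get("type") != "process" or event.get("image", "").lower() != "cmd.exe":
        return None
    removable = {d.upper() for d in event.get("removable_drives", [])}
    referenced = {m.upper() for m in DRIVE_LETTER_RE.findall(event.get("cmdline", ""))}
    hit = referenced & removable
    if not hit:
        return None
    return Alert("cmd_from_removable_drive",
                 f"cmd.exe references removable drive(s) {sorted(hit)}", event)


def check_msiexec_external(event: Dict) -> Optional[Alert]:
    """Rule 2: msiexec.exe talking to a non-internal, non-allowlisted host."""
    if event.get("type") != "network" or event.get("image", "").lower() != "msiexec.exe":
        return None
    host = event.get("dest_host", "")
    if host in MSIEXEC_ALLOWED_HOSTS or not is_external(event["dest_ip"]):
        return None
    return Alert("msiexec_external_connection",
                 f"msiexec.exe connected to external host {host} ({event['dest_ip']})", event)


RULES = (check_cmd_from_removable, check_msiexec_external)


def detect(events: List[Dict]) -> List[Alert]:
    """Apply every rule to every event, preserving event order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.reason}")
```

Run against the sample data, the pass raises exactly two alerts: one for the cmd.exe launch that references the removable drive, and one for the msiexec.exe connection to the external placeholder host; the internal and allowlisted msiexec destinations and the browser connection are left alone. In a real deployment the removable-drive letters and allowlist would come from the endpoint agent and configuration rather than being embedded in each event.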
