Urian B., Tech Times

Microsoft has just released an official private intelligence advisory that informs organizations regarding a worm known as the Raspberry Robin threat. The threat has reportedly infected hundreds of different Windows networks.

Raspberry Robin Threat and How It Traveled Through Infected USBs

As reported by BleepingComputer, Raspberry Robin travels through infected USB devices, and this is how it spreads. In order for the threat to spread, it still needs a user to insert a USB device and click on a malicious file.

The file is a .LNK file, and after this, the worm then uses the Windows command in order to prompt in order to be able to launch a msiexec process. After this, it runs a malicious file which is also found on the device.

Command and Control Servers Used Short URLs

According to the story by PC Mag, a connection is then made with both a command and control server by using the short URL. Should this be successful, a number of different DLL malicious files are then downloaded and installed.

The odbcconf.exe is a legitimate Windows utility that is used in order for the DLLs to be executed. The worm then repeatedly tries to connect with different Tor network nodes.

The Real Danger Lies Between How the Creators of the Malware Would Take Advantage of the Infected Windows Network

Some of the "command and control servers" that are reportedly being used are said to be infected QNAP NAS devices. The real danger is that whoever was able to successfully deploy the Raspberry Robin has still to "take advantage of the infected Windows network."

The malware being introduced by the worm is actually capable of bypassing Windows User Account Control (UAC) and has already been able to prove that it can use the utilities available within the operating system.

The Goal of the Raspberry Robin Threat Remains Unknown

Although the goal of the Raspberry Robin remains unknown, the control it holds over the network means that new malware can easily be downloaded and deployed in a very fast manner.

Microsoft has already flagged down the Raspberry Robin, calling it a "high-risk campaign" with good reason. For now, there does not seem to be any other mitigation process spotted aside from plugging the suspicious USB directly into a Windows network.

Read Also: HackerOne Employee Fired After Leaking Security Bug Reports! Here's Why His Action is Illegal

Observations of the Raspberry Robin Threat Started in September 2021

Red Canary, the intelligence analyst, produced a detailed report regarding the worm all the way back in May. The report offered a deeper look at how the worm works.

As per the report, the malware was initially spotted back in September 2021 by the Red Canary intelligence analysts. Sekoia, a cybersecurity firm, was also observing it and used the QNAP NAS devices servers in early November

Microsoft notes that the malicious artifacts that were linked to the creation of the worm date all the way back to 2019.

Related Article: Chinese Regulators Reveal its Crackdown on Fraudulent Apps for Months as Scammers Mimic Financial Services

This article is owned by Tech Times

Written by Urian B.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Tags: raspberry robin Microsoft USB
Join the Discussion