Intelligence analysts at Red Canary recently unearthed a brand new piece of Windows malware.

Equipped with worm capabilities, the malicious software is designed to spread by utilising external USB drives. The malware is closely associated with a spate of insidious activity that was initially observed back in September last year and was given the name Raspberry Robin.

Discovery of a Windows worm

The Detection Engineering team at Red Canary identified the worm in several customers’ dedicated networks. Some of the enterprises with impacted systems operated in the manufacturing industry, while others were in technology.

The Raspberry Robin malware infects new Windows systems when a harmful USB drive that contains a malicious .LNK file ports in.

Once connected, the worm launches a new cmd.exe process to unleash a malicious file located within infected drives. To install the malware, the attack abuses authentic tools offered in Windows.

It employs Microsoft’s Standard Installer to contact its command-and-control servers, often hosted on a compromised QNAP device and utilising TOR exit nodes as supporting C2 infrastructure.

Researchers at Red Canary commented:

“While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware. Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.”

The research team has not yet found if Raspberry Robin establishes persistence and if so, what methods it uses. However, the team suspects that the malicious software installs an infected DLL file on compromised devices to resist any attempts at removal in between machine restarts.

The malware launches the DLL file with the assistance of two more legitimate Windows tools. These include odbcconf (the tool for setting up ODBC drivers) and Fodhelper (the trusted binary used for managing features within Windows settings). The former helps the malware to execute and configure the malicious DLL file, while the latter enables it to circumnavigate the User Account Control.

Getting to grips with a worm infection flow

Although the expert team at Red Canary has managed to examine what the Raspberry Robin worm does when unleashed on compromised systems, the analysts still have several questions requiring answers.

The Red Canary team explained:

“First and foremost, we don’t know how or where Raspberry Robin infects external drives to perpetuate its activity, though it’s likely this occurs offline or otherwise outside of our visibility. We also don’t know why Raspberry Robin installs a malicious DLL.”

Among its many hypotheses for the malware’s installation of the insidious DLL file is the theory that this step may be part of the attackers attempt to stay present and active on infected systems. However, the team admits that to increase confidence in its hypothesis regarding persistence, it will need to gather additional information.

As no data exists at present on the malware’s end-stage tasks, the analysts are also mystified as to what the threat operators’ goal is. Red Canary has now shared all technical details of the Raspberry Robin worm, such as indicators of compromise, in its official report.