Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Raspberry Robin. Show all posts

Raspberry Robin Worm Threats Uncovered by Microsoft

According to Microsoft Security Threat Intelligence analysts, threat actors have continued to target Raspberry Robin virus victims, indicating that the worm's creators have sold access to the infected devices to other ransomware gangs.

Raspberry Robin is malware that infects Windows systems via infected USB devices. It is also known as QNAP Worm due to the usage of compromised QNAP storage servers for command and control.

The malware loader Bumblebee, the Truebot trojan, and IdedID also known as BokBot, a banking trojan, have all been distributed using Raspberry Robin. Microsoft analysts claim that hackers also instructed it to launch the LockBit and Clop ransomware on hijacked computers.

The FakeUpdates malware, which resulted in DEV-0243 activity, was installed on Raspberry Robin-infected devices in July 2022, according to a report from Microsoft. DEV-0243 is a ransomware-focused threat actor with ties to EvilCorp that is also thought to have used the LockBit ransomware in some campaigns.

A malicious payload associated with Raspberry Robin has reportedly been the subject of at least one alert on almost 3,000 devices across 1,000 companies, according to data gathered by Microsoft's Defender for Endpoint product over the past 30 days.

When Raspberry Robin-infected devices were updated with the FakeUpdates backdoor earlier in July, Microsoft analysts discovered Evil Corp's pre-ransomware behavior on those networks. The activity was linked to the access broker monitored as DEV-0206, and it was seen during that time period.

In September, IBM's Security X-Force discovered additional linkages between Raspberry Robin and Dridex, including structural and functional parallels between a Raspberry Robin DLL and a malware loader used by Dridex.

Microsoft further speculated that the hackers of such malware operations linked to Raspberry Robin are funding the worm's operators for payload distribution, allowing them to stop using phishing as a method of acquiring new victims. According to Microsoft, the malware is anticipated to develop into a threat that is severe.

This New Raspberry Robin Worm Utilizes Windows Installer to Drop Malware

 

A new Windows malware with worm capabilities has been identified by Red Canary intelligence investigators, and it spreads via external USB sticks. This malware is associated with the Raspberry Robin malware cluster, which was initially discovered in September 2021. (cybersecurity firm Sekoia tracks this malware as "QNAP worm"). 

The worm was discovered in many customers' networks by Red Canary's Detection Engineering team, including companies in the technology and manufacturing sectors. When a USB drive carrying a malicious.LNK file is attached, Raspberry Robin spreads to new Windows systems.

The worm launches a new process using cmd.exe to launch a malicious file stored on the infected drive after it has been attached. It reaches out to its command-and-control (C2) servers via Microsoft Standard Installer (msiexec.exe), which are most likely hosted on infected QNAP devices and utilise TOR exit nodes as additional C2 infrastructure. 

The researchers said, "While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware. Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes." 

They believe the malware downloads a malicious DLL file [1, 2] on affected workstations to resist eradication between restarts, albeit they haven't determined how it achieves persistence. This DLL is started by Raspberry Robin using two other trusted Windows utilities: fodhelper (a trusted binary for controlling features in Windows settings) and odbcconf (a tool for configuring ODBC drivers). 

The first permits it to get through User Account Control (UAC), while the second assists in the execution and configuration of the DLL. While Red Canary analysts have been able to extensively examine what the newly found malware performs on affected systems, some questions remain unanswered. 

The researchers stated, "First and foremost, we don't know how or where Raspberry Robin infects external drives to perpetuate its activity, though it's likely this occurs offline or otherwise outside of our visibility. We also don't know why Raspberry Robin installs a malicious DLL. One hypothesis is that it may be an attempt to establish persistence on an infected system, though additional information is required to build confidence in that hypothesis." 

Red Canary's report contains more technical details on the Raspberry Robin worm, including indicators of compromise (IOCs) and an ATT&CK of this malware.