Defined: How a ‘Home windows worm’ unfold throughout company networks by way of USB drives

Microsoft has not too long ago found a malicious “Home windows worm” that has already unfold its claws into a number of company networks. In keeping with a report by TechRadar, the software program large has quietly notified its findings to the businesses subscribed to Microsoft Defender for Endpoint, In the meantime, the corporate’s safety analysis workforce has defined that this malware, named Raspberry Robin, has not but been used. Nonetheless, “it has been noticed connecting to a number of addresses on the Tor community.”
What’s Raspberry Robin
In 2021, the researchers from Crimson Canary found a “cluster of malicious exercise” and recognized the Raspberry Robin malware for the primary time, the report states. As per the report, the malware is “normally distributed offline,” by way of compromised USB drives. Furthermore, the researchers have additionally studied an contaminated drive to find that the worm is unfold to new units by way of a “malicious .LNK file.”
How did the malware unfold
Because the contaminated USB drives are linked to a brand new machine, the worm triggers a brand new course of by way of cmd.exe and runs the file on the compromised endpoint. Furthermore, the researchers have additionally talked about that the worm makes use of Microsoft Normal Installer (msiexec.exe) to contact its command and management (C2) server, the report claims. As per speculations, the server is “hosted on a compromised QNAP NAS machine” the place TOR exit nodes are getting used as further C2 infrastructure. In 2021, cybersecurity specialists at Sekoia additionally noticed this worm utilizing QNAP NAS units as C2 servers.
The report states, “Whereas msiexec.exe downloads and executes reliable installer packages, adversaries additionally leverage it to ship malware. Raspberry Robin makes use of msiexec.exe to try exterior community communication to a malicious area for C2 functions.”
How is the malware getting used
As per the report, researchers haven’t been in a position to hyperlink the malware to a particular risk actor. Furthermore, they don’t seem to be even positive concerning the intentions of the malware because it’s not being actively used, the report suggests. In the meantime, a researcher additionally not too long ago stated, “We additionally don’t know why Raspberry Robin installs a malicious DLL,
One of many theories could be the malware’s try “to determine persistence on an contaminated system.” Nonetheless, that is only a speculation which isn’t confirmed but and extra info is required to construct confidence on this principle, the report claims.