Cybersecurity researchers are drawing focus to an ongoing wave of attacks joined to a danger cluster tracked as Raspberry Robin that is powering a Windows malware with worm-like abilities.
Describing it as a “persistent” and “spreading” threat, Cybereason stated it noticed a number of victims in Europe.
The infections contain a worm that propagates around removable USB products that contains destructive a .LNK file and leverages compromised QNAP network-hooked up storage (NAS) equipment for command-and-control. It was very first documented by researchers from Red Canary in Could 2022.

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
Also codenamed QNAP worm by Sekoia, the malware leverages a reputable Windows installer binary referred to as “msiexec.exe” to download and execute a malicious shared library (DLL) from a compromised QNAP NAS appliance.
“To make it tougher to detect, Raspberry Robin leverages procedure injections in 3 reputable Windows technique processes,” Cybereason researcher Loïc Castel explained in a specialized publish-up, including it “communicates with the rest of [the] infrastructure by means of TOR exit nodes.”
Persistence on the compromised device is obtained by creating Windows Registry modifications to load the destructive payload by way of the Windows binary “rundll32.exe” at the startup section.
The marketing campaign, which is believed to date back again to September 2021, has remained a little something of a thriller so significantly, with no clues as to the risk actor’s origin or its close objectives.
The disclosure comes as QNAP reported it is actively investigating a new wave of Checkmate ransomware bacterial infections targeting its devices, building it the most up-to-date in a collection of attacks following AgeLocker, eCh0raix, and DeadBolt.
“Preliminary investigation signifies that Checkmate attacks by using SMB services uncovered to the internet, and employs a dictionary attack to break accounts with weak passwords,” the corporation noted in an advisory.
“At the time the attacker correctly logs in to a product, they encrypt details in shared folders and go away a ransom take note with the file identify “!CHECKMATE_DECRYPTION_README” in each and every folder.”
As safeguards, the Taiwanese corporation recommends clients to not expose SMB services to the internet, boost password energy, get frequent backups, and update the QNAP operating method to the hottest model.
Located this report fascinating? Observe THN on Facebook, Twitter and LinkedIn to go through more distinctive information we put up.
Some components of this report are sourced from:
thehackernews.com