USB-based Wormable Malware Targets Windows Installer

May 6, 2022

Activity dubbed ‘Raspberry Robin’ uses Microsoft Standard Installer and other legitimate processes to communicate with threat actors and execute malicious commands.

Credit: Red Canary

Wormable malware dubbed Raspberry Robin has been active since last September and is wriggling its way through USB drives onto Windows machines, where it uses Microsoft Standard Installer and other legitimate processes to install malicious files, researchers have found.


Researchers at Red Canary Intelligence first began tracking the malicious activity in the fall, when it started as a handful of detections with similar characteristics first observed in multiple customers’ environments by Jason Killam of Red Canary’s Detection Engineering team.

Once the worm spreads via a USB drive to someone’s machine, the activity relies on msiexec.exe to call out to its infrastructure, which is often comprised of QNAP devices, using HTTP requests that contain a victim’s user and device names, Red Canary’s Lauren Podber and Stef Rand wrote in a blog post published Thursday.

Researchers also observed Raspberry Robin using TOR exit nodes as additional command and control (C&C) infrastructure, they wrote. Eventually the worm installs malicious dynamic link library (DLL) files found on the infected USB.

While researchers first observed Raspberry Robin as early as September 2021, most of the activity seen by Red Canary occurred during January of this year, researchers said.

Unanswered Questions

Though researchers observed various processes and executions by the malicious activity, they acknowledged that these observations have left a number of unanswered questions.

The team has not yet figured out how or where Raspberry Robin infects external drives to perpetuate its activity, although it’s likely this infection occurs offline or “otherwise outside of our visibility,” researchers said.

They also don’t know why Raspberry Robin installs a malicious DLL, though they believe it may be an attempt to establish persistence on an infected system; there isn’t enough evidence to make this conclusive, researchers acknowledged.

However, the biggest question mark surrounding the worm is the objective of the threat actors behind it, researchers said.

“Absent additional information on later-stage activity, it’s difficult to make inferences on the objective or goals of these campaigns,” they acknowledged.

Initial Access and Execution

Infected removable drives, typically USB devices, introduce the Raspberry Robin worm as a shortcut LNK file masquerading as a legitimate folder on the infected USB device, researchers said. LNK files are Windows shortcuts that point to and are used to open another file, folder, or application.

Shortly after the infected drive is connected to the system, the worm updates the UserAssist registry entry and records execution of a ROT13-ciphered value that, when deciphered, references a LNK file. For example, researchers observed the value q:erpbirel.yax being deciphered to d:recovery.lnk, they wrote.
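As an added example (not from the article or from Red Canary), the following script decodes ROT13-ciphered UserAssist value names and flags any that resolve to a .lnk file on a drive other than the system drive, which is the artifact described above. The value names besides the article’s own q:erpbirel.yax are constructed for the example.

```python
import codecs
import re
from typing import List, Tuple

# Windows stores UserAssist value names ROT13-encoded; Python's codecs module
# implements the same letter rotation (digits and punctuation are unchanged).
def decode_userassist(value_name: str) -> str:
    return codecs.decode(value_name, "rot_13")

# "<drive>:" with an optional backslash, then a path ending in ".lnk".
LNK_PATTERN = re.compile(r"^([a-z]):\\?(.*\.lnk)$", re.IGNORECASE)

def is_suspicious(decoded: str, system_drive: str = "C") -> bool:
    """Flag a decoded entry that references a .lnk file on a drive other
    than the system drive, i.e. a shortcut launched from removable media."""
    match = LNK_PATTERN.match(decoded)
    return bool(match) and match.group(1).upper() != system_drive.upper()

def triage(value_names: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (raw, decoded, suspicious) for each UserAssist value name."""
    rows = []
    for raw in value_names:
        decoded = decode_userassist(raw)
        rows.append((raw, decoded, is_suspicious(decoded)))
    return rows

# Constructed sample: the first value is the one quoted in the article,
# the other two are benign entries made up for this example.
SAMPLE_VALUES = [
    "q:erpbirel.yax",                         # d:recovery.lnk -> flagged
    "P:\\Hfref\\ynhera\\Qrfxgbc\\abgrf.yax",  # .lnk on C:     -> not flagged
    "R:\\Cubgbf\\ohqtrg.kyfk",                # not a .lnk     -> not flagged
]

if __name__ == "__main__":
    for raw, decoded, flagged in triage(SAMPLE_VALUES):
        tag = "SUSPICIOUS" if flagged else "ok"
        print(f"{tag:10}  {raw:40} -> {decoded}")
```

On a live system the value names would be read from the UserAssist subkeys under HKCU with winreg instead of the constructed list.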

Execution begins when Raspberry Robin uses cmd.exe to read and execute a file stored on the infected external drive, researchers said.

“The command is consistent across Raspberry Robin detections we have seen so far, making it reliable early evidence of possible [worm] activity,” they noted.

In the next stage of execution, cmd.exe typically launches explorer.exe and msiexec.exe. The former’s command line can be a mixed-case reference to an external device, a user’s name such as LAUREN V, or the name of the LNK file, researchers said.

The worm “also extensively uses mixed-case letters in its commands,” likely to evade detection, researchers added.

Secondary Execution

Raspberry Robin uses the second executable launched, msiexec.exe, to attempt external network communication to a malicious domain for command and control purposes, researchers revealed.

In many examples of the activity that researchers have observed, the worm has used msiexec.exe to install a malicious DLL file, although, as mentioned before, they still aren’t certain what the purpose of the DLL is.

The worm also uses msiexec.exe to launch a legitimate Windows utility, fodhelper.exe, which in turn spawns rundll32.exe to execute a malicious command, they found.

“Processes launched by fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt,” researchers noted. As this is unusual behavior for the utility, this activity can be used to detect the presence of Raspberry Robin on an infected machine, they said.

The rundll32.exe command then launches another legitimate Windows utility, odbcconf.exe, and passes in additional commands to execute and configure the recently installed malicious DLL file, researchers said.
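As an added example (not from the article or from Red Canary), the following detection logic walks a process tree for the msiexec.exe → fodhelper.exe → rundll32.exe → odbcconf.exe lineage described in this section and separately flags the fodhelper.exe-spawns-rundll32.exe pair the researchers single out. Image names are compared case-insensitively because of the worm’s mixed-case commands; the process events, pids and placeholder host are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str   # executable name as logged; the worm mixes letter case

# Parent-to-child sequence the article describes, from the installer down
# to the utility that finally configures the dropped DLL.
CHAIN = ["msiexec.exe", "fodhelper.exe", "rundll32.exe", "odbcconf.exe"]

def ancestry(events: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Lower-cased image names from the process up through its parents."""
    lineage, seen = [], set()
    while pid in events and pid not in seen:   # stop at root or on a cycle
        seen.add(pid)
        lineage.append(events[pid].image.lower())
        pid = events[pid].ppid
    return lineage

def matches_chain(events: Dict[int, ProcEvent], pid: int) -> bool:
    expected = list(reversed(CHAIN))   # child first, as ancestry() returns it
    return ancestry(events, pid)[:len(expected)] == expected

def fodhelper_spawned_rundll32(events: Dict[int, ProcEvent], pid: int) -> bool:
    # The single parent/child pair the researchers call unusual for the utility.
    child = events.get(pid)
    parent = events.get(child.ppid) if child else None
    return bool(child and parent and child.image.lower() == "rundll32.exe"
                and parent.image.lower() == "fodhelper.exe")

def find_suspicious(event_list: List[ProcEvent]) -> List[int]:
    events = {e.pid: e for e in event_list}
    return [e.pid for e in event_list
            if matches_chain(events, e.pid) or fodhelper_spawned_rundll32(events, e.pid)]

# Constructed process-creation events (pids invented for this example).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "cmd.exe"),          # reads/executes file on removable drive
    ProcEvent(300, 200, "MsIeXeC.exe"),      # mixed case, as in the article
    ProcEvent(400, 300, "fodhelper.exe"),
    ProcEvent(500, 400, "RUNDLL32.exe"),
    ProcEvent(600, 500, "odbcconf.exe"),
    ProcEvent(700, 100, "msiexec.exe"),      # benign installer run, no chain
    ProcEvent(800, 100, "fodhelper.exe"),    # user opened Optional Features, no child
]

if __name__ == "__main__":
    print("suspicious pids:", find_suspicious(SAMPLE_EVENTS))   # [500, 600]
```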


Some elements of this post are sourced from:
threatpost.com

Copyright © TheCyberSecurity.News, All Rights Reserved.