Hundreds of Windows Networks Affected By “Raspberry Robin” Malware – Microsoft

Posted on July 7, 2022 at 3:27 AM

Hundreds of Windows Networks Affected By “Raspberry Robin” Malware – Microsoft

Tech giant Microsoft reported that malware dubbed “Raspberry Robin” has infected hundreds of Windows networks across several sectors. Although threats posed by ransomware are more common in cyberspace, malware and worms can be very disruptive and damaging to their targets.

While the attack has been identified, there is no information about the threat group responsible for the attack or their reasons behind the attack. According to the report, the malware compromises the system via infected USB devices. It was first discovered last September by the Red Canary intelligence analysts.

According to cybersecurity firm Sekoia, the malware was observed utilizing QNAP NAS devices as its command and control servers (C2) in November last year. Microsoft added that some malicious artifacts connected to the worm were discovered in 2019, but there was no link between the artifacts and the worm at the time.

The findings of the Red Canary Detection Engineering team collaborate with the findings of Redmond. Both parties detected the malware on the networks of several customers, some of them in the manufacturing and technology sectors.

The Hackers Have Not Accessed The Exploit

Microsoft said the worm connects to addresses on the Tor network. However, the hackers have not been able to exploit the access exploit they gained in the breach yet. The evidence shows that they have made progress in accessing the network since the malware is capable of bypassing User Account Control (UAC) on infected systems via legitimate Windows tools.

Microsoft provided the details of its discovery in a threat intelligence advisory and specifically mentioned that the infected USB drives used to spread the malware contained a malicious.LINK file.

After the user attaches the USB device and clicks the link, the malware begins a msiexec process using cmd.exe to launch the malware-infested file stored on the drive.  From there, it can infect new Windows devices and connects with the C2 servers. It then uses different legitimate Windows utilities to execute malicious payloads.

These windows utilities include odbcconf, msiexec, and fodhelper. The first one is a tool used to configure ODBC drivers while the msiexec tool is a command-line Windows Installer component. On the other hand, the fodhelper is a legitimate binary that is used to manage features in Windows settings.

The Malware Is Not Linked To Any Threat Group

Red Canary researchers noted that msiexec.exe is used for downloading and executing legitimate installer packages while adversaries can take advantage of the tool to deliver malware.

Additionally, msiexec is used by the malware to ensure external network communication with a malicious domain to align with the C2 servers. It helps to keep communication between the malware properties and the central control servers active.

The security researchers that discovered the malware in the wild have not linked it to any threat group. But Microsoft has already called the campaign high-risk since the threat actors are capable of downloading and deploying additional malware with the targets’ networks. The attackers have the ability and access to increasing their privileges within the network, which makes it very dangerous, according to the tech giant.

 The Malware Uses LNK Files

The researchers also stated that the worm utilizes LNK files and takes the icons of removable devices to spread the malware. Apart from through USB devices, the malware can be distributed via network shares as well. The LNK files used popular methods to download and execute the malware from an infected device

The report by Sekoia noted that the malware uses a code that is highly sophisticated and very broad. This has raised more questions than answers about the nature of the threat the malware poses. It means that the malware developers have room to increase their capabilities to infect more devices and circumvent security software. Microsoft researchers have warned that the malware could still be in its early phase of development, despite it being highly effective at the moment. Again, the threat actors have not started deploying it to the intended targets, which is another indication that it may still be upgraded in the future.

Although research about the malware is ongoing, Microsoft has indicated that the malware is potent enough to infect several types of devices through Windows networks. As a result, the tech giant’s security team has warned users to always keep their systems updated to enable them to kick out the malware. This will prevent any breach of their systems or networks.

Summary
Hundreds of Windows Networks Affected By “Raspberry Robin” Malware - Microsoft
Article Name
Hundreds of Windows Networks Affected By “Raspberry Robin” Malware - Microsoft
Description
Microsoft reported that malware dubbed “Raspberry Robin” has infected hundreds of Windows networks across several sectors. Although threats posed by ransomware are more common in cyberspace, malware and worms can be very disruptive and damaging to their targets.
Author
Publisher Name
Koddos
Publisher Logo

Share this:

Related Stories:

Aug 30, 2023
Stolen Data Threat: Rhysida Ransomware Gang Targets Prospect Medical Holdings
Aug 22, 2023
High-Severity WinRAR Flaw Allows Hackers To Assume Control Over PCs
Koddos

Newsletter

Get the latest stories straight
into your inbox!

Popular Articles

Aug 30, 2023
Stolen Data Threat: Rhysida Ransomware Gang Targets Prospect Medical Holdings
Aug 29, 2023
Compromised routers allowed online criminals to target Pentagon contract site
Aug 28, 2023
1.2 million customers of Mom’s Meals were affected after the recent data breach
Aug 28, 2023
How VPNs Can Defend Against the Threat of Hacking
Aug 23, 2023
Terra Developers Shut Down Website Amid A Phishing Campaign

YOUTUBE

Discover more from KoDDoS Blog

Subscribe now to keep reading and get access to the full archive.

Continue reading