Posted on July 7, 2022 at 3:27 AM
Tech giant Microsoft reported that malware dubbed “Raspberry Robin” has infected hundreds of Windows networks across several sectors. Although threats posed by ransomware are more common in cyberspace, malware and worms can be very disruptive and damaging to their targets.
While the attack has been identified, there is no information about the threat group responsible for it or their motives. According to the report, the malware compromises the system via infected USB devices. It was first discovered last September by Red Canary intelligence analysts.
According to cybersecurity firm Sekoia, the malware was observed utilizing QNAP NAS devices as its command and control servers (C2) in November last year. Microsoft added that some malicious artifacts connected to the worm were discovered in 2019, but there was no link between the artifacts and the worm at the time.
The findings of the Red Canary Detection Engineering team corroborate those of Redmond. Both parties detected the malware on the networks of several customers, some of them in the manufacturing and technology sectors.
The Hackers Have Not Accessed The Exploit
Microsoft said the worm connects to addresses on the Tor network. However, the hackers have not yet exploited the access they gained in the breach. The evidence shows that they have made progress in accessing the network, since the malware is capable of bypassing User Account Control (UAC) on infected systems via legitimate Windows tools.
Microsoft provided the details of its discovery in a threat intelligence advisory and specifically mentioned that the infected USB drives used to spread the malware contained a malicious .LNK file.
After the user attaches the USB device and clicks the link, the malware starts an msiexec process via cmd.exe to launch the malicious file stored on the drive. From there, it can infect new Windows devices and connect to the C2 servers. It then uses various legitimate Windows utilities to execute malicious payloads.
These Windows utilities include odbcconf, msiexec, and fodhelper. The first is a tool used to configure ODBC drivers, while msiexec is the command-line component of Windows Installer. fodhelper, in turn, is a legitimate binary used to manage optional features in Windows Settings.
The Malware Is Not Linked To Any Threat Group
Red Canary researchers noted that msiexec.exe is used for downloading and executing legitimate installer packages while adversaries can take advantage of the tool to deliver malware.
Additionally, the malware uses msiexec for outbound network communication with a malicious domain that serves as its C2 server. This keeps the channel between the malware components and the central control servers active.
The security researchers who discovered the malware in the wild have not linked it to any threat group. But Microsoft has already called the campaign high-risk, since the threat actors are capable of downloading and deploying additional malware within the targets' networks. The attackers also have the ability and access to increase their privileges within the network, which makes it very dangerous, according to the tech giant.
The Malware Uses LNK Files
The researchers also stated that the worm uses LNK files that take on the icons of removable devices to spread the malware. Apart from USB devices, the malware can also be distributed via network shares. The LNK files use popular methods to download and execute the malware from an infected device.
The report by Sekoia noted that the malware uses code that is highly sophisticated and very broad. This has raised more questions than answers about the nature of the threat the malware poses. It means that the malware developers have room to increase its capabilities to infect more devices and circumvent security software. Microsoft researchers have warned that the malware could still be in an early phase of development, despite being highly effective at the moment. Again, the threat actors have not started deploying it against the intended targets, which is another indication that it may still be upgraded in the future.
Although research about the malware is ongoing, Microsoft has indicated that the malware is potent enough to infect several types of devices through Windows networks. As a result, the tech giant’s security team has warned users to always keep their systems updated to enable them to kick out the malware. This will prevent any breach of their systems or networks.