Microsoft has released a private threat intelligence advisory warning organizations about a worm known as Raspberry Robin, which has reportedly infected hundreds of Windows networks.
Raspberry Robin Threat and How It Traveled Through Infected USBs
As reported by BleepingComputer, Raspberry Robin spreads through infected USB devices. It still needs a user to insert the USB device and click on a malicious file for the infection to take hold.
That file is a .LNK shortcut. Once it is opened, the worm uses the Windows command prompt to launch an msiexec process, which in turn runs a malicious file also stored on the device.
Command and Control Servers Used Short URLs
According to PCMag's report, the process then connects to a command and control server using a short URL. If the connection succeeds, several malicious DLL files are downloaded and installed.
The DLLs are executed through odbcconf.exe, a legitimate Windows utility. The worm then repeatedly tries to connect to various Tor network nodes.
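As an added illustration (not code from the article, nor from Microsoft, Red Canary or Sekoia), the following Python sketches how a defender could hunt for the execution chain just described in process-creation telemetry: msiexec spawned by the command prompt, odbcconf.exe executing a DLL, and that chain leading back to a command run from a removable drive. The event records, the drive letter E: and the command lines are constructed placeholders, not the worm's real artifacts.

```python
import ntpath
import re
# Constructed sample process-creation events (Sysmon-style fields, not real telemetry).
# Drive E: is assumed to be the inserted USB stick; command lines are placeholders.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Chain from the article: LNK on the USB -> cmd.exe -> msiexec -> odbcconf.exe + DLL
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c E:\placeholder.cmd"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i placeholder.msi"},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf.exe C:\Users\Public\placeholder.dll"},
    # Benign look-alike: a user-driven MSI install launched from Explorer
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi"},
]

def _name(event):
    # Lower-cased image file name, e.g. "msiexec.exe"
    return ntpath.basename(str(event["image"])).lower()

def _references_drive(cmdline, drives):
    # True if the command line contains a path on one of the given drive letters
    return any(re.search(rf"(?<![A-Za-z]){re.escape(d)}\\", cmdline, re.I) for d in drives)

def _ancestors(event, index):
    # Walk up the parent chain, guarding against loops caused by PID reuse
    seen, cur = set(), index.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = index.get(cur["ppid"])

def detect(events, removable_drives=("E:",)):
    # Returns (rule, pid) findings for the execution chain described in the article
    index = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd, parent = _name(e), str(e["cmdline"]), index.get(e["ppid"])
        if name == "msiexec.exe" and parent is not None and _name(parent) == "cmd.exe":
            findings.append(("msiexec-spawned-by-cmd", e["pid"]))
        if name == "odbcconf.exe" and ".dll" in cmd.lower():
            findings.append(("odbcconf-executes-dll", e["pid"]))
            # Strongest signal: the chain leads back to a cmd.exe that ran something from the USB
            if any(_name(a) == "cmd.exe" and _references_drive(str(a["cmdline"]), removable_drives)
                   for a in _ancestors(e, index)):
                findings.append(("usb-to-odbcconf-chain", e["pid"]))
    return findings
```

The benign msiexec launched from Explorer produces no finding, which is the point of checking the parent rather than the process name alone.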
The Real Danger Lies in How the Malware's Creators Would Take Advantage of Infected Windows Networks
Some of the command and control servers reportedly in use are said to be compromised QNAP NAS devices. The real danger is that whoever successfully deployed Raspberry Robin has yet to "take advantage of the infected Windows network."
The malware delivered by the worm can bypass Windows User Account Control (UAC) and has already shown that it can abuse legitimate utilities built into the operating system.
The Goal of the Raspberry Robin Threat Remains Unknown
Although Raspberry Robin's goal remains unknown, the control it holds over an infected network means new malware could be downloaded and deployed quickly and easily.
Microsoft has already flagged Raspberry Robin, calling it a "high-risk campaign" with good reason. For now, the only mitigation that appears to have been identified is to avoid plugging suspicious USB devices into a Windows network.
Observations of the Raspberry Robin Threat Started in September 2021
The security firm Red Canary published a detailed report on the worm back in May that offered a deeper look at how it works.
According to the report, Red Canary's intelligence analysts first spotted the malware in September 2021. Sekoia, a cybersecurity firm, also observed it using QNAP NAS devices as servers in early November.
Microsoft notes that the malicious artifacts linked to the worm's creation date back to 2019.
This article is owned by Tech Times
Written by Urian B.