Wormable Malware Zeroes in on Windows Installer
Table of Contents
- By Steven
- May 10, 2022
A new form of malware that functions with USBs is targeting Windows installers. The wormable threat is sometimes referred to as Raspberry Robbin.
What Do We Know About the Wormable Malware?
The wormable malware relies on the Microsoft Standard Installer to wreak havoc. However, it is also possible for Raspberry Robin to use other processes to transmit the malware and relay information back to the hackers. To be more specific, the malware uses USBs to transmit harmful files. The worm also transmits DLL files through the USB. DLL is an acronym referring to a dynamic link library.
The USB devices used in the attack are infected vessels that transmit the wormable malware by way of the LNK file shortcut. However, this file looks perfectly harmless when viewed within a seemingly innocent folder on the USB device. LNK files function as operating system shortcuts that are employed when a computer operator opens a separate application, folder, or file. The wormable malware then updates the target's UserAssist within the registry after connecting the compromised drive to the overarching system. The malware is executed when the cmd.exe extension is used to read through files stored within the compromised external drive.
The attack also includes a secondary execution in the form of msi.exec.exe to allow for communication to take place along the external network. This secondary execution transmits harmful DLL files though the purpose of this action has not been identified. It is also worth noting the msi.exec.exe extension is used to trigger the fodhelper.exe Windows utility that triggers rundll32.exe, setting the stage for the execution of a harmful command.
When Did the Malware Debut?
Raspberry Robin malware first struck this past September when it compromised a Windows machine through a USB drive. Digital security specialists with Red Canary Intelligence initiated tracking the activity later that fall after finding similar attacks in other computing environments. The details of that tracking were highlighted by Jason Killiam, an engineer with Red Canary.
According to Killiam, the Raspberry Robin worm moves into the target machine through a USB drive, using a msiexec.exe file to compromise the target's infrastructure through HTTP requests and other means. Killiam and his fellow digital security specialists at Red Canary also noted that the attack relies on TOR-style exit notes for command-and-control purposes. Though the attacks commenced in September of this past year, most of the activity was observed at the start of 2022.
Can Raspberry Robin Be Stopped?
The digital security professionals at Red Canary are unsure how to stop Raspberry Robin from wreaking havoc. Nor are those digital security experts completely certain how or if the wormable malware is compromising external drives to cause additional harm. The infection takes place offline, so it is much more difficult to study. Furthermore, Red Canary's team is uncertain why the wormable malware transmits harmful DLL though it might be done to create persistence throughout the compromised system.
Who is Responsible for the New Malware?
Red Canary's team is unsure of the hackers' identity responsible for Raspberry Robin. Nor is the digital security company's brass certain of the overarching aim of the hacking campaign.