Wormable Malware Zeroes in on Windows Installer

  • By Patrick Ryan
  • May 10, 2022

A new form of malware that functions with USBs is targeting Windows installers. The wormable threat is sometimes referred to as Raspberry Robbin. 

What Do We Know About the Wormable Malware?

The wormable malware relies on the Microsoft Standard Installer to wreak havoc. However, it is also possible for Raspberry Robin to use other processes to transmit the malware and relay information back to the hackers. To be more specific, the malware uses USBs to transmit harmful files. The worm also transmits DLL files through the USB. DLL is an acronym referring to a dynamic link library.

The USB devices used in the attack are infected vessels that transmit the wormable malware by way of the LNK file shortcut. However, this file looks perfectly harmless when viewed within a seemingly innocent folder on the USB device. LNK files function as operating system shortcuts that are employed when a computer operator opens a separate application, folder, or file. The wormable malware then updates the target's UserAssist within the registry after connecting the compromised drive to the overarching system. The malware is executed when the cmd.exe extension is used to read through files stored within the compromised external drive.

The attack also includes a secondary execution in the form of msi.exec.exe to allow for communication to take place along the external network. This secondary execution transmits harmful DLL files though the purpose of this action has not been identified. It is also worth noting the msi.exec.exe extension is used to trigger the fodhelper.exe Windows utility that triggers rundll32.exe, setting the stage for the execution of a harmful command.

When Did the Malware Debut?

Raspberry Robin malware first struck this past September when it compromised a Windows machine through a USB drive.  Digital security specialists with Red Canary Intelligence initiated tracking the activity later that fall after finding similar attacks in other computing environments. The details of that tracking were highlighted by Jason Killiam, an engineer with Red Canary.

According to Killiam, the Raspberry Robin worm moves into the target machine through a USB drive, using a msiexec.exe file to compromise the target's infrastructure through HTTP requests and other means. Killiam and his fellow digital security specialists at Red Canary also noted that the attack relies on TOR-style exit notes for command-and-control purposes. Though the attacks commenced in September of this past year, most of the activity was observed at the start of 2022.

Can Raspberry Robin Be Stopped?

The digital security professionals at Red Canary are unsure how to stop Raspberry Robin from wreaking havoc. Nor are those digital security experts completely certain how or if the wormable malware is compromising external drives to cause additional harm. The infection takes place offline, so it is much more difficult to study. Furthermore, Red Canary's team is uncertain why the wormable malware transmits harmful DLL though it might be done to create persistence throughout the compromised system.

Who is Responsible for the New Malware?

Red Canary's team is unsure of the hackers' identity responsible for Raspberry Robin. Nor is the digital security company's brass certain of the overarching aim of the hacking campaign.

About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagra ... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “Alien ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the co ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% ... Read More

Latest Articles

Fronton Botnet Tracks Online Activity and More

Fronton Botnet Tracks Online Activity and More

A botnet referred to as Fronton tracks activity on the internet and conducts illegal operations. The IoT botnet aims to steal information, disinform, and wreak general havoc on the web.

New Keylogger is Transmitted Through PDFs

New Keylogger is Transmitted Through PDFs

A keylogger is infecting computers through harmful PDF files. The snake keylogger centers on an email campaign that sends PDF files and other files from Microsoft Word programs.

Bug Might Allow Thieves to Steal Money from PayPal Accounts

Bug Might Allow Thieves to Steal Money from PayPal Accounts

The failure to quickly patch a bug might empower online criminals to steal money directly out of the accounts of PayPal users.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Run a Free Identity Scan
Check if your information is compromised
Close