A Windows worm has been discovered on the networks of hundreds of organizations from different sectors. The worm, dubbed Raspberry Robin, spreads using USB devices. Microsoft claims to have found malicious artifacts associated with this worm created in 2019.
Researchers from Red Canary first identified Raspberry Robin in September 2021. Another firm observed the worm abusing QNAP NAS devices as C2 servers in early November.
Microsoft’s recent findings align with Red Canary's Detection Engineering team, which detected the worm on networks of various customers in the technology and manufacturing sectors.
Further, Microsoft observed the malware connecting to addresses on the Tor network. The attackers have, however, not yet used the access credentials.
The worm can bypass UAC security on targeted systems with legitimate Windows tools.
Use of legitimate tools
Raspberry Robin communicates with its C2 servers and executes malicious payloads with the use of various legitimate Windows utilities:
One such tool is Fodhelper, which is a trusted binary for managing features in Windows settings.
Msiexec is a command-line Windows Installer component and a tool (odbcconf) for configuring ODBC drivers.
At present, Raspberry Robin is not spotted in the wild and the adversaries are yet to be identified. Nevertheless, the attack could help hackers deploy additional malware within the victims' networks and escalate privileges.