Raspberry Robin found using malicious code of Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure.
As reported by Microsoft this worm has infected customers from tech and manufacturing sectors. Based on this, researchers from Cybereason have reported multiple infections in Europe, the experts investigated a series of recent infections also associated with the name “LNK Worm.”
The attacks monitored by the researchers are leveraging compromised QNAP NAS devices as C2.
Below is the infection chain associated with the ongoing Raspberry Robin campaign observed by security researchers as follows.
- The Raspberry Robin-related infections start from two files present in the same directory hosted on an external device or shared drive:
- a “LNK” file that contains a Windows shell command
- another file that acts as a “BAT” file, filled with padding data and two specific commands
- Raspberry Robin leverages the LOLBin called “msiexec.exe” to download and execute a malicious shared library (DLL) from a compromised NAS device from the vendor “QNAP”.
- To make it harder to detect, Raspberry Robin:
- leverages process injections in three legitimate Windows system processes
- communicates with the rest of Raspberry Robin’s infrastructure through Tor Exit nodes
- To persist on the infected system, Raspberry Robin uses a registry key to automatically load a malicious module through the Windows binary “rundll32.exe”, at the machine startup.
The malware maintains persistence on the compromised machine through the Windows Registry, it loads the “rundll32.exe” at the startup.
Recommendations:
- Block outgoing connections to TOR-related addresses, as Raspberry Robin actively communicates with TOR exit nodes.
- As Raspberry Robin displays persistence mechanisms and establishes many masquerading actions on the infected system, re-image infected devices.
