Security News > 2022 > July > Researchers Warn of Raspberry Robin's Worm Targeting Windows Users

Cybersecurity researchers are drawing attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that's behind a Windows malware with worm-like capabilities.

The infections involve a worm that propagates over removable USB devices containing malicious a.LNK file and leverages compromised QNAP network-attached storage devices for command-and-control.

Also codenamed QNAP worm by Sekoia, the malware leverages a legitimate Windows installer binary called "Msiexec.exe" to download and execute a malicious shared library from a compromised QNAP NAS appliance.

"To make it harder to detect, Raspberry Robin leverages process injections in three legitimate Windows system processes," Cybereason researcher Loïc Castel said in a technical write-up, adding it "Communicates with the rest of [the] infrastructure through TOR exit nodes."

Persistence on the compromised machine is achieved by making Windows Registry modifications to load the malicious payload through the Windows binary "Rundll32.exe" at the startup phase.

The disclosure comes as QNAP said it's actively investigating a new wave of Checkmate ransomware infections targeting its devices, making it the latest in a series of attacks after AgeLocker, eCh0raix, and DeadBolt.

News URL

https://thehackernews.com/2022/07/researchers-warn-of-raspberry-robins.html