Ongoing Raspberry Robin campaign leverages compromised QNAP devices

Cybereason researchers are warning of a wave of attacks spreading the wormable Windows malware Raspberry Robin.

Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary, the malware propagates through removable USB devices.

The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure.

The malware was first spotted in September 2021, the experts observed Raspberry Robin targeting organizations in the technology and manufacturing industries. Initial access is typically through infected removable drives, often USB devices.

“Raspberry Robin is typically introduced via infected removable drives, often USB devices. The Raspberry Robin worm often appears as a shortcut .lnk file masquerading as a legitimate folder on the infected USB device.” continues the analysis. “Soon after the Raspberry Robin infected drive is connected to the system, the UserAssist registry entry is updated and records execution of a ROT13-ciphered value referencing a .lnk file when deciphered. In the example below, q:\erpbirel.yax deciphers to d:\recovery.lnk.”

The malware uses cmd.exe to read and execute a file stored on the infected external drive, it leverages msiexec.exe for external network communication to a rogue domain used as C2 to download and install a DLL library file.

Then msiexec.exe launches a legitimate Windows utility, fodhelper.exe, which in turn run rundll32.exe to execute a malicious command. Experts pointed out that processes launched by fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt.

According to the researchers, looking for fodhelper.exe as a parent process it is possible to detect the threat.

Last week, Microsoft confirmed that the threat was discovered on the networks of multiple customers, including organizations in the technology and manufacturing sectors.

Now Cybereason researchers reported multiple infections in Europe, the experts investigated a series of recent infections also associated with the name “LNK Worm.”

The attacks monitored by the researchers are leveraging compromised QNAP (Network Attached Storage or NAS) devices as C2.

Below is the infection chain associated with the ongoing Raspberry Robin campaign observed by Cybereason.

The GSOC team summarizes a Raspberry Robin infection as follows :

The Raspberry Robin-related infections start from two files present in the same directory hosted on an external device or shared drive:
- a “LNK” file that contains a Windows shell command
- another file that acts as a “BAT” file, filled with padding data and two specific commands
Raspberry Robin leverages the LOLBin called “msiexec.exe” to download and execute a malicious shared library (DLL) from a compromised NAS device from the vendor “QNAP”.
To make it harder to detect, Raspberry Robin:
- leverages process injections in three legitimate Windows system processes
- communicates with the rest of Raspberry Robin’s infrastructure through Tor (The Onion Router) Exit nodes
To persist on the infected system, Raspberry Robin uses a registry key to automatically load a malicious module through the Windows binary “rundll32.exe”, at the machine startup.

The malware maintains persistence on the compromised machine through the Windows Registry, it loads the “rundll32.exe” at the startup.

The campaign monitored by Cybereason dates back to September 2021, at this time the company has yet to attribute it to a specific threat actor and its goal is still a mystery.

Below are the recommendations provided by Cybereason:

Block outgoing connections (outside of the organization) to TOR-related addresses, as Raspberry Robin actively communicates with TOR exit nodes.
As Raspberry Robin displays persistence mechanisms and establishes many masquerading actions on the infected system, re-image infected devices.
Threat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting queries for detecting specific threats – to find out more about threat hunting and Managed Detection and Response with the Cybereason Defense Platform, contact a Cybereason Defender here.
- For Cybereason customers: More details available on the NEST including custom threat hunting queries for detecting this threat:

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.