The battle between good and evil is a constant one when it comes to the cybersecurity space. We regularly hear about new exploits being leveraged by malicious actors as well as the defenses that are being built against them on a reactive and proactive basis. Now, Microsoft has issued private advisories about a high-risk worm that is infecting hundreds of Windows enterprise networks.
Dubbed "Raspberry Robin", the malware is spread via infected USB devices containing a .LNK file. As soon as a user clicks on this file, the worm creates an msiexec.exe process through Command Prompt and launches another malicious file. Then, it communicates with command and control servers with a short URL. If the connection is successful, it downloads and installs a bunch of other malicious DLLs, which then attempt to communicate with TOR nodes.
It is important to note that Raspberry Robin is not a new piece of malware. It was first spotted by multiple security experts in 2021 and Microsoft even saw evidence of it being used back in 2019.
According to Bleeping Computer, Microsoft is now privately informing Defender for Endpoint subscribers about the dangers posed by Raspberry Robin. It has also noted that it has discovered the worm in hundreds of Windows networks across multiple sectors.
That said, it is very interesting to know that while infected machines are communicating with the Tor network, the threat actors behind Raspberry Robin are yet to leverage the exploit to gain access to sensitive information or deploy ransomware. They can easily do this considering that the initial payloads they downloaded can be used to bypass User Account Control (UAC) by misusing Windows utilities. As such, it is currently unknown which threat group is utilizing Raspberry Robin and what their ultimate goal is. However, given the possibility of escalation of this threat as well as the fact that it is spreading rather quickly, Microsoft has labeled it as a high-risk campaign for the time being.
Source: Bleeping Computer