A new malware worm called Raspberry Robin was reported by security researchers. The malware was first discovered in September 2021 and typically entered networks via infected portable media like USB devices. The worm is believed to begin as a low-profile threat but soon becomes a path to install additional malware to the victim’s devices using a USB device.
According to a report shared by Microsoft Security on October 27, 2022, the worm serves as a launchpad for a more dangerous threat that targets files, databases, and servers. As for the worm itself, Microsoft issued a warning about its attack method, which includes installing malicious payload. The company sent notifications to the compromised systems. As per Microsoft, the notification was sent to over 1,000 organizations’ machines in the past 30 days.
Raspberry Robin worm: How does it work?
According to the report, the Raspberry Robin worm uses a shortcut.ink file to trick users into thinking that it is an authentic folder. However, Recovery.lnk was originally the name of the lnk file; afterwards, it took on the file names according to the device in use.
The report suggests that the worm can use multiple attack types and protocols. For starters, it can use social engineering to encourage people to click the link and auto-run to complete its task without human input.
Another thing that is worth noting is that the Raspberry Robin worm uses the LNK file that links directly to the cmd.exe. It uses a physical storage server called NAS, which links to a computer network that stores data. This enables the worm to run the Windows Installer service msiexec.exe and install a malicious payload on the victim’s devices.
Since this data is shared by computers connected with the server, the worm uses them as an external hard drive that can be accessed via an intranet or the internet. QNAP devices have several vulnerabilities for which patches are available. However, regrettably many of them go unpatched.
According to Microsoft, the USB disk autorun function is disabled by default in Windows operating systems. However, despite the default settings, numerous businesses have turned it on via the company policy.
