Executive Summary

Raspberry Robin is the name given to a worm that is being used to infect Windows devices through removable USB drives. The worm disguises itself as a legitimate folder within the drive, when in fact it contains a malicious shortcut (LNK) file. When opened, it launches privileged processes, bypassing user account control to install itself on the device, and connect to a command and control server. This could then allow for lateral movement on the device or network.

What’s the risk to me or my business?

The worm appears to look legitimate and can bypasses some basic security controls on a device. This could cause an unaware user to infect a system, believing that the file is legitimate. This worm is now being seen more prominently in the wild across multiple organisations.

What can I do?

Work with your MSP to ensure that endpoint protection is enabled on user devices, and that it is scanning removable drives on insertion. Policies should be put into place to prevent software launching from a removable drive. Training should be supplied to users to ensure that they do not plug untrusted USB drives into corporate computers.

Technical Summary

Red Canary originally identified and named the worm, which makes use of legitimate processes built into Windows in order to establish persistence on the end user device and make contact with command and control (C2) infrastructure. These processes include CMD and msiexec.exe (Windows Installer). Additional malware is then downloaded via msiexc.exe, of which include regsvr32.exe, rundll32.exe and dllhost.exe to repeatedly attempt to connect to command and control, often via TOR nodes.

Further details can be found here: Raspberry Robin gets the worm early (redcanary.com)

Need help understanding your gaps, or just want some advice? Get in touch with us.