{"id":20517,"date":"2022-10-31T16:10:22","date_gmt":"2022-11-01T00:10:22","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/10\/31\/news-14250\/"},"modified":"2022-10-31T16:10:22","modified_gmt":"2022-11-01T00:10:22","slug":"news-14250","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/10\/31\/news-14250\/","title":{"rendered":"Raspberry Robin worm used as ransomware prelude"},"content":{"rendered":"<p>Raspberry Robin aka <a href=\"https:\/\/www.malwarebytes.com\/blog\/detections\/worm-raspberryrobin\">Worm.RaspberryRobin<\/a> started out as an annoying, yet relatively low-profile threat&nbsp;that was often installed via USB drive. First <a href=\"https:\/\/redcanary.com\/blog\/raspberry-robin\/\" target=\"_blank\">spotted<\/a> in September 2021, it was typically introduced into a network through infected removable drives, often USB devices.<\/p>\n<p>Now the worm has been found to be the foothold for more serious threats like ransomware as laid out in this <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/27\/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity\/\" target=\"_blank\">Microsoft Security blog<\/a>. Microsoft warns that the worm has triggered payload alerts on devices of almost 1,000 organizations in the past 30 days.<\/p>\n<h2>Primary infection<\/h2>\n<p>Initially, the Raspberry Robin worm often appears as a shortcut .lnk file masquerading as a legitimate folder on the infected USB device. The name of the lnk file was <em>recovery.lnk<\/em> which later changed to filenames associated with the brand of the USB device. 
Raspberry Robin uses both autoruns to launch and social engineering to encourage users to click the LNK file.<\/p>\n<p>Raspberry Robin&rsquo;s LNK file points to <em>cmd.exe<\/em> to launch the Windows Installer service <em>msiexec.exe<\/em> and install a malicious payload hosted on compromised QNAP network attached storage (NAS) devices.<\/p>\n<h2>Infrastructure<\/h2>\n<p>A NAS device is a storage server connected to a computer network, storing data that can be accessed by a wide variety of devices, including Windows, macOS, and other systems. In real life this usually means they are used as an external hard-drive that can be accessed over an intranet or the internet. There are several <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/04\/qnap-customers-urged-to-disable-afp-to-protect-against-severe-vulnerabilities\">vulnerabilities in QNAP devices<\/a> for which patches are available, but unfortunately many of them remain unpatched due to unawareness.<\/p>\n<h2>Backdoor<\/h2>\n<p>To be able to act as a backdoor, malware needs to be active or you need to be able to trigger it remotely. Raspberry Robin gains persistence by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the initial malware.<\/p>\n<p>By using <a href=\"https:\/\/www.malwarebytes.com\/glossary\/cc\">command-and-control (C2) servers<\/a> hosted on Tor nodes the Raspberry Robin implant can be used to distribute other malware.<\/p>\n<h2>Guests<\/h2>\n<p>As an established access provider in the current malware-as-a-service landscape you can make money by selling the access to affected networks to other malware operators like ransomware groups. 
Microsoft found that Raspberry Robin has been used to facilitate <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2022\/06\/makemoney-malvertising-campaign-adds-fake-update-template\">FakeUpdates (SocGholish)<\/a>, Fauppod, <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2019\/12\/new-version-of-icedid-trojan-uses-steganographic-payloads\">IcedID<\/a>, <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/03\/meet-exotic-lily-access-broker-for-ransomware-and-other-malware-peddlers\">Bumblebee<\/a>, TrueBot, <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/09\/lockbit-builder-leaked-by-disgruntled-developer\">LockBit<\/a>, and human-operated intrusions.<\/p>\n<p>Fauppod is heavily obfuscated malware that is also used to spread FakeUpdates, and writes Raspberry Robin to USB drives. TrueBot Trojans are used in targeted attacks for reconnaissance purposes.<\/p>\n<p>An example of the human-operated intrusions was the deployment of <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2021\/06\/cobalt-strike-a-penetration-testing-tool-popular-among-criminals\">Cobalt Strike<\/a> to deliver the&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2021\/02\/clop-targets-execs-ransomware-tactics-get-another-new-twist\">Clop ransomware<\/a>.<\/p>\n<h2>Stop the worm<\/h2>\n<p>In Windows, the autorun of USB drives is disabled by default. However, many organizations have widely enabled it through legacy Group Policy changes, according to Microsoft. If you enabled it, this is a policy worth re-thinking.<\/p>\n<p>Owners of QNAP devices should be aware of the fact that they are not only putting their own files at risk by not applying the patches, but they are providing malware authors with a free-to-use infrastructure to victimize others.<\/p>\n<hr \/>\n<p><strong>We don&rsquo;t just report on threats&mdash;we remove them<\/strong><\/p>\n<p>Cybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by <a href=\"https:\/\/www.malwarebytes.com\/for-home\">downloading Malwarebytes today<\/a>.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/10\/raspberry-robin-worm-used-as-ransomware-prelude\" target=\"bwo\">https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding='10'>\n<tr>\n<td valign='top' align='left'>\n<p>Categories: <a href='https:\/\/www.malwarebytes.com\/blog\/category\/news' rel='category tag'>News<\/a><\/p>\n<p>Categories: <a href='https:\/\/www.malwarebytes.com\/blog\/category\/ransomware' rel='category tag'>Ransomware<\/a><\/p>\n<p>Tags: Raspberry Robin<\/p>\n<p>Tags:  FakeUpdates<\/p>\n<p>Tags:  LockBit<\/p>\n<p>Tags:  Clop<\/p>\n<p>Tags:  ransomware<\/p>\n<p>Microsoft warns that the Raspberry Robin worm has triggered payload alerts on devices of almost 1,000 organizations in the past 30 days and is used to introduce ransomware.<\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/www.malwarebytes.com\/blog\/news\/2022\/10\/raspberry-robin-worm-used-as-ransomware-prelude' title='Raspberry Robin worm used as ransomware prelude'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel='nofollow' href='https:\/\/www.malwarebytes.com\/blog\/news\/2022\/10\/raspberry-robin-worm-used-as-ransomware-prelude'>Raspberry Robin worm used as ransomware prelude<\/a> appeared first on <a rel='nofollow' href='https:\/\/www.malwarebytes.com'>Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[25304,18060,24616,32,3765,27881],"class_list":["post-20517","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-clop","tag-fakeupdates","tag-lockbit","tag-news","tag-ransomware","tag-raspberry-robin"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20517","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20517"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20517\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20517"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20517"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20517"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}