QNAP NAS devices targeted by Raspberry Robin worm

Vulnerable QNAP network-attached storage devices are being exploited by the Raspberry Robin Windows worm to spread further to other systems, according to SecurityWeek. File archives, ISO files, and USB drives are being leveraged to spread Raspberry Robin, whose infection process begins with a BAT file and an LNK shortcut with a Windows shell command, which facilitates retrieval of a malicious DLL from attacked QNAP NAS devices, a report from Cybereason revealed. The malware then injects itself into the Windows system processes dllhost.exe, regsvr32.exe, and rundll32.exe, and it establishes persistence through a registry key so that the rundll32.exe process is injected with the same DLL from the external resource. "As the malicious module is the same one as during the initial infection process, it displays the same malicious activities involving process injection and communication with Tor exit nodes," said researchers. The report also showed that for nearly 75% of Raspberry Robin victims, the downloaded malicious module carried an "OmniContact" signature.
