4 July 2022

Microsoft found Raspberry Robin worm in networks of hundreds of organizations

Recently, Microsoft sent a private threat intelligence advisory to subscribers of its Microsoft Defender for Endpoint product. According to the advisory, the company found a Windows worm in the networks of hundreds of organizations, including those in the technology and manufacturing sectors.

Allegedly created in 2019 and first spotted in September 2021, the Raspberry Robin worm spreads via infected USB devices in the form of a .LNK file. According to Microsoft, the malware was connecting to addresses on the Tor network, but the threat actors haven't exploited their access to the victims' networks yet.

Raspberry Robin's origin and the intentions of its operators are still unknown. Nevertheless, the threat actors could easily escalate their attacks, because the worm is able to bypass User Account Control (UAC) on infected machines using legitimate Windows utilities (fodhelper, msiexec, and odbcconf). Using Raspberry Robin, they can gain initial access to the target network and escalate their privileges to deploy ransomware, steal information, launch DDoS attacks, etc.

When the user connects the infected USB device to the computer and clicks the link, the worm starts an msiexec process. msiexec.exe then launches fodhelper.exe, the utility for managing features in Windows Settings, which in turn executes a malicious command via rundll32.exe.
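The process chain described above is what a defender can hunt for in process-creation telemetry. The following is an added example, not Microsoft's or the article's code: it walks parent/child links in a simplified Sysmon Event ID 1-style record set (the `pid`/`ppid`/`image` field names and the sample events are constructed assumptions) and flags any process whose ancestry contains the msiexec.exe -> fodhelper.exe -> rundll32.exe links.

```python
"""Hunt process-creation telemetry for the msiexec -> fodhelper -> rundll32 chain.

Added example, not the article's or Microsoft's code. Events use a simplified
Sysmon Event ID 1 shape (pid, ppid, image); the field names are assumptions."""
from typing import Dict, List, Tuple

# Parent -> child links from the infection chain in the article (lower-case basenames).
SUSPICIOUS_LINKS = {
    ("msiexec.exe", "fodhelper.exe"),
    ("fodhelper.exe", "rundll32.exe"),
}

# Constructed sample events, not real telemetry. The last one is a benign
# rundll32.exe launched directly by explorer.exe and must not be flagged.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4012, "ppid": 1180, "image": r"C:\Windows\explorer.exe"},
    {"pid": 5220, "ppid": 4012, "image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 5304, "ppid": 5220, "image": r"C:\Windows\System32\fodhelper.exe"},
    {"pid": 5388, "ppid": 5304, "image": r"C:\Windows\System32\rundll32.exe"},
    {"pid": 6100, "ppid": 4012, "image": r"C:\Windows\System32\rundll32.exe"},
]


def basename(image: str) -> str:
    """Normalise a full image path to a lower-case file name."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(events: List[Dict], pid: int) -> List[str]:
    """Walk ppid links upward; returns [process, parent, grandparent, ...] as basenames."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_suspicious(events: List[Dict]) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, severity, chain) for processes whose ancestry holds a suspicious link.

    'high' means the full msiexec -> fodhelper -> rundll32 chain is present, 'medium' one link."""
    hits = []
    for e in events:
        chain = lineage(events, e["pid"])
        links = {(chain[i + 1], chain[i]) for i in range(len(chain) - 1)}  # (parent, child)
        matched = links & SUSPICIOUS_LINKS
        if matched:
            hits.append((e["pid"], "high" if matched == SUSPICIOUS_LINKS else "medium", chain))
    return hits


if __name__ == "__main__":
    for pid, severity, chain in find_suspicious(SAMPLE_EVENTS):
        print(f"[{severity}] pid {pid}: {' <- '.join(chain)}")
```

On the sample data only the fodhelper.exe and rundll32.exe processes descending from msiexec.exe are reported; the explorer-launched rundll32.exe is ignored.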
