4 July 2022

Microsoft found Raspberry Robin worm in networks of hundreds of organizations


Microsoft recently sent a private threat intelligence advisory to subscribers of its Microsoft Defender for Endpoint product. According to the advisory, the company found a Windows worm in the networks of hundreds of organizations, including ones in the technology and manufacturing sectors.

Allegedly created in 2019 and first spotted in September 2021, the Raspberry Robin worm spreads via infected USB devices in the form of a .LNK file. According to Microsoft, the malware connects to addresses on the Tor network, but the threat actors have not yet exploited their access to the victims' networks.

Raspberry Robin's origin and the intentions of its operators are still unknown. Nevertheless, the threat actors could easily escalate their attacks, because the worm is able to bypass User Account Control (UAC) on infected machines using legitimate Windows utilities (fodhelper, msiexec, and odbcconf). Using Raspberry Robin, they can gain initial access to a target network and escalate their privileges to deploy ransomware, steal information, launch DDoS attacks, and so on.

When the user connects the infected USB device to a computer and clicks the link, the worm starts an msiexec process. msiexec.exe then launches fodhelper.exe, the utility for managing optional features in Windows Settings, which in turn executes a malicious command via rundll32.exe.
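The process chain described above (msiexec.exe launching fodhelper.exe, which launches rundll32.exe) is something defenders can look for in process-creation telemetry. The following is an added detection example, not code from Microsoft's advisory; the event fields (pid, ppid, image) are assumed to mirror Sysmon Event ID 1 style records, and the sample events are constructed.

```python
"""Flag the msiexec.exe -> fodhelper.exe -> rundll32.exe parent chain
in process-creation events. Sample events below are constructed."""
from typing import Dict, List

# Constructed sample events: (pid, parent pid, image path), Sysmon-like.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\fodhelper.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe"},
    # Benign: an installer's msiexec that spawns nothing suspicious.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe"},
    # Benign: fodhelper opened from explorer (e.g. via Settings), not msiexec.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\fodhelper.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\rundll32.exe"},
]

# Oldest ancestor first; the chain the article attributes to Raspberry Robin.
SUSPICIOUS_CHAIN = ["msiexec.exe", "fodhelper.exe", "rundll32.exe"]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Image basenames from the process up to the root, child first.
    Stops on unknown parents and guards against pid reuse cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(basename(ev["image"]))
        pid = ev["ppid"]
    return chain


def find_chain(events: List[dict], chain: List[str] = SUSPICIOUS_CHAIN) -> List[int]:
    """Return pids whose direct ancestry matches `chain` exactly
    (the process itself is the last element of `chain`)."""
    by_pid = {e["pid"]: e for e in events}
    want = list(reversed(chain))  # child first, to compare with ancestry()
    return [e["pid"] for e in events
            if ancestry(e["pid"], by_pid)[: len(want)] == want]
```

Only the rundll32.exe whose direct parents are fodhelper.exe and then msiexec.exe is reported; benign msiexec and fodhelper activity is left alone.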
