Microsoft finds Raspberry Robin worm in hundreds of Windows networks

Red bird


Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors.


The malware, dubbed Raspberry Robin, spreads via infected USB devices, and it was first spotted in September 2021 by Red Canary intelligence analysts.


Cybersecurity firm Sekoia also observed it using QNAP NAS devices as command and control servers (C2) servers in early November [PDF], while Microsoft said it found malicious artifacts linked to this worm created in 2019.


Redmond's findings align with those of the Red Canary's Detection Engineering team, which also detected this worm on the networks of multiple customers, some of them in the technology and manufacturing sectors.


Although Microsoft observed the malware connecting to addresses on the Tor network, the threat actors are yet to exploit the access they gained to their victims' networks.


This is in spite of the fact that they could easily escalate their attacks given that the malware can bypass User Account Control (UAC) on infected systems using legitimate Windows tools.


Microsoft shared this info in a private threat intelligence advisory sent to Microsoft Defender for Endpoint subscribers and seen by BleepingComputer.



Raspberry Robin worm infection flowRaspberry Robin worm infection flow (Red Canary)

Abuses Windows legitimate tools to infect new devices


As already mentioned, Raspberry Robin is spreading to new Windows systems via infected USB drives containing a malicious .LNK file.


Once the USB device is attached and the user clicks the link, the worm spawns a msiexec process using cmd.exe to launch a malicious file stored on the infected drive.


It infects new Windows devices, communicates with its command and control servers (C2), and executes malicious payloads using several legitimate Windows utilities:


  • fodhelper (a trusted binary for managing features in Windows settings),

  • msiexec (command line Windows Installer component),

  • and odbcconf (a tool for configuring ODBC drivers).

"While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware," Red Canary researchers explained.


"Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes."


Security researchers who spotted Raspberry Robin in the wild are yet to attribute the malware to a threat group and are still working on finding its operators' end goal.


However, Microsoft has tagged this campaign as high-risk, given that the attackers could download and deploy additional malware within the victims' networks and escalate their privileges at any time.