Red Canary analysts have disclosed a cluster of malware activity that uses a worm spread via external USB drives. The malware employs the “QNAP worm,” which cyber-intelligence firm Sekoia described back in November 2021. However, Red Canary detected it in some of its technology and manufacturing customers’ networks and tracked it since September under the codename Raspberry Robin. Raspberry Robin spreads when users connect an infected USB drive to their computer. The worm, disguised as an LNK file, then uses Windows cmd.exe to launch a malicious file. It then uses Microsoft Standard Installer (msiexec.exe) to connect to command-and-control (C2) servers — usually vulnerable QNAP devices. It then uses TOR exit nodes to cover its tracks.
Red Canary suspects that Raspberry Robin establishes persistence by installing a malicious DLL file from the C2 servers. The malware then launches the DLL using two utilities included in Windows: fodhelper (a Windows setting manager) and obdcconf (an ODBC driver configuration tool). The former bypasses User Account Control, and the latter executes and configures the DLL. However, the researchers admit this is just a working hypothesis. They don’t precisely know what the DLLs do, nor have they figured out how it spreads to USB drives. “First and foremost, we don’t know how or where Raspberry Robin infects external drives to perpetuate its activity, though it’s likely this occurs offline or otherwise outside of our visibility,” said Red Canary. “We also don’t know why Raspberry Robin installs a malicious DLL.” It is also unclear what the QNAP worm’s ultimate purpose is. Other than how it works, the researchers have not seen any “late-stage activity” that would benefit the operators. Image credit: Red Canary