Researchers Warn of Raspberry Robin’s Worm Targeting Windows Users

by admin 0 Comments

News
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Cybersecurity researchers are drawing attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that’s behind a Windows malware with worm-like capabilities.

Describing it as a “persistent” and “spreading” threat, Cybereason said it observed a number of victims in Europe.

The infections involve a worm that propagates over removable USB devices containing malicious a .LNK file and leverages compromised QNAP network-attached storage (NAS) devices for command-and-control. It was first documented by researchers from Red Canary in May 2022.

Also codenamed QNAP worm by Sekoia, the malware leverages a legitimate Windows installer binary called “msiexec.exe” to download and execute a malicious shared library (DLL) from a compromised QNAP NAS appliance.

“To make it harder to detect, Raspberry Robin leverages process injections in three legitimate Windows system processes,” Cybereason researcher Loïc Castel said in a technical write-up, adding it “communicates with the rest of [the] infrastructure through TOR exit nodes.”

Persistence on the compromised machine is achieved by making Windows Registry modifications to load the malicious payload through the Windows binary “rundll32.exe” at the startup phase.

The campaign, which is believed to date back to September 2021, has remained something of a mystery so far, with no clues as to the threat actor’s origin or its end goals.

The disclosure comes as QNAP said it’s actively investigating a new wave of Checkmate ransomware infections targeting its devices, making it the latest in a series of attacks after AgeLocker, eCh0raix, and DeadBolt.

CyberSecurity

“Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords,” the company noted in an advisory.

“Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name “!CHECKMATE_DECRYPTION_README” in each folder.”

As precautions, the Taiwanese company recommends customers to not expose SMB services to the internet, improve password strength, take regular backups, and update the QNAP operating system to the latest version.

This article was originally published by Thehackernews.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt
U.S. Treasury Hamas Spokesperson for Cyber Influence Operations
Data Breach Exposes 300k Taxi Passengers’ Information
Linux Cerber Ransomware Variant Exploits Atlassian Servers
Russia and Ukraine Top Inaugural World Cybercrime Index

Leave a Reply

Your email address will not be published. Required fields are marked *