Rewterz Threat Alert – The Raspberry Robin Worm Infected Hundreds Of Windows Networks – Active IOCs

Severity

High

Analysis Summary

Raspberry Robin is a new Windows virus found by researchers having worm-like capabilities that spreads via removable USB devices. Raspberry Robin makes use of Windows Installer to connect to QNAP-related domains and download a malicious DLL. TOR exit nodes are used as a backup C2 infrastructure by this malware.
Raspberry Robin was first discovered in September 2021. This malware is observed targeting companies in the technology and manufacturing industries. The Raspberry Robin worm appears as a shortcut .lnk file masquerading as a legitimate folder on the infected USB device.
The UserAssist registry item is updated shortly after the Raspberry Robin infected disc is attached to the system, and when decoded, it records the execution of a ROT13-ciphered value referencing a.lnk file. For example q:\erpbirel.yax deciphers to d:\recovery.lnk.
Raspberry Robin reads and executes a file from the infected external drive using cmd.exe and it utilizes msiexec.exe for external network communication to a rogue domain used as C2 to download and install a DLL library file. After that msiexec.exe runs fodhelper.exe, a Windows utility, which runs rundll32.exe to run a malicious operation. Fodhelper.exe processes run with elevated administrator rights without necessitating a User Account Control prompt, according to experts.

Microsoft has now confirmed that the threat was detected on the networks of many customers, including technology and manufacturing organizations. According to researchers, Microsoft issued a private threat intelligence advisory to Microsoft Defender for Endpoint subscribers. They labeled this campaign as high-risk as they believe that the Raspberry Robin poses a significant threat to organizations because threat actors might use it as an entry point into target networks and to deliver further malicious payloads.

Impact

• Exposure of Sensitive Data
• Unauthorized Access

Indicators of Compromise

IP

• 185[.]55[.]243[.]109
• 47[.]62[.]80[.]170
• 77[.]28[.]22[.]149

MD5

• 5726f55d2840f5cd6ceeb6cb921af9f9
• 332abd607cd5e0d27353c1517e2ecc5a
• f01820e73d9063a67d3f1152e0a0779e
• a41c3eca155099c70e4bc66751821fd0
• 573dd24454fc8c16a471a5dd269337b5
• 3ed02c61e8ef8534ffa58de9d088e536
• 3f8145034eb71a0c8d162ef79e2454b6
• 08bce311963389334fe83864c627cb56

SHA-256

• 01d13023055420ee95f79cafeee9e78f1579de3cbaab4a29227d28b16421be65
• 0d25743cdd5bb3b64ba87821caabc2c2990edff5d09c5a259917436fb995154c
• 135fe46f7c47c8ced7c0c8c795d466f9818d2a91a0b03ffa69d8480e44f62d00
• 17774e944d6f5aeb5eff8c5ac4a231ecb8dd090aa95e83b88ced2714c8a7faa1
• 18715157f3a7fa097c6b9ca909b3e59aec50ce241ac8e16441c2fbb0dcc559c7
• 1e56f8c3d6fe32fb3487a9fa4e683cf5f5d9c049cb47247a36b2a049248167d8
• 1eb48fce25c89f9a7e90ef0dfd395b5fdd9535765a647599b0e0fd7dfde48b02
• 23b808a462f1f4172cbb6a77dbbdf257f6abb4cbef652c651bc204af0b2e6b14

SHA-1

• 4e27d2c4e36cb911c053adb0643b470e790e2b38
• bd8f71d8525c5bd85fecac5c25dbcdb7de019cb8
• c1dee6ed4043eaa9258f242bfaf3fe2f6db2a833
• d7c004300c3792ade812ca28020d2d318b63671b
• c677138b5d6926ed13c13487d55da31c65e65e02
• c618ca5673a3570f40e9ecfcc7d4cc717d9598d8
• 73e2999dc9d0eb87c1e174f32933449bf49c9e27
• f3ff9db211358a5b856e2cd9e97359dac6cfa2f9

SHA-256

• http[:]//3h[.]wf[:]8080/ZgMaAJK3xTC/LP079LLP=52284
• https[:]//1j[.]pm/
• http[:]//wak[.]rocks/gma0llrwn55/desktop-2jbtpel
• http[:]//j68[.]info/50onbhm6p10/desktop-fj8l46a=user
• http[:]//jzm[.]pw/kfg2kv6cw3g/samantha-pc=samantha
• https[:]//p3[.]ms/https[:]/j68[.]info/
• http[:]//u0[.]pm/lxq9ogyburj/user-pc

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.
• Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct
• configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are
• not publicly accessible.
• WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with
• rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize
• patching known exploited vulnerabilities and zero-days.
• Secure Coding – Along with network and system hardening, code hardening should be implemented within the
• organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the
• deployed codes.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a
• multi-layered protection is necessary to secure vulnerable assets