When you are investigating a crime, one of the most important things to establish is “motive.” If you know a crime has been committed, having an understanding of why it happened is a critical step to figuring out who did it.
In the strictest sense, installing software on someone else’s computer isn’t a crime. It’s not until it becomes malicious software—”malware“—that it’s a problem, and it doesn’t become malware until it does something troublesome, like encrypting user files, opening security backdoors, or crashing the system altogether.
Threat intelligence group Red Canary is tracking a worm that it calls Raspberry Robin, and it’s definitely malware, but the question of “why” is still, in fact, a big question. Red Canary has found the worm in multiple of its customers’ environments starting back in September 2021, though it says most of the activity from the threat has occurred since January of this year.
In the age of the Internet, most malware spreads through the web, and Raspberry Robin does indeed make use of the internet to download critical files, however, it actually seems to spread via infected USB drives. Using Windows’ autoplay functionality, it executes a .LNK file, which is a link shortcut. From there, it starts the Windows command interpreter and uses the Microsoft Installer, msiexec.exe, to download a malicious DLL that it then installs to the system. The purpose of this isn’t entirely clear yet, but it seems to be for persistence.
After that, the system makes numerous attempts to connect to remote hosts, usually TOR exit nodes. The thing is, it’s not actually clear what it is doing or why, and furthermore, Red Canary doesn’t don’t know who is infecting the systems where Raspberry Robin is found. Said systems include machines inside the networks of various manufacturing and technology companies.
Red Canary is inviting anyone with information on this malware, including its late-stage activity, to contact them and assist with the investigation. If you’d like to investigate your own systems to make sure you’re not infected, you can hit up their blog post, which goes over the symptoms and signs of infection.