Researchers warn of Raspberry Robin’s Worm targeting Windows users


Cybersecurity researchers draw attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that is behind a Windows malware with worm-like capabilities.

Cybereason describes it as a “persistent” and “spreading” threat said it observed a number of victims in Europe.

The infections involve a worm that spreads on removable USB devices containing a malicious .LNK file and uses compromised QNAP Network-Attached Storage (NAS) devices for command-and-control. It was first documented by Red Canary researchers in May 2022.

also codename QNAP Worm by Sekoia, the malware uses a legitimate Windows installer binary called “msiexec.exe” to download and run a malicious shared library (DLL) from a compromised QNAP NAS device.

“To make it harder to detect, Raspberry Robin uses process injections into three legitimate Windows system processes,” Cybereason researcher Loïc Castel said in a technical paper, adding that “communicates with the rest of [the] infrastructure through TOR exit nodes.”

Persistence on the compromised machine is achieved by making changes to the Windows registry to load the malicious payload via the Windows binary “rundll32.exe” in the boot phase.

The campaign, believed to date back to September 2021, has remained a mystery so far, with no clues as to the threat actor’s origins or end goals.

The disclosure comes as QNAP said it is actively investigating a new wave of Checkmate ransomware infections targeting its devices, making it the latest in a series of attacks after AgeLockereCh0raix and DeadBolt.

Preliminary research indicates that Checkmate attacks via SME services exposed to the Internet, and uses a dictionary attack to crack accounts with weak passwords,” the company said noted in an opinion.

“Once the attacker successfully logs into a device, they encrypt data in shared folders and leave a ransom note with the file name “!CHECKMATE_DECRYPTION_README” in each folder.”

As a precaution, the Taiwanese company advises customers not to expose SMB services to the Internet, improve password strength, perform regular backups and update the QNAP operating system to the latest version.