Raspberry Robin Worm infecting hundreds of Windows networks - Detection Sigma Rules

Written by Aarush Ahuja
Co-founder @ FourCore
Raspberry Robin Compromised Hundred's Of Networks

In a private threat intelligence advisory, Microsoft shared that the Raspberry Robin worm has compromised the networks of hundreds of organizations. The worm, which spreads via USB devices was first discovered by Red Canary in September 2021. The worm uses compromised QNAP NAS devices as command and control servers to serve malicious payloads and exfiltrate information.

What is Raspberry Robin worm?

Raspberry Robin Worm Infection Timeline

The original report by Red Canary provides a detailed analysis of how Raspberry Robin spreads from USB devices, persists on user systems and hides it activity by abusing legitimate Windows binaries called LOLBins. We had also covered one such LOLBin, mavinject.exe recently.

Raspberry Robin gains initial access to a target via a malicious .lnk file present on a USB devices. cmd.exe /R executes the .lnk, which in turn uses msiexec.exe to download a malicious DLL from a remote URL (compromised QNAP NAS devices). msiexec.exe execution then spawns fodhelper.exe for privilege escalation and UAC Bypass launching an administrative cmd.exe shell. This shell is used to spawn rundll32.exe finally executes the malicious DLL via a LOLBin odbcconf.exe. After execution of the DLL, rundll32.exe constantly generates outbound traffic to TOR nodes for command and control.

Abusing Legitimate Binaries in Raspberry Robin campaign

Raspberry Robin campaigns utilize legitimate binaries for malicious purposes (LOLBins).

  • fodhelper.exe - UAC Bypass and Execution.
  • msiexec.exe - Downloading malicious DLL.
  • odbcconf.exe - Launching malicious DLL.

Detect and Prevent Raspberry Robin

Florian Roth, the author of Sigma, posted a variety of sigma rules on twitter that are useful for detecting the techniques used by Raspberry Robin worm. You can find these rules here:

You can also read our previous posts on how to utilize Sigma rules and make them work for your use case and security controls.

Simulating Raspberry Robin Worm

The Red Canary team has been up to the task and added several simulations to their open-source attack simulation project Atomic Red Team. These simulations cover the malicious usage of LOLBins employed by the Raspberry Robin malware.

At FourCore, we have built various simulations to validate detection rules as well behavioural detection capabilities of Security Controls to prevent Raspberry Robin infection. You can find simulations for Privilege Escalation via fodhelper.exe, simulating network traffic and exfiltration from rundll32.exe, malicious .lnk payloads, and more.

.lnk Stager Simulations
Simulate malicious .lnk payloads
fodhelper UAC Bypass Simulations
Simulate fodhelper UAC Bypass

Our own open-source attack simulation harness, firedrill offers a simulation for privilege escalation and UAC Bypass using fodhelper.exe, which would be helpful to validate your detections.