InfoGuard Cyber Security and Cyber Defence Blog

[Alert] InfoGuard CSIRT issues a warning about infected flash drives

Geschrieben von Stephan Berger | 16 Dez 2022

“Back to the Future”: In recent weeks, the InfoGuard Cyber Defence Center working with the Incident Response Team has been investigating several critical cases of infection caused by infected flash drives. Although USB malware or USB worms have been known about for years and some mitigation has taken place by switching off the AutoPlay functionality, cyber criminals have once again found ways to get users to run malicious code on flash drives.

One malware family in particular stands out from the flash drive malware family: the malware dubbed “Raspberry Robin” by the American cyber security firm Red Canary. Raspberry Robin was first introduced in a blog post by Red Canary in May 2022, and within a six month period has evolved from a classic USB worm to becoming a serious threat to corporate networks.(1)

A foot in the door

The initial infection takes place via shortcut files on the flash drive (.LNK files), which are clicked on by unwitting users. Once they double-click the shortcut(s), a malicious MSI package is downloaded from the Internet by the legitimate Microsoft “msiexec” programme and installed on the host, leading to the computer being compromised.

Persistence is set up as part of the infection chain, i.e. the malicious code is restarted even after the computer is rebooted. Subsequently, the infected computer makes intermittent queries to command & control servers to fetch new commands and potentially execute further code on the computer.

Level up

Following the initial infection, under certain circumstances further code can be loaded. The InfoGuard Cyber Defence Center has discovered various cases where a malicious DLL was executed on the infected systems. According to Microsoft's detailed analysis, this DLL is responsible for creating further shortcuts on the plugged-in flash drives, which enables the worm to spread further and possibly infect other computers in a company network. (2)

However, the attackers can load any additional code via the vectors that are already installed on the infected host. In the cases investigated by InfoGuard, there was an attempt to download the familiar “Agent Tesla” trojan, which would enable an attacker to carry out a detailed, targeted attack on the internal network by operating the infected computer.

The reloading of arbitrary code that ultimately leads to a “hands-on” attack – i.e., an orchestrated attack conducted by a human - leads to the suspicion that the masterminds behind Raspberry Robin are selling their initial network access on to to other random groups. It is precisely this reloading of further code that is a high-risk action, one that could quickly lead to the network being completely compromised.

InfoGuard CSIRT recommendations

  • Endpoint detection & response solutions, which are used by the InfoGuard Cyber Defence Center to protect hundreds of networks, are able to detect and potentially even prevent different steps in the Raspberry Robin infection chain.
  • Employees should be informed and given training so that they know that only company-owned flash drives are to be used. The use of private flash drives is prohibited to avoid bringing already infected flash drives into the company network.
  • Anti-virus alerts that arise in relation to a flash drive should be analysed as a high priority, despite the fact that USB worms in particular have been known for years, and a certain “alert fatigue” may have developed.
  • Companies should check whether the AutoPlay feature, which is responsible for automatically starting files after flash drives are plugged in, really is deactivated.(3)(4)

If required, InfoGuard specialists can carry out a targeted hunt for Raspberry Robin. Contact us to discuss the next steps to be taken. 

 

1) https://redcanary.com/blog/raspberry-robin/

2) https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

3) https://learn.microsoft.com/en-gb/windows/win32/shell/autoplay-reg#using-the-registry-to-disable-autorun

4) https://www.stigviewer.com/stig/windows_server_2016/2019-07-09/finding/V-73547