Microsoft Finds 'Raspberry Robin' Worm in Hundreds of Windows Networks (bleepingcomputer.com)
"Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors," reports BleepingComputer.
The "Raspberry Robin" malware (first spotted in September) spreads through USB devices with a malicious .LNK file. Although Microsoft observed the malware connecting to addresses on the Tor network, the threat actors are yet to exploit the access they gained to their victims' networks. This is in spite of the fact that they could easily escalate their attacks given that the malware can bypass User Account Control (UAC) on infected systems using legitimate Windows tools. Microsoft shared this info in a private threat intelligence advisory sent to Microsoft Defender for Endpoint subscribers and seen by BleepingComputer....
Once the USB device is attached and the user clicks the link, the worm spawns a msiexec process using cmd.exe to launch a malicious file stored on the infected drive. It infects new Windows devices, communicates with its command and control servers (C2), and executes malicious payloads...
Microsoft has tagged this campaign as high-risk, given that the attackers could download and deploy additional malware within the victims' networks and escalate their privileges at any time.
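The launch chain in the summary (user opens the .LNK, cmd.exe starts msiexec, msiexec is pointed at a file on the USB drive) is the kind of parent/child relationship endpoint telemetry can surface. Below is an added defender-side example, not code from Microsoft, BleepingComputer or the Slashdot posters: it scans constructed process-creation events (fields loosely modelled on Sysmon Event ID 1) for msiexec.exe launched by cmd.exe with an argument on a non-system drive. The system-drive set, field names and sample events are assumptions.

```python
"""Hunt for the cmd.exe -> msiexec.exe launch chain described above, where
msiexec is handed a file on a removable (non-system) drive.
Event fields (Image, ParentImage, CommandLine, ProcessId) are modelled on
Sysmon Event ID 1; adapt the field names to your own telemetry."""
import re
from typing import Dict, List

# Assumption: C: is the only fixed system drive; any other drive letter on the
# command line is treated as removable media for this example.
SYSTEM_DRIVES = {"C:"}
DRIVE_PATH = re.compile(r"\b([A-Z]):\\", re.IGNORECASE)


def removable_paths(cmdline: str) -> List[str]:
    """Drive letters referenced on the command line that are not system drives."""
    found = {m.group(1).upper() + ":" for m in DRIVE_PATH.finditer(cmdline)}
    return sorted(found - SYSTEM_DRIVES)


def is_image(path: str, name: str) -> bool:
    """Compare the file name component of an image path, case-insensitively."""
    return path.lower().rsplit("\\", 1)[-1] == name


def find_usb_msiexec_launches(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag msiexec.exe whose parent is cmd.exe and whose arguments point at
    a non-system drive; msiexec started by services.exe or with only C: paths
    is left alone to keep ordinary installer activity out of the alert."""
    hits = []
    for ev in events:
        if not (is_image(ev["Image"], "msiexec.exe") and is_image(ev["ParentImage"], "cmd.exe")):
            continue
        drives = removable_paths(ev["CommandLine"])
        if drives:
            hits.append({"ProcessId": ev["ProcessId"], "drives": ",".join(drives),
                         "CommandLine": ev["CommandLine"]})
    return hits


# Constructed sample telemetry for the example; not real Raspberry Robin artefacts.
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c msiexec.exe /i E:\recovery\setup.msi"},
    {"ProcessId": "4188", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec.exe /i E:\recovery\setup.msi"},        # suspicious: USB path
    {"ProcessId": "5002", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\admin\Downloads\tool.msi"},  # system drive only
    {"ProcessId": "5100", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"msiexec.exe /V"},                               # service instance
]

if __name__ == "__main__":
    for hit in find_usb_msiexec_launches(SAMPLE_EVENTS):
        print(hit)
```

Only the second event is reported; a real deployment would also correlate the flagged msiexec process against subsequent outbound connections, since the summary notes the worm talks to Tor addresses after launch.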
Autorun (Score:2)
How is autorun handled in new Windows versions? Older versions had the genius idea of automatically starting an executable that was on a flash drive with no user interaction and this "feature" survived multiple Windows versions. Did they finally kill it in Win11?
Re:Autorun (Score:4, Informative)
The user has to manually launch the shortcut per TFA (they call it a "link" though, sigh... presumably because it's a .lnk file) in order for the initial infection to occur.
Re: (Score:2)
Yes, I find it interesting that the press shows the user needs to manually do something for this Windows malware to get activated.
But when they report on Linux malware you get "OMG, Linux is bad", hiding the fact the user not only need to run the object locally but needs to have root access. On Linux you need to jump through loops to get the malware installed. A fact the press loves to ignore.
Re: (Score:2)
There have been remote holes in Linux distributions (and assorted, bundled software) and there have been privilege escalation holes, and they have been combined to remotely get root. It's presumably more newsworthy when Linux is being exploited because it happens less often, so I take any imbalance in reporting as a compliment.
Re: (Score:1)
hiding the fact the user not only need to run the object locally but needs to have root access. On Linux you need to jump through loops to get the malware installed.
When there have been so many in-the-wild examples of this not being the case (non-user-intervention vulns, remote execution vulns), and the traditional root access argument being quite dated -- not only do privilege escalation vulnerabilities exist, but a lot of modern malware is happy to live in user space. Not saying the problem isn't worse on Windows, it is, but that is not all you are saying, and that level of complacency is not good for Linux users
Re: (Score:2)
You Linux Loser think you're actually going to catch up to Windows in virus infections?!
Pfft!
Windows has always been more insecure than Linux and by a wider margin than ever. Microsoft even brought back security holes fixed in prior releases. They even have a new app, VirusHost.exe that will help you install viruses if you can't find them yourself! How can Linux compete with that!
My Windows box can get infected just by connecting to a network! It's completely automatic. I don't have to sud
That might explain (Score:2)
The latest bullshit update I had to disable. It seems that binaries not signed by a vendor or the OS are now "locked" and you have to disable that bit in the properties box. Like HWMonitor for example https://www.cpuid.com/software... [cpuid.com] just stopped running and gave me an error about security settings.
Does anyone really use UAC on personal machines? (Score:3)
Serious question. There's a lot of bitching about bypassing privileges and UAC, because that's frankly easy with five minutes on google if you have hardware level access. Security wise, UAC is very much a lowest possible friction, while being pretty high on user annoyance.
So does anyone use UAC for security purposes other than limiting potential system damage from ignorant users? If so, why?
Re:Does anyone really use UAC on personal machines (Score:4, Insightful)
It's not that UAC is so annoying, it's that so many craptastic windows programmers are so bad at writing useful apps that can run in the expected UAC environment
Re: (Score:2)
Those craptastic programmers however do make software for windows that is useful, and there's a lot of them. Which is why windows is still the de facto desktop OS of choice for pretty much everyone in the world.
Re: (Score:2)
If it only runs in privileged, then its main use will be to allow Eastern European hackers into your system.
Re: (Score:2)
Yes, because for modern western developers, "why would you develop something you don't have a remote way to get into to extend monetization" is a real question.
Funnily enough, that is not the question for the old functional software done by enthusiasts. Their software typically doesn't even try to get internet access from the system.
So which software would be more of a danger for backdooring?
Re: (Score:2)
Yes, that is the "do the security right, fuck your usability" way of doing things.
Thing is, for pretty much everyone in the world, usability is the primary concern, while security is secondary. Notably, this is true for everyone in a field that isn't of their expertise. You probably don't wrap your car's key fob in a faraday cage, and don't harden your windows and doors to extreme degree and purchase specialist locks that are genuinely hard to pick and drill out, because those are not your areas of expertis
Re: (Score:2)
Imagine being so fucking stupid as a propaganda bot, that you post spam about military security into a civil security thread.
Re: (Score:2)
Yes, this is the common misunderstanding of "expert in a single field". Where you prioritise security over usability in your field, and are confused as to why everyone else doesn't value security as much as you do.
And then you go home to crappy locks that can be picked in less than a minute, use key fobs for your vehicle that can be extended to open your vehicle without depositing them in a faraday cage when you come home, don't harden your doors and windows against forced ingress and so on. It's the "I'm w
Re: (Score:2)
I don't own the building I live in. (So no re-enforcing anything, or replacing locks.)
My car is so old the keyfob is RF and the receiver doesn't work anymore. (And costs more than the car is worth to fix.)
I also never said anything about maximum security. Most won't even use a password if they can get away with it. Let alone backup what is important to them. These aren't maximum security practices, they are the most basic security practices.
As for time, they spend most of their day with the
Re: (Score:2)
It's funny to me that you list a horrific real world setup and then demonstrate the exact kind of apathy for that security that you talk about in that field.
Which is exactly my point. You don't actually care about security in the field you don't quite understand. You care about usability in everything but the field you understand however. Because your time is actually important to you universally.
Re: (Score:2)
It doesn't cost much to put your key fob in a small faraday cage. It costs very little to harden your doors to entry as well. If you do it yourself, it's easily less than 100 EUR even at crazy costs of a peripheral nation like mine.
And yet, you make an appeal to costs in the field that you don't understand, underlying your utter lack of understanding of said field.
Re: (Score:2)
It doesn't cost much to put your key fob in a small faraday cage
Maybe I wasn't clear. I just said, the receiver inside the car doesn't work. In that regard it's better than your Faraday cage because the car will never respond to any fob. Not mine nor anyone else's.
It costs very little to harden your doors to entry as well
I said, I do not own the building. Considering you're quoting Euros, I assume you don't live in the US. FYI: It's illegal where I live to make such modifications to property you don't own. (To a lesser extent, It's also against the terms of my lease.) If I were to do otherwise, I would be hauled in front of
Re: (Score:2)
Now you're starting to sound like someone who pulled the ethernet cable because internet is full of evil things. From one extreme to the other.
Re: (Score:2)
So does anyone use UAC for security purposes other than limiting potential system damage from ignorant users? If so, why?
Because ignorant users aren't the only thing which can execute a payload. Software exploits can as well, and when that payload triggers silently on your UAC disabled account (no different to being stupid enough to run Linux as root) you're owned. On the other hand UAC gives you a fighting chance.
Now on the flip side if UAC is annoying for you, WTF are you doing wrong? Have you considered just using your PC instead of constantly installing stuff on it for the lulz? I think it's been a good 4 months since I'v
Re: (Score:2)
Almost all "Game As A Service" games nowadays shower you in UAC prompts the moment you start them, due to anti-cheat software. And then there are launchers that are even more fucked up (Looking at you uPlay) and have to ask more than once.
So if you game a lot, you see that popup... A lot...
Re: (Score:2)
Best part is, it will sometimes crash something within UAC. I've seen cases where it needed a hard reboot because the system got locked by UAC prompt, but UAC prompt failed to go in front of the game on the screen and even keyboard shortcuts wouldn't work because it wasn't the element in focus.
Re: (Score:2)
ctrl-esc
ctrl-alt-del
Those sometimes help/work.
Also multiple monitors and never starting a game in fullscreen.
Re: (Score:2)
So basically if you don't download porn.exe, you're fine. Which is my original point. UAC offers some protection for incompetent user from himself. It offers little to nothing to a power user.
P.S. UAC will shower you in those prompts if you play games, or run software that updates frequently.
Re: (Score:2)
I kind of like it. Sometimes I accidentally run the wrong legit program and I can deny it to run the right one.
Good old MS crap (Score:4, Informative)
Not even secure against ancient malware spreading techniques. I mean, how pathetically inept can you get?
Re: (Score:1)
Kind of looks like the exchange server vector from a while ago?
Re: (Score:3)
To me, this looks like the "floppy virus" I saw on a C64 around 40 years ago.
Re: (Score:2)
Lamer Exterminator strikes again!
Re: (Score:2)
The bothersome thing is that although to get the infection the user has to obtain an infected usb stick and click through the "let's not use a condom" message, it's that this is somehow Microsoft's fault.
Re: (Score:2)
It is. It is known that users cannot competently deal with such warnings. It has been known for decades. It has been known that the right way to do this is to _not_ offer auto-run and to make users work for it if they want to run something from an external medium.
As it is, this is 100% MS incompetence.
Re: (Score:2)
Would not surprise me one bit. As I have only administered Linux machines and one cluster, I have little hands-on experience with Windows. But the problems I hear about are utterly laughable and demented.
Re: (Score:2)
Your sig i
Re: (Score:2)
This has literally nothing to do with autorun. Yes autorun is bad, but this isn't done with autorun.
This is literally a user clicking a camouflaged executable on the infected USB stick.
Re: (Score:2)
Not even secure against ancient malware spreading techniques. I mean, how pathetically inept can you get?
You mean like getting the user to install something? Yeah hate to break it to you but no system is immune from a manual user intervention. I mean, how pathetically ignorant can *you* get?
Re: (Score:2)
As usual, you have no insight but shoot your mouth off. As expected.
Re: (Score:2)
And the user clicks the link why? We call this a "Redneck virus". As in "please click here to get infected".
Re: (Score:3)
One of my previous jobs had a person like that. We told her don't open zip files that people send her. She was expecting something from the office manager so there was an email to herself addressed from herself (first red flag) containing a zip attachment (second red flag), inside the zip was a vbscript file that asked for permission to execute (third red flag) and she still said ok to everything...
15 minutes later she asks what happened to all her desktop icons that all looked funny and had the .LOCKY exte
Re: (Score:2)
And the user clicks the link why?
If I could answer that, I would be rich. Hell, why are they plugging in rando USB drives to begin with?
Users can't seem to help not clicking stuff they are not supposed to click. Even if you give them a warning, it's almost a law of nature they will pick the wrong button to click. "This is going to destroy your PC. Do you want to continue? Yes / No". Yes, every time. "This is going to destroy your PC? Do you want to prevent this? Yes / No" No, 100% of the time.
We had an environment we had to push out an
Re: (Score:2)
I wrote a response to this but it was blocked by Cloudflare
Then I tried to paste it on pastebin and they blocked it too
So here it is on some site called ControlC which was at the top of a list of pastebin alternatives
https://controlc.com/abb541d1 [controlc.com]
Sound security practices (Score:3)
One should know better than clicking on a link. [uncyclopedia.co]
Raspberry! (Score:2)
A worm in its natural habitat (Score:1)