The battle between good and evil is ongoing when it comes to the cybersecurity space. We regularly hear about new vulnerabilities being exploited by malicious actors, as well as the defenses being built against them reactively and proactively. Now, Microsoft has issued private advisories about a high-risk worm that is infecting hundreds of Windows enterprise networks.

Nicknamed “Raspberry Robin”, the malware spreads via infected USB drives containing a .LNK file. As soon as a user clicks on this file, the worm creates a msiexec.exe process via the command prompt and launches another malicious file. It then communicates with the command and control servers with a short URL. If the connection is successful, it downloads and installs a bunch of other malicious DLLs, which then try to communicate with TOR nodes.

It is important to note that Raspberry Robin is not a new piece of malware. Several security experts first spotted it in 2021, and Microsoft even saw evidence of it being used in 2019.

According to Bleeping Computer, Microsoft is now privately informing Defender for Endpoint subscribers about the dangers posed by the Raspberry Robin. He also noted that he discovered the worm on hundreds of Windows networks in multiple industries.

That being said, it is very interesting to know that while the infected machines communicate with the Tor network, the threat actors behind the Raspberry Robin still need to take advantage of the exploit to gain access to sensitive information or deploy ransomware. They can easily do this considering that the initial payloads they downloaded can be used to bypass User Account Control (UAC) by misusing Windows utilities. As such, it is currently unknown which threat group is using the Raspberry Robin and what its ultimate goal is. However, given the potential for this threat to escalate, as well as the fact that it is spreading quite quickly, Microsoft has labeled it a high-risk campaign for now.

Source: Bleeping Computer