Researchers in the field of information security is calling people's attention to an ongoing wave of attacks that are connected to a threat cluster known as Raspberry Robin, which is the source of Windows malware that possesses worm-like capabilities.
Cybereason noted a number of victims in Europe and referred to the threat as "persistent" and "spreading." The company also noted that it had observed the threat "spreading."
A worm is responsible for the infections, and it spreads through removable USB devices that have malicious software on them.
LNK files and uses infected QNAP network-attached storage (NAS) devices as a command-and-control infrastructure. In May of 2022, researchers from Red Canary were the first people to ever document it.
The malware, which Sekoia also referred to as the QNAP worm, takes advantage of a legitimate Windows installer binary called "msiexec.exe" in order to download and run a malicious shared library (DLL) from a QNAP NAS appliance that has been compromised.
"To make it harder to detect, Raspberry Robin leverages process injections in three legitimate Windows system processes," a researcher at Cybereason named Loc Castel said in a technical write-up. Castel also mentioned that the malware "communicates with the rest of [the] infrastructure through TOR exit nodes."
Modifications to the Windows Registry are made in order to load the malicious payload through the Windows binary "rundll32.exe" during the startup phase. These modifications allow for persistence on the machine that has been compromised.
The campaign, which is thought to have begun in September 2021, has been something of a mystery so far, with no clues as to the origin of the threat actor or its end goals. It is believed that the campaign began in September 2021.
This revelation comes at the same time that QNAP has stated that it is actively investigating a new wave of Checkmate ransomware infections that have targeted its devices. This attack is the most recent in a string of attacks that has also included AgeLocker, eCh0raix, and DeadBolt.
"Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords," the company noted in an advisory. "Preliminary investigation also indicates that Checkmate attacks via SMB services exposed to the internet."
"Once the attacker has successfully logged in to a device, they will encrypt data in shared folders and leave a ransom note in each folder with the file name "!CHECKMATE DECRYPTION README.""
Customers of the Taiwanese company are advised by the company to take the precautions of not exposing SMB services to the internet, increasing the strength of their passwords, performing regular backups, and updating the QNAP operating system to the most recent version.
Post a Comment
Your suggestions and comments are welcome