Cybersecurity researchers from Red Canary recently discovered a new worm-like malware they’ve dubbed Raspberry Robin, which spreads via infected USB drives. While they’ve been able to observe and study the working of the malware, they haven’t yet been able to figure out its ultimate purpose. “[Raspberry Robin] is an interesting story whose ultimate threat profile is yet to be determined,” Tim Helming, security evangelist with DomainTools, told Lifewire over email. “There are too many unknowns to hit the panic button, but it’s a good reminder that building strong detections, and taking common sense security measures, have never been more important.”
Shooting in The Dark
Understanding a malware’s ultimate objective helps rate its risk level, explained Helming. For instance, sometimes compromised devices, such as the QNAP network-attached storage devices in the case of Raspberry Robin, are recruited into large-scale botnets to mount distributed denial of service (DDoS) campaigns. Or, the compromised devices could be used for mining cryptocurrency. In both cases, there wouldn’t be an immediate threat of data loss to the infected devices. However, if Raspberry Robin is helping assemble a ransomware botnet, then the risk level for any infected device, and the local area network it is attached to, could be extremely high, said Helming. Félix Aimé, threat Intelligence and security researcher at Sekoia told Lifewire via Twitter DMs that such “intelligence gaps” in malware analysis aren’t unheard of in the industry. Worryingly, however, he added that Raspberry Robin is being detected by several other cybersecurity outlets (Sekoia tracks it as the Qnap worm), which tells him that the botnet the malware is trying to build is quite large, and could perhaps include “hundred thousand of compromised hosts.” The critical thing in the Raspberry Robin saga for Sai Huda, CEO of cybersecurity company CyberCatch, is the use of USB drives, which covertly installs the malware that then creates a persistent connection to the internet to download another malware that then communicates with the attacker’s servers. “USBs are dangerous and should not be allowed,” stressed Dr. Magda Chelly, Chief Information Security Officer, at Responsible Cyber. “They provide a way for malware to easily spread from one computer to another. This is why it’s so important to have up-to-date security software installed on your computer and to never plug in a USB that you don’t trust.” In an email exchange with Lifewire, Simon Hartley, CISSP and a cybersecurity expert with Quantinuum said USB drives are part of the tradecraft that adversaries use to break so-called “air gap” security to systems not connected to the public internet. “They are either outright banned in sensitive environments or require special controls and verifications because of the potential for adding or removing data in overt ways as well as introducing hidden malware,” shared Hartley.
Motive Isn’t Important
Melissa Bischoping, Endpoint Security Research Specialist at Tanium, told Lifewire via email that while understanding a malware’s motive may help, researchers have multiple capabilities for analyzing the behavior and artifacts that malware leaves behind, to create detection capabilities. “While understanding motive can be a valuable tool for threat modeling and further research, the absence of that intelligence does not invalidate the value of existing artifacts and detection capabilities,” explained Bischoping. Kumar Saurabh, CEO and co-founder of LogicHub, agreed. He told Lifewire over email that trying to understand the goal or motives of hackers makes for interesting news, but isn’t very useful from a security perspective. Saurabh added the Raspberry Robin malware has all the characteristics of a dangerous attack, including remote code execution, persistence, and evasion, which is enough evidence to sound the alarm, and take aggressive actions to curb its spread. “It’s imperative for cybersecurity teams to take action as soon as they spot the early precursors of an attack,” stressed Saurabh. “If you wait to understand the ultimate goal or motives, such as ransomware, data theft, or service disruption, it will probably be too late.”