Cybersecurity researchers are drawing attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that's behind a Windows malware with worm-like capabilities.
Describing it as a "persistent" and "spreading" threat, Cybereason said it observed a number of victims in Europe.
The infections involve a worm that propagates over removable USB devices containing a malicious .LNK file and leverages compromised QNAP network-attached storage (NAS) devices for command-and-control. It was first documented by researchers from Red Canary in May 2022.
Also codenamed QNAP worm by Sekoia, the malware leverages a legitimate Windows installer binary called "msiexec.exe" to download and execute a malicious shared library (DLL) from a compromised QNAP NAS appliance.
"To make it harder to detect, Raspberry Robin leverages process injections in three legitimate Windows system processes," Cybereason researcher Loïc Castel said in a technical write-up, adding it "communicates with the rest of [the] infrastructure through TOR exit nodes."
Persistence on the compromised machine is achieved by making Windows Registry modifications to load the malicious payload through the Windows binary "rundll32.exe" at the startup phase.
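The two behaviours described above, msiexec.exe fetching a package from a remote host and a Registry Run key that starts rundll32.exe with a DLL, are both cheap to hunt for in endpoint telemetry. The following is an added example (not code from the article, Cybereason or Red Canary) that runs two such hunting rules over constructed events loosely modelled on Sysmon process-creation and registry-set records; the event layout, the hostname nas.example.invalid and the paths are placeholders, not indicators from the campaign.

```python
"""Hunt for two Raspberry Robin-style behaviours in constructed endpoint events.

Rule 1: msiexec.exe started with a URL on its command line, i.e. the
        Windows installer being used to fetch a package from a remote host.
Rule 2: a Registry Run/RunOnce value that launches rundll32.exe, i.e.
        startup persistence through a DLL loaded by rundll32.
Event layout is an assumption modelled on Sysmon event types 1 and 13.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry; hostnames and paths are placeholders.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /q /i "C:\Users\a\Downloads\tool.msi"'},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec -q -i http://nas.example.invalid:8080/pkg.msi"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"rundll32.exe C:\ProgramData\x\payload.dll,StartW"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# A URL anywhere in the command line, whatever the flag style (/i or -i).
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
# Run and RunOnce keys under HKCU or HKLM (the hive prefix is not checked).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def check_msiexec_remote(ev):
    """Rule 1: the installer binary pointed at a remote package."""
    if ev.get("type") != "process":
        return None
    if not ev["image"].lower().endswith("\\msiexec.exe"):
        return None
    m = URL_RE.search(ev["cmdline"])
    if not m:
        return None
    return Finding("msiexec_remote_install", m.group(0))


def check_run_key_rundll32(ev):
    """Rule 2: autostart value that hands a DLL to rundll32."""
    if ev.get("type") != "registry":
        return None
    if not RUN_KEY_RE.search(ev["key"]):
        return None
    if "rundll32" not in ev["value"].lower():
        return None
    return Finding("run_key_rundll32", ev["key"])


def hunt(events):
    """Apply every rule to every event and collect the findings in order."""
    findings = []
    for ev in events:
        for check in (check_msiexec_remote, check_run_key_rundll32):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f.rule, f.detail)
```

Both rules are deliberately narrow: a local MSI install and a rundll32 call into shell32.dll are ordinary Windows activity and produce no finding, while the remote-package fetch and the Run-key DLL load each trigger exactly one. In a real environment the Run-key rule should be joined with the image-load or process telemetry so the DLL path can be triaged.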
The campaign, which is believed to date back to September 2021, has remained something of a mystery so far, with no clues as to the threat actor's origin or its goals.
The disclosure comes as QNAP said it's actively investigating a new wave of Checkmate ransomware infections targeting its devices, making it the latest in a series of attacks after AgeLocker, eCh0raix, and DeadBolt.
"Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords," the company noted in an advisory.
"Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE_DECRYPTION_README" in each folder."
As precautions, the company recommends that customers not expose SMB services to the internet, improve password strength, take regular backups, and update the QNAP operating system to the latest version.
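The pattern QNAP describes for Checkmate, many failed SMB logins against several accounts from an internet address followed by a success, is visible in NAS authentication logs before any encryption starts. This added example (not QNAP's code, and the log format is invented for the example) groups failures per source address in a sliding time window and flags a source once it has tried enough passwords across enough accounts; the sample log lines and addresses are constructed.

```python
"""Flag SMB dictionary attacks in constructed NAS authentication logs.

The line format, the window and the thresholds below are assumptions for
the example; adapt the regex to the real log format of your device.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst against four accounts from an internet
# address that ends in a successful login, and one benign LAN typo.
LOG_LINES = [
    "2022-07-14T10:00:01Z smbd auth_fail user=admin src=203.0.113.5",
    "2022-07-14T10:00:02Z smbd auth_fail user=admin src=203.0.113.5",
    "2022-07-14T10:00:02Z smbd auth_fail user=backup src=203.0.113.5",
    "2022-07-14T10:00:03Z smbd auth_fail user=guest src=203.0.113.5",
    "2022-07-14T10:00:04Z smbd auth_fail user=test src=203.0.113.5",
    "2022-07-14T10:00:05Z smbd auth_ok user=admin src=203.0.113.5",
    "2022-07-14T10:00:07Z smbd auth_fail user=alice src=192.168.1.20",
    "2022-07-14T10:05:00Z smbd auth_ok user=alice src=192.168.1.20",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) smbd (?P<result>auth_fail|auth_ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Explicit LAN ranges rather than ipaddress.is_private/is_global: the
# sample uses a documentation address (203.0.113.0/24), which the stdlib
# classifies as private, so it would be misreported as a LAN source.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse(line):
    """Return a dict with ts/result/user/src, or None for unknown lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_internet_source(src):
    """True when the address is outside the LAN ranges, i.e. SMB is exposed."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in LAN_RANGES)


def find_dictionary_attacks(lines, window=timedelta(minutes=1),
                            min_failures=5, min_users=3):
    """Return {src: summary} for sources whose failures in any window of
    `window` length reach min_failures across at least min_users accounts."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_src[rec["src"]].append(rec)

    alerts = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["result"] == "auth_fail"]
        start = 0
        for end in range(len(fails)):
            # Advance the window start until it spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            win = fails[start:end + 1]
            users = {r["user"] for r in win}
            if len(win) >= min_failures and len(users) >= min_users:
                # A success at or after the burst means a weak password fell.
                success_after = any(
                    r["result"] == "auth_ok" and r["ts"] >= win[-1]["ts"]
                    for r in recs)
                alerts[src] = {
                    "failures": len(win),
                    "users": sorted(users),
                    "internet_facing": is_internet_source(src),
                    "success_after_burst": success_after,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in find_dictionary_attacks(LOG_LINES).items():
        print(src, info)
```

The `internet_facing` flag is the part that maps directly to QNAP's first recommendation: any alert with that flag set means SMB is reachable from outside, and `success_after_burst` tells the responder whether a password-strength failure has already been exploited and the shared folders need to be checked for the ransom note.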
Great straightness seems bent, great skill seems clumsy, great eloquence seems halting.
-- Tao Te Ching, Chapter 45
This article is translated from:
https://thehackernews.com/2022/07/researchers-warn-of-raspberry-robins.html
If reposting, please credit the original source.