Hij is inderdaad zichtbaar in security.Microsoft.com waar je onder “hem” onder Threat Analytics terug kan vinden. De Security / sysadmin kan vanuit hier verder om te kijken of het voorkomt in het netwerk / de devices en detection regels configureren.

Executive summary
In early May 2022, a new worm named Raspberry Robin, was initially reported by Red Canary to have spread to Windows systems through infected USB devices. The USB device contains a disguised Windows shortcut (LNK) file. This worm relies on built-in Windows utilities such as msiexec.exe, fodhelper.exe, rundll32.exe, and odbconf.exe to install itself on the connected device, connect to a command-and-control (C2) server before downloading and launching additional DLL files.

Microsoft has observed this worm in hundreds of organizations spanning multiple industries. As of now, Microsoft security researchers have not attributed this worm to a threat actor group nor observed evidence of further lateral movement and advanced attacker activity upon initial installation of the worm. However, the usage of fodhelper.exe to spawn rundll32.exe, allows any downloaded malware to run with elevated administrative privileges without requiring a User Account Control prompt for consent or credentials, performing a UAC bypass. Due to the ability to achieve elevated permissions as well as the successful connection to an external domain, without proper protections in place, an attacker could easily escalate their attack to move laterally and access sensitive systems and data.

There are several detections that are available to help customers understand if they are impacted by this threat. Detection details for Microsoft 365 Defender are in the Detection details section of this report. Microsoft 365 Defender customers should also apply the security configurations and other prescribed mitigations and use the provided advanced hunting queries to check their network for attacks related to this tool.

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

Turn on Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of remote access trojans (RATs) and other unwanted applications.
Enable Tamper Protection for Defender Antivirus
Enable Cloud-based protection for Defender Antivirus

Reduce attack surface

Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent several of the infection vectors of this threat. Attack surface reduction rules, which can be configured by any Microsoft Defender Antivirus user, offer significant hardening against the worm. In observed attacks, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:

Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block untrusted and unsigned processes that run from USB

Tevens is er een Advanced Hunting query (KQL) beschikbaar waarmee je kan zoeken of dit voorkomt op je devices (Microsoft doet dit ook automatisch met Defender)

Advanced hunting

To locate possible exploitation activity, run the following queries.

Network connection launched from msiexec.exe

Upon execution of msiexec.exe, the malicious .LNK file will create a network connection over port 8080. Run query

DeviceProcessEvents | where FileName == “msiexec.exe” and ProcessCommandLine has_any (‘http:’,’https:’) | where ProcessCommandLine has_any (‘/q’, ‘-q’) | where ProcessCommandLine has “8080”

Detection details

Microsoft Defender Antivirus incorporates next-generation antivirus capabilities, including machine learning and behavioral detection. This can result in overlapping detections, particularly of first-seen components and polymorphic variants.

Trojan:Win32/VintageDynamo.A – This is a generic detection looking for suspicious execution of .LNK files. There could be results from this that are not associated explicitly with the Raspberry Robin worm.

Endpoint detection and response (EDR)

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

Suspicious process launched using cmd.exe
Suspicious behavior by msiexec.exe
USB scanning

You can configure preferences for Windows Defender scans and updates to include scanning of removable drives. The Set-MpPreference cmdlet configures preferences for Windows Defender scans and updates. The following command allows you to scan removable drives:


This command indicates whether to scan for malicious and unwanted software in removable drives, such as flash drives, during a full scan. If you specify a value of $False or do not specify a value, Windows Defender scans removable drives during any type of scan. If you specify a value of $True, Windows Defender does not scan removable drives during a full scan. Windows Defender can still scan removable drives during quick scans or custom scans.

[Reactie gewijzigd door HKLM_ op 4 juli 2022 16:45]