Microsoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread. These infections lead to follow-on hands-on-keyboard attacks and human-operated ransomware activity. Our continuous tracking of Raspberry Robin-related activity also shows a very active operation: Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days.

Although Raspberry Robin is relatively new, the threat has been tracked since late January. They first observed the malware family through a number of malicious Microsoft Word documents appearing in the wild, which used a destructive macro to overwrite files on victim machines. Like Locky, they used pre-ransomware tactics as part of their attack to ensure that victims pay ransoms. In mid-February, they detected a series of malicious Word documents with macros that exploited a fileless code execution technique, bypassing Microsoft Office protections such as Protected View. These attacks were hosted on websites serving ads containing dropper scriptlets that downloaded and executed the payloads. In both cases, a unique identifier contained in the payloads identified them as part of the same family.

The compromises seen using macros have all used malicious macro code that executes PowerShell commands as a means to deliver embedded payloads. These techniques are similar to those used by previous macro-based threats like Wicked Pissed Off RAT (WOPR).

‍

Source: Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity - AlienVault - Open Threat Exchange