Fraud Management & Cybercrime , Malware as-a-Service , Ransomware

Zeppelin Ransomware Floats Back Into View

Updated Trojan Downloader Helps Avoid Detection
Zeppelin Ransomware Floats Back Into View

After a six-month hiatus, the Zeppelin ransomware variant returned in late August, according to Juniper Threats Labs. The malware now uses an updated Trojan downloader to better hide its activities from security tools.

See Also: Mitigating Identity Risks, Lateral Movement and Privilege Escalation

Zeppelin was first spotted by independent security researcher Vitali Kremez in late 2019, when it primarily targeted IT and healthcare firms, according to the report. It's distributed using the ransomware-as-a-service model.

The ransomware appears to be a variant of another type of crypto-locking malware called Buran, according to Juniper. Buran is a variation of another type of ransomware strain called VegaLocker, according to previous research published by McAfee (see: New Ransomware-as-a-Service Offered at Deep Discount: Report).

In the latest campaign that started in August, the Juniper researchers found that the operators of Zeppelin use the same type of phishing lures as in previous attacks, although they use a new downloader that helps obscure a Trojan for implanting the ransomware code.

The researchers note that the domain that serves as the command-and-control server was established June 4, and most of the activity associated with it started around Aug. 28. It's not clear if any attacks have been successful or if any ransoms have been paid, says Asher Langton, a researcher with Juniper Threat Labs.

"Unlike some older ransomware, the victim is supposed to contact the attacker instead of just sending payment to a fixed bitcoin address, so we can't trace payments via the blockchain," Langton tells Information Security Media Group.

Hiding the Attack

A Zeppelin ransomware attack starts when a targeted victim receives a phishing email disguised as an invoice, according to the Juniper report.

The phishing emails are sent with an attached Microsoft Word document, portrayed as an invoice, that hides malicious VBA macros. Once the attachment is opened, the macros are enabled and the initial attack starts, according to the report.

The attached Word document helps obscure what appears to be junk code but actually contains Visual Basic scripts hidden in the text, the report notes. This code is part of an obfuscation technique that helps hide a Trojan that starts the ransomware infection.

Zeppelin ransom note (Source: Juniper Threat Labs)

Once the malicious macros are enabled, the text is extracted and written to a file at c:wordpressabout1.vbs, according to the report. When the document is closed, a second round of macros runs, which further helps hide the attack.

The second macro string eventually downloads a Trojan that then installs the Zeppelin ransomware within a compromised device. Before it starts working, the malware "sleeps for 26 seconds in an attempt to out-wait dynamic analysis in an automated sandbox and then runs the ransomware executable," according to the report.

Unknown Origins

The Juniper report does not shed light on the threat actors behind Zeppelin, but the report and other analyses find that if the ransomware comes across an infected device that has an IP address linked to Russia, Belarus, Kazakhstan or Ukraine, the attack is stopped.

The report notes that it "is difficult to assess how many targeted computers resolved the [command-and-control] domain, but there were only 64 confirmed DNS queries to its authoritative name server, which suggests the attacks might be targeted and not widespread."


About the Author

Chinmay Rautmare

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produced multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.