The Zeppelin ransomware has sailed back into relevance, after a pause of a couple of months.
An ‘armada’ of attackers was spotted in August by Juniper Threat Labs researchers, using a new trojan downloader.
These attacks, like the first Zeppelin wave seen in late 2019, start with phishing emails carrying Microsoft Word attachments (themed as “invoices”) that contain malicious macros. When a user enables macros, the infection process begins.
In this new campaign, elements of Visual Basic scripts are hidden among ‘garbage text’ behind various images. The malicious macros parse and extract these scripts and write them to a file at c:\wordpress\about1.vbs.
A second macro then looks for the string “winmgmts:Win32_Process” inside the document text and uses it to execute about1.vbs from disk. about1.vbs is the trojan downloader, which ultimately downloads the Zeppelin ransomware onto the victim’s machine.
The binary sleeps for 26 seconds “in an attempt to out-wait dynamic analysis in an automated sandbox and then runs the ransomware executable,” says the recently released analysis.
“As with previous versions, the Zeppelin executable checks the computer’s language settings and geolocation of the IP address of the potential victim to avoid infecting computers in Russia, Belarus, Kazakhstan and Ukraine.”
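As an added example (not code from the Juniper analysis or this article), the Python triage function below checks a .docx for the two document-side traits described above: a VBA project stream and the “winmgmts:Win32_Process” launcher string in the body text. The documents it builds are constructed for the demonstration, not real samples.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# Indicator quoted in the analysis above: the WMI string the second macro
# reads out of the document body to launch the dropped .vbs.
WMI_MARKER = "winmgmts:Win32_Process"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def docx_body_text(data: bytes) -> str:
    """Concatenate every <w:t> run of word/document.xml (the visible body).
    Joining the runs means a marker split across formatting runs still matches."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(f"{{{W_NS}}}t"))


def has_vba_project(data: bytes) -> bool:
    """Word stores macros in the word/vbaProject.bin part of the OOXML zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return "word/vbaProject.bin" in zf.namelist()


def triage_docx(data: bytes) -> dict:
    """Flag a document that both carries macros and embeds the WMI launcher
    string in its body text, the combination this campaign relies on."""
    macro = has_vba_project(data)
    marker = WMI_MARKER.lower() in docx_body_text(data).lower()
    return {"macro_present": macro, "wmi_marker_in_body": marker,
            "suspicious": macro and marker}


def build_sample_docx(body_text: str, with_macro: bool) -> bytes:
    """Constructed minimal .docx used only to exercise triage_docx()."""
    doc = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
           f'<w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
        if with_macro:  # placeholder bytes stand in for a real VBA stream
            zf.writestr("word/vbaProject.bin", b"\x00placeholder vba stream")
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_docx("Invoice 1043 attached, please review.", False)
    lure = build_sample_docx("lorem ipsum winmgmts:Win32_Process lorem", True)
    print(triage_docx(benign))  # suspicious: False
    print(triage_docx(lure))    # suspicious: True
```

The check is a cheap mail-gateway or sandbox pre-filter; a marker found in the body without a VBA part is reported but not flagged, so analysts can tune the rule.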
According to previous research from Vitali Kremez, Zeppelin is a ‘simple’ piece of code that’s distributed via an affiliate business model: the malware is generated with a GUI wizard and offered to distributors in return for a revenue share.
The latest campaign has affected around 64 known victims and targets, Juniper researchers noted, indicating a certain level of targeting.
It may have started on June 4, when the command-and-control (C2) server that the malware uses was registered, and passive DNS data shows that it ran until at least Aug. 28, the most recent name resolution for the C2 domain.
“This could indicate the malware has not infected new networks in the last few days,” explains the post.
Zeppelin is a variant of the Delphi-based ransomware-as-a-service (RaaS) family initially known as Vega or VegaLocker, which emerged in early 2019 in advertisements on the Russia-based Yandex.Direct, according to BlackBerry Cylance. Unlike its predecessor, Zeppelin is much more targeted, and was first aimed at tech and healthcare companies in Europe and the US.