Zeppelin Ransomware Returns with New Trojan on Board

zeppelin ransomware

The malware has popped up in a targeted campaign and a new infection routine.

The Zeppelin ransomware has sailed back into relevance, after a hiatus of several months.

A wave of attacks were spotted in August by Juniper Threatlab researchers, making use of a new trojan downloader. These, like an initial Zeppelin wave observed in late 2019, start with phishing emails with Microsoft Word attachments (themed as “invoices”) that have malicious macros on board. Once a user enables macros, the infection process starts.

Threatpost Webinar Promo Bug Bounty

Click to Register

In the latest campaign, snippets of Visual Basic scripts are hidden among garbage text behind various images. The malicious macros parse and extract these scripts, and write them to a file at c:\wordpress\about1.vbs.

A second macro then looks for the string “winmgmts:Win32_Process” inside the document text, and uses it to execute about1.vbs from disk. About1.vbs is the aforementioned trojan downloader, which ultimately downloads the Zeppelin ransomware onto a victim’s machine.

The binary sleeps for 26 seconds “in an attempt to out-wait dynamic analysis in an automated sandbox and then runs the ransomware executable,” according to the recently released analysis. “As with previous versions, the Zeppelin executable checks the computer’s language settings and geolocation of the IP address of the potential victim to avoid infecting computers in Russia, Belarus, Kazakhstan and Ukraine.”

As for attribution, according to previous research from Vitali Kremez, Zeppelin is a simple piece of code that’s distributed via an affiliate business: The malware is generated via a GUI wizard and offered to distributors in return for a revenue share.

The latest campaign has affected around 64 known victims and targets, Juniper researchers noted, indicating a certain level of targeting. It may have started in June 4, when the command-and-control (C2) server that the malware uses was registered; and passive DNS data shows that it ran until at least Aug 28; August 28 is the most recent name resolution for the C2 domain, according to passive DNS data.

“[This] could indicate the malware has not infected new networks in the last few days,” according to the post.

Zeppelin is a variant of the Delphi-based ransomware-as-a-service (RaaS) family initially known as Vega or VegaLocker, which emerged at the beginning of 2019 in advertisements on the Russia-based Yandex.Direct – according to BlackBerry Cylance. Unlike its predecessor, Zeppelin is much more targeted, and first took aim at targeted tech and healthcare companies in Europe and the U.S.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.


Suggested articles