Zeppelin Ransomware Returns Using New Trojan to Evade Antivirus

September 09, 2020 - The Zeppelin ransomware variant has reemerged in the wild, employing a new trojan downloader to evade antivirus applications and avoid detection, according to new Juniper Threat Labs research. 

Blackberry Cylance researchers first observed Zeppelin in November 2019, in a wave of targeted, carefully selected cyberattacks against technology and healthcare sectors across the US and Europe. The variant was the latest member of the Delphi-based ransomware-as-a-service family known as Vega or VegaLocker – thought to be Russian in origin. 

The variant uses obfuscation on all sensitive binary strings with different pseudo-random 32-byte RC4 keys appended to each encryption string. 

“The string obfuscation acts as a crude polymorphism mechanism, as each generated sample will use different RC4 keys,” researchers explained, at the time. “It also helps Zeppelin evade detection and complicates analysis. Although the majority of samples are not packed, BlackBerry Cylance researchers have come across Zeppelin executables protected by attackers using additional polymorphic obfuscation software.” 

“Zeppelin appears to be highly configurable and can be deployed as an EXE, DLL, or wrapped in a PowerShell loader,” they added. “The samples are hosted on water-holed websites, and in the case of PowerShell, on Pastebin.” 

Zeppelin’s attack methods are similar Sodinokibi, another ransomware variant keen on targeting healthcare entities. 

The latest Zeppelin campaign was first detected by Juniper on August 28, using a domain registered on June 4 for its command-and-control (C2). Reseachers believe the malware continues to be targeted and not widespread, although it’s difficult to assess just how many targeted computers resolved the C2 domain. 

Zeppelin infections begin as Microsoft Word documents that contain a malicious macro. The methods used are similar to other ransomware attacks, with documents designed to lure victims into enabling VBA macros to launch the ransomware deployment. 

However, the supposed invoices appended to the malicious documents are just images, and if the images are moved, the document reveals what appears to be random gibberish. In reality, the document contains Visual Basics scripts obscured from the user in garbage text. 

If a user opens the document, the text is extracted and written to the computer by the embedded macro. Once the document is closed the second macro runs.  

“To further obfuscate their intent, the authors pull the string ‘winmgmts:Win32_Process’ from the document text and use it in the script to execute about1.vbs from disk,” researchers explained. “The garbage text extracted from the document is treated as commented-out code and ignored by the Visual Basic interpreter, leaving only the malicious commands.” 

Further, the variant is saved on the computer and “sleeps for 26 seconds in an attempt to out-wait dynamic analysis in an automated sandbox and then runs the ransomware executable.” Much like with the first iteration, Zeppelin still checks the victim’s IP address to verify its location. 

The Juniper Threat Labs report contains a list of indicators of compromise (IOCs) to help identify an infection. Human-operated ransomware variants are extremely challenging to detect, which means healthcare organizations should also refer to previous guidance from Microsoft for insights into detection and response methods. 

COVID-19 has spurred a spate of these attacks from Sodinokibi, Maze, REvil, Netwalker, and other ransomware variants. The Office for Civil Rights also provided healthcare entities with guidance on how to respond to these types of targeted cyberattacks.