After a six-month shelving, Zeppelin ransomware has returned in late August of 2020, according to researchers at Juniper Threats Labs. The malware has changed a bit however, and now uses an updated Trojan downloader in an effort to better hide its activities from AV programs.
Zeppelin was initially discovered by SentinelOne security researcher Vitali Kremez in 2019, primarily targeting IT and healthcare firms. Historically, it has been distributed using the ransomware-as-a-service model. Zeppelin is a variant of another type of crypto-locking malware known as Buran ransomware, according to Juniper. Buran ransomware itself is a variation of another ransomware strain called VegaLocker.
In the Zeppelin campaign from August of 2020, the Juniper researchers discovered that the operators of Zeppelin are using the same type of phishing techniques as in previous attacks. However, they have started using a new downloader that obscures the Trojan used in delivering the ransomware payload.
According to the Juniper, Zeppelin ransomware attacks begin with a victim receiving a phishing email disguised to look like an invoice of some sort. The phishing emails are delivered with a Microsoft Word attachment, which hides malicious VBA macros. Once the attachment is clicked on, macros are enabled and the attack starts, according to Juniper.
The attached Word document contains Visual Basic scripts hidden within the text. This code is part of a technique that helps hide the Trojan that starts the infection process. Once macros are enabled, the text is extracted and written to a new file. When that document is closed, the second round of macros begins, and that further helps hide the attack.
The second round of macro string then downloads a Trojan that installs the Zeppelin ransomware. Before it begins, the malware is programmed to sleep for 26 seconds to wait out “dynamic analysis in an automated sandbox and then runs the ransomware executable,” according to the report.
The Unknown Origins of the Zeppelin Ransomware Reboot
Juniper’s report fails to shed light on the hackers behind Zeppelin. Still, the report does mention if an infected device has an IP address linked to Russia, Belarus, Kazakhstan or Ukraine, the attack is immediately ended. This has caused many to speculate that the attacks may be from the region near those countries.
If you are still having trouble, consider contacting remote technical support options.