What Is It?

In late August 2020, researchers at Juniper Threat Labs discovered a new Zeppelin ransomware campaign, the first for this variant in several months. Juniper found that this campaign was poorly detected by legacy anti-virus applications because of a new downloader component used in the attack chain.

In this latest campaign, the initial attack vector is Microsoft Word documents containing malicious macros, attached to emails. When opened, a document displays a blurred image of a “medical invoice” with instructions on how to view the document's “content”; following those instructions allows the macro to execute. To avoid detection by legacy anti-virus applications, an attempt that appears to have been largely successful, the macro extracts the code for a second macro from what appears to be junk text hidden behind the blurred image. The extracted macro is executed when the document is closed.

This macro downloads the actual Zeppelin ransomware from a domain controlled by the attackers and saves it to the local hard drive. However, in an attempt to avoid detection by automated sandbox tools, which are heavily used by endpoint detection vendors, the Zeppelin ransomware is not executed for 26 seconds.
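The attack chain above (a macro that fires on document close, a download of a second stage, and a fixed delay before execution) is the kind of behaviour a defender can triage directly from extracted macro source. The following is an added example, not code from BluVector, Juniper Threat Labs or the campaign itself: a small heuristic scanner over VBA text. The indicator groups, regexes and scoring rules are this example's own assumptions, and the two macro snippets are constructed inputs (the "suspicious" one is a non-functional fragment that only carries the indicative tokens).

```python
"""Triage heuristic for extracted VBA macro source.

Added example. In practice the source would come from a macro extractor
such as oletools' olevba; here it is embedded as constructed text so the
script runs offline.
"""
import re

# Indicator groups keyed by the behaviours described in the campaign writeup.
# Group names and patterns are this example's own assumptions, not a
# published signature set.
INDICATORS = {
    # macro runs when the document is closed rather than opened
    "close_trigger": [r"\bSub\s+Document_Close\b", r"\bSub\s+AutoClose\b"],
    # fixed delays used to outlast sandbox analysis windows
    "delay": [r"\bApplication\.Wait\b", r"\bSleep\s*\(", r"\bDoEvents\b"],
    # primitives commonly used to fetch a second stage
    "download": [r"XMLHTTP", r"WinHttpRequest", r"URLDownloadToFile", r"ADODB\.Stream"],
    # primitives used to launch what was fetched
    "execute": [r"\bShell\b", r"WScript\.Shell", r"\.Run\b"],
    # a macro that builds or rewrites macro code at runtime
    "self_rewrite": [r"\.VBProject\b", r"CodeModule", r"AddFromString", r"\.Paragraphs\b"],
}


def scan_macro(source: str) -> dict:
    """Return {group: [matched snippets]} for every indicator group that fires."""
    hits = {}
    for group, patterns in INDICATORS.items():
        found = []
        for pat in patterns:
            for m in re.finditer(pat, source, flags=re.IGNORECASE):
                found.append(m.group(0))
        if found:
            hits[group] = found
    return hits


def verdict(hits: dict) -> str:
    """Combine indicator groups into a triage label.

    'high'   : runs on close AND (delays, or downloads and executes)
    'medium' : downloads and executes, or rewrites its own code
    'low'    : nothing of note
    """
    staged = "download" in hits and "execute" in hits
    if "close_trigger" in hits and ("delay" in hits or staged):
        return "high"
    if staged or "self_rewrite" in hits:
        return "medium"
    return "low"


# Constructed sample: a deliberately incomplete fragment carrying only the
# tokens the scanner cares about (no request is sent, nothing is written).
SUSPICIOUS_MACRO = """
Sub Document_Close()
    ' constructed fragment for the scanner, not a working macro
    Set http = CreateObject("MSXML2.XMLHTTP")
    Application.Wait Now + TimeValue("00:00:26")
    Shell strPath
End Sub
"""

# Constructed benign sample: ordinary document formatting automation.
BENIGN_MACRO = """
Sub FormatTable()
    Selection.Tables(1).AutoFormat
End Sub
"""


if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        hits = scan_macro(src)
        print(f"{name}: verdict={verdict(hits)} groups={sorted(hits)}")
```

The scoring deliberately weights the combination of a close-time trigger with a delay or a download-then-execute pair, because each token on its own (a `Shell` call, a `Wait`) is common in legitimate automation; the 26-second pause described above is what makes the combination stand out rather than any single API name.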

As with all previous variants going back to VegaLocker, the ransomware will not encrypt files if the infected system is located in Russia or the former Soviet states of Belarus, Kazakhstan and Ukraine. The displayed ransom note provides an email address for victims to contact the attackers and provide one encrypted file which will be decrypted for free.

Zeppelin, first discovered in December 2019 and named for the string ZEPPELIN written into encrypted files, was originally a variant of Buran ransomware, itself a variant of VegaLocker. All of these variants are written in the Borland Delphi programming language, popular with some malware authors because it is potentially more difficult to reverse engineer than other languages such as C++. All variants have been offered for sale using the Ransomware-as-a-Service (RaaS) model. In the case of Buran, clients would keep 75% of all ransom payments, with the remaining 25% retained by the authors. The initial Zeppelin campaign was targeted at IT and healthcare organizations in Europe and the U.S. It is believed that the initial infection vectors were poorly secured, internet-facing Remote Desktop Protocol (RDP) servers.

How Does It Propagate?

This Zeppelin campaign utilizes what remains the most common attack vector for most ransomware, social engineering, here in the form of malicious Microsoft Word document attachments. The malware does not contain the code necessary to self-propagate.

When/How Did BluVector Detect It?

A total of 49 samples related to this campaign are publicly available – two VBScript samples, 46 malicious Microsoft Word samples and the Zeppelin ransomware sample itself – and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 74 months prior to their release.