The Zeppelin ransomware has sailed back into relevance, after a hiatus of several months.
A wave of attacks were spotted in August by Juniper Threatlab researchers, making use of a new trojan downloader. These, like an initial Zeppelin wave observed in late 2019, start with phishing emails with Microsoft Word attachments (themed as “invoices”) that have malicious macros on board. Once a user enables macros, the infection process starts.
In the latest campaign, snippets of Visual Basic scripts are hidden among garbage text behind various images. The malicious macros parse and extract these scripts, and write them to a file at c:\wordpress\about1.vbs. A second macro then looks for the string “winmgmts:Win32_Process” inside the document text, and uses it to execute about1.vbs from disk. About1.vbs is the aforementioned trojan downloader, which ultimately downloads the Zeppelin ransomware onto a victim’s machine.
The binary sleeps for 26 seconds “in an attempt to out-wait dynamic analysis in an automated sandbox and then runs the ransomware executable,” according to the recently released analysis. “As with previous versions, the Zeppelin executable checks the computer’s language settings and geolocation of the IP address of the potential victim to avoid infecting computers in Russia, Belarus, Kazakhstan and Ukraine.”
The latest campaign has affected around 64 known victims and targets, Juniper researchers noted, indicating a certain level of targeting. It may have started in June 4, when the command-and-control (C2) server that the malware uses was registered; and passive DNS data shows that it ran until at least Aug 28; August 28 is the most recent name resolution for the C2 domain, according to passive DNS data. “[This] could indicate the malware has not infected new networks in the last few days,” according to the post.