Zeppelin Ransomware

Zeppelin is a ransomware-as-a-service tool which is delivered through phishing campaigns. Zeppelin uses double extortion methods to both encrypt files and steal data threatening to sell it on the dark web.

Threat ID:: CC-3864
Category:: Ransomware
Threat Severity:: Medium
Threat Vector:: Phishing
Published:: 21 May 2021 4:20 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Versions: all supported

Microsoft Windows

Threat details

Introduction

First observed in November 2019, Zeppelin is a variant of the Buran ransomware and is ransomware-as-a-service. Zeppelin ransomware targets organisations globally except the Commonwealth of Independent States (CIS). Zeppelin is delivered via phishing emails as part of a double extortion campaign where data is stolen before being encrypted by the ransomware.

Delivery

Zeppelin is commonly delivered via phishing emails containing macro-laden attachments in Microsoft Word documents. Zeppelin has also been delivered using the ConnectWise Control (formally Screen connect) remote management software on an already compromised network. On opening the malicious Word document, the user is lured into enabling macros, which then extract a downloader script hidden within the text content. This script downloads Zeppelin, then sleeps for 26 seconds. This is used as an evasion technique to avoid dynamic analysis in an automated sandbox, before executing the ransomware.

Activities

Once delivered, Zeppelin checks the default language or the country calling code to determine the location of the affected system, terminating if any of the CIS countries are identified. Zeppelin will then connect to a command and control (C2) server, which will then send an encryption command. The malware creates an empty file in the %TEMP% directory and appends the file with a ZEPPELIN extension. The encryption process involves encrypting Windows operating system directories, web browser applications, system boot files and user files. Following encryption, a text file ransom note will then be left on the desktop of compromised systems.

Remediation advice

If a device on your network becomes infected with ransomware it will begin encrypting files, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup. To limit the impact of a ransomware infection, NHS Digital advises that:

Critical data is frequently saved in multiple backup locations.
At least one backup is kept offline at any time (separated from live systems).
Backups and incident recovery plans are tested to ensure that data can be restored when needed.
User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary.
Infected systems are disconnected from the network and powered down as soon as practicable.
Any user account credentials that may have been compromised should be reset on a clean device
Where infected systems cannot be quarantined with confidence, then an affected organisation should disconnect from national networks to limit propagation.

Additionally, to prevent and detect an infection, NHS Digital advises that:

Secure configurations are applied to all devices.
Security updates are applied at the earliest opportunity.
Tamper protection settings in security products are enabled where available.
Obsolete platforms are segregated from the rest of the network.
IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
Administrative accounts are only used for necessary purposes.
Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

Domains

btcxchange[.]online
iplogger[.]ru
iplogger[.]org
iplogger[.]org/1H7Yt7.jpg
iplogger[.]org/1HCne7.jpeg
iplogger[.]org/1Hpee7.jpeg
iplogger[.]org/1HVwe7.png
iplogger[.]org/1syG87
iplogger[.]org/1wF9i7.jpeg

Registry Keys

HKCU\Software\Zeppelin
HKCU\Software\Zeppelin\HKCU\Software\Zeppelin\<Paths registry key>

IP Addresses

45.142.213[.]167
216.249.104[.]215

Host Indicators

SHA256 hashes

04628e5ec57c983185091f02fb16dfdac0252b2d253ffc4cd8d79f3c79de2722
1f94d1824783e8edac62942e13185ffd02edb129970ca04e0dd5b245dd3002bc
39d8331b963751bbd5556ff71b0269db018ba1f425939c3e865b799cc770bfe4
4894b1549a24e964403565c61faae5f8daf244c90b1fbbd5709ed1a8491d56bf
d61bd67b0150ad77ebfb19100dff890c48db680d089a96a28a630140b9868d86
e22b5062cb5b02987ac32941ebd71872578e9be2b8c6f8679c30e1a84764dba7
f79ed2df72dedf4205d36e70099efad67dad726c32b11ba7b28157e532abb446

MD5 hashes

0da72fc6c1cebb98289b1efe8dd56fd9
0d442c4d8b4c4312840675cac8d69661
0e06f623bc4eefa97a84ededfbb6bb7e
15bd9fe4de43bd0c418546d5e90f00be
2f1ecf99dd8a2648dd013c5fe6ecb6f5
357b149a0f40224db5d359db104a6778
386157f4cab9327d01a7210da9237ef0
5181f541a6d97bab854d5eba326ea7d9
58f53c8034a1e0ac1174595909ddf88c
68ccfaf0f453cc45faaa8f653ab9c983
79927881700955c52f113bc2d6968698
a8e670c63e257049a7bcae632c9acef6
aed10704bfb8f9eff057d5523b9ad431
bfdfd9874072b6340660b501f1bd7a33
c8823b84999ecf29f0c18c500a4e5c75
e4a50b032c5278691030662123406fac
f8ca42285e4979fc25e1e358aaaf3ee3
fee6ba9a0d7a805b3281d4f955821c1c

Last edited: 27 May 2021 3:39 pm