BlackBerry Cylance researchers have described the Zeppelin ransomware, which is written in Delphi, is based on the VegaLocker malware code, and attacks technology and medical companies in Europe and North America.
The researchers note that the malware will not run on machines in Russia, Ukraine and other CIS countries, including Kazakhstan and Belarus. This is a notable detail, since other variants of the Vega family, also known as VegaLocker and Buran, were aimed specifically at Russian-speaking users.
Zeppelin therefore does not appear to be the work of the same group that was behind the earlier attacks. The Vega source code can be found on the black market, and the experts believe that Zeppelin's creators could have bought or stolen it, or obtained it through a leak. Behind Zeppelin is apparently a Russian-speaking hacking group.
Zeppelin is highly configurable and can be tailored to a specific victim or to an attacker's requirements. It has no standard ransom note, can be deployed as an EXE, a DLL or via PowerShell, and has the following functions:
- IP Logger – tracking victims' IP addresses and locations;
- Startup – maintaining persistence in the system;
- Delete backups – stopping certain services, disabling file recovery, deleting backups and shadow copies, and so on;
- Task-killer – terminating processes specified by the attacker;
- Auto-unlock – unlocking files that are locked during encryption;
- Melt – self-deletion;
- UAC prompt – an attempt to run the malware with elevated privileges.
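As an added illustration from the defender's side (not code from the BlackBerry Cylance report), the following Python routine flags the "Delete backups" behaviour from the list above in process-creation logs. The log format and the command-line patterns are assumptions about how that behaviour commonly appears on Windows, not Zeppelin's exact commands, and the sample log lines are constructed.

```python
import re

# Command-line patterns commonly associated with the "delete backups" behaviour
# described above (disabling recovery, removing backups and shadow copies).
# These are assumptions about how that behaviour usually appears on Windows,
# not Zeppelin's exact commands, which the write-up does not list.
BACKUP_TAMPER_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

# Hypothetical process-creation log format: "<timestamp> host=<h> pid=<n> cmd=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+cmd=(?P<cmd>.*)$")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def detect_backup_tampering(lines):
    """Return one hit per log line whose command matches a backup-tampering pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the scan
        for rule, pattern in BACKUP_TAMPER_PATTERNS.items():
            if pattern.search(rec["cmd"]):
                hits.append({"ts": rec["ts"], "host": rec["host"],
                             "pid": int(rec["pid"]), "rule": rule, "cmd": rec["cmd"]})
                break  # one rule per line is enough for triage
    return hits

def rules_by_host(hits):
    """Group matched rules per host; several distinct rules on one host warrant escalation."""
    out = {}
    for h in hits:
        out.setdefault(h["host"], set()).add(h["rule"])
    return out

# Constructed sample log lines (not real telemetry); WS02 only lists shadows, which is benign.
SAMPLE_LOG = [
    "2019-11-20T10:01:02Z host=WS01 pid=1204 cmd=C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2019-11-20T10:01:09Z host=WS01 pid=2210 cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "2019-11-20T10:01:10Z host=WS01 pid=2215 cmd=bcdedit.exe /set {default} recoveryenabled No",
    "2019-11-20T10:01:11Z host=WS01 pid=2220 cmd=wbadmin delete catalog -quiet",
    "2019-11-20T10:02:00Z host=WS02 pid=3300 cmd=vssadmin list shadows",
    "malformed line without fields",
]
```

Running `detect_backup_tampering(SAMPLE_LOG)` yields three hits, all on WS01, and `rules_by_host` shows that one host triggered three distinct rules within seconds, which is the pattern worth alerting on.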
Analysis of the code shows that Zeppelin was first compiled in early November of this year.
According to the researchers, the ransomware is distributed through supply-chain attacks, in particular via Managed Security Service Providers (MSSPs), which makes it resemble the notorious Sodinokibi ransomware. The experts also believe that Zeppelin is spread through watering-hole attacks. Such attacks are named by analogy with predators that hunt at a watering hole, waiting for the prey that comes there to drink: the attackers place the malware on resources that the intended victim visits.
BlackBerry Cylance experts believe that Zeppelin is offered as a service on the black market: criminals rent it from its developers and then adapt it to their needs. At least one of these operators is using Zeppelin in attacks targeting medical and IT companies.
“So far we have not seen any large-scale campaign used to spread the malware. It seems that the attackers are quite cautious about the choice of targets. But probably the reason is that the campaign has not really started yet, and the current victims are just ‘patient zero’ in some kind of test run,” the analysts say.