Highly Targeted 'Zeppelin' Ransomware Hits Tech, Healthcare Firms

A new, highly targeted piece of ransomware has hit a handful of tech and healthcare companies in Europe and the United States, BlackBerry Cylance reports. 


Called "Zeppelin", the malware is the latest addition to Vega (VegaLocker), the Delphi-based Ransomware-as-a-Service (RaaS) family that also includes variants such as Jamper, Storm, Buran, and more. Vega was initially observed in early 2019 targeting Russian users.


Unlike the Vega campaign, which had a broad reach, the Zeppelin attacks are targeted, and the malware was designed to abort the infection process if the machine is located in Russia or another ex-USSR country.


The first samples of Zeppelin have compilation timestamps starting on November 6, 2019 and reveal that the malware is highly configurable, as it can be deployed as an EXE, DLL, or even wrapped in a PowerShell loader. 


Watering-hole websites and Pastebin (in the case of PowerShell) were used to host the samples, and at least some attacks were conducted via MSSPs, similar to the highly targeted Sodinokibi ransomware, BlackBerry Cylance notes.


Zeppelin uses obfuscation to hide sensitive strings and employs different RC4 keys for each sample. Most of the binaries are not packed, but BlackBerry Cylance’s security researchers discovered some executables protected with additional polymorphic obfuscation software.
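Because the sensitive strings are RC4-protected under a key that changes with every sample, an analyst recovering a Zeppelin configuration has to re-derive the plaintext once a candidate key has been pulled from the binary. The Python below is an added example for that analysis step, not BlackBerry Cylance's or the malware's own code; the key, ciphertext and string layout are constructed assumptions, since the report excerpt does not document the actual encoding.

```python
def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes (key-scheduling followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def looks_like_text(blob: bytes) -> bool:
    """Heuristic: a correctly decrypted config string is mostly printable ASCII."""
    if not blob:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return printable / len(blob) >= 0.95


def try_keys(blob: bytes, candidate_keys) -> list:
    """Decrypt blob under each candidate key; keep (key, text) pairs that look like text.

    Useful when several key-like byte runs were carved from a sample and it is
    not yet clear which one protects the string table.
    """
    hits = []
    for key in candidate_keys:
        plaintext = rc4(key, blob)
        if looks_like_text(plaintext):
            hits.append((key, plaintext.decode("ascii", errors="replace")))
    return hits


# Constructed demo values (assumptions, not taken from any real Zeppelin binary).
SAMPLE_KEY = b"s4mpl3-k3y-0001"
SAMPLE_CONFIG = b"CONFIG;sample-id=0001;note=!!!README!!!.txt"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_CONFIG)  # what an analyst would carve from the .itext section
```

Running `try_keys(SAMPLE_BLOB, [b"wrong-key", SAMPLE_KEY])` returns only the entry for `SAMPLE_KEY`, which is the signal that the carved key is the right one.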


Options that can be set from the Zeppelin builder user-interface during generation of the ransomware binary include running as DLL, determining the victim IP address, copying itself to a different location and setting up persistence, erasing backups and disabling recovery, killing processes, unlocking files for encryption, erasing itself before exiting, and attempting to gain elevated privileges or re-run. 


The .itext section of Zeppelin’s binary stores configuration data such as hardcoded pu ..
