By – Blackberry Cylance researchers have discovered a new ransomware variant targeting healthcare and technology companies across US and Europe with carefully chosen cyberattacks.
The Zeppelin ransomware is the newest member of the Delphi-based ransomware-as-a-service family, commonly known as Vega or VegaLocker, which was first discovered in early 2019 and thought be Russian in origin.
The initial attacks were broad in scope, rather than targeted, hosted with valid certificates on GitHub. Several new versions have been spotted in the wild over the course of the year, with Zeppelin as the latest iteration.
According to researchers, latest variant is based on the same code with similar functions as past methods, but the current campaign differs significantly than previous malware versions.
First seen on November 6, the first Zeppelin samples were seen targeting a select number of tech and healthcare companies in the US and Europe. Zeppelin is designed to stop running on machines based in Russia or other ex-USSR countries. The ransomware will check the victim’s country code by obtaining the victim’s external IP address to ensure it’s not operating in one of the banned countries.
The shift in targeting Western countries, different deployment methods, and victim selection suggests the virus may have ended up in the hands of different threat actors, researchers explained.
“Zeppelin appears to be highly configurable and can be deployed as an EXE, DLL, or wrapped in a PowerShell loader,” researchers explained. “The samples are hosted on water-holed websites, and in the case of PowerShell, on Pastebin.”
What’s more, the researchers believe that at least some of these attacks were launched through managed security services providers (MSSPs). The attacks bear similarities to another healthcare-heavy threat actor known as Sodinokibi, which typically targets IT managed service providers.
Sodinokibi was behind the recent ransomware attack on CTS, an IT vendor for dental providers, which impacted more than 100 dentist offices.
For Zeppelin, all sensitive strings in its binaries are obfuscated with a different pseudo-random 32-byte RC4 key, appended to each encryption string.
“The string obfuscation acts as a crude polymorphism mechanism, as each generated sample will use different RC4 keys,” researchers explained. “It also helps Zeppelin evade detection and complicates analysis.”
“Although the majority of samples are not packed, BlackBerry Cylance researchers have come across Zeppelin executables protected by attackers using additional polymorphic obfuscation software,” they continued. “In these cases, the Zeppelin executables were wrapped in three layers of obfuscation.”
First, the hackers leverage varying sizes of code with a set of random APIs (often associated with benign software), as well as some stalling loops meant to deceive heuristic mechanisms and outrun sandboxes.
Zeppelin also uses first-stage shellcode, which is encoded with simple XOR through a static one-byte key derived from a hardcoded DWORD value. The researchers noted the shellcode “decodes the payload binary, together with its loader, using one-byte XOR, but this time the key is mutated for each decryption round.”
Lastly, Zeppelin can hide using a second-stage shellcode that injects the payload binary into memory before it executes.
“Like its predecessors, Zeppelin allows attackers to track the IP addresses and location of victims via the IPLogger web service,” researchers explained. “If the relevant option is set, the ransomware will try to check-in by sending a GET request to a hardcoded URL that was generated by using the IPLogger URL Shortener service.”
“Attackers can use the IPLogger web service to view a list of victims and use the shortened URL to redirect users to other malicious content,” they added.
To Cylance, the emergence of Zeppelin demonstrates some ransomware hackers have a strong “dedication to the craft,” seen in its deployed, precise attacks on high-profile targets in the health and IT sectors.
As noted in recent Office for Civil Rights’ guidance, targeted ransomware attacks are on the rise and healthcare organizations need to rely on HIPAA-compliant security measures to fend off, detect, and respond to these disruptive attacks.
“Targeting specific organizations rather than every reachable user is just one example of how ransomware attacks continue to evolve,” researchers concluded. “The ongoing refinement of ransomware attacks serves as a stark reminder that effective cyber security should be proactive, predictive, adaptive, and semi-autonomous.”
