Cybersecurity Threat Alerts – Zeppelin Ransomware

Zeppelin ransomware, also referred to as Buran, has its origin in the Vega/VegaLocker family, a Delphi-based ransomware-as-a-service (RaaS). According to researcher Vitali Kremez, Zeppelin binaries are generated via a GUI wizard by affiliates, who then distribute the malware in exchange for revenue sharing.

Vega samples were first discovered at the beginning of 2019, distributed alongside other widespread financial malware as part of a malvertising operation. Zeppelin appears to be highly configurable and can be deployed as an EXE, a DLL, or wrapped in a PowerShell loader. The samples are hosted on water-holed websites and, in the case of PowerShell, on Pastebin.

Zeppelin allows attackers to track the IP addresses and location of victims via the IPLogger web service. If the relevant option is set, the ransomware will try to check in by sending a GET request to a hardcoded URL that was generated using the IPLogger URL Shortener service. The User-Agent field is set to “ZEPPELIN” and the referrer field contains a unique victim ID, created during the key generation phase. To prevent a victim from checking in more than once, a “Knock” value of 0x29A (666) is written under HKCU\Software\Zeppelin. If the value already exists, the malware will not try to contact the URL on subsequent runs. Attackers can use the IPLogger web service to view a list of victims and use the shortened URL to redirect users to other malicious content.
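The check-in request and the “Knock” marker give defenders two detection points. The following is an added example, not code from the original alert or the research it draws on: it scans constructed JSON telemetry (the field names are an assumed normalized schema) for both indicators and lists hosts that carry the marker without an observed check-in.

```python
import json

USER_AGENT = "ZEPPELIN"             # User-Agent of the check-in request
KEY_SUFFIX = r"\software\zeppelin"  # HKCU appears as HKU\<SID> in most telemetry
KNOCK = 0x29A                       # "Knock" marker value (666)

# Constructed sample telemetry; the JSON field names are an assumed schema.
SAMPLE = r'''
{"type":"http","host":"ws-014","method":"GET","url":"https://shortener.invalid/x1","user_agent":"ZEPPELIN","referrer":"SAMPLE-VICTIM-ID"}
{"type":"http","host":"ws-020","method":"GET","url":"https://intranet.invalid/","user_agent":"Mozilla/5.0","referrer":""}
{"type":"reg_set","host":"ws-014","key":"HKU\\S-1-5-21-1111\\Software\\Zeppelin","value":"Knock","data":666}
{"type":"reg_set","host":"ws-022","key":"HKU\\S-1-5-21-2222\\Software\\Zeppelin","value":"Knock","data":666}
{"type":"reg_set","host":"ws-031","key":"HKU\\S-1-5-21-3333\\Software\\Zeppelin","value":"Theme","data":1}
'''

def scan(text):
    """Return {host: {finding: detail}} for events matching the indicators."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "http":
            ua = ev.get("user_agent", "").strip()
            if ev.get("method") == "GET" and ua == USER_AGENT:
                # The referrer field carries the victim ID.
                hosts.setdefault(ev["host"], {})["checkin"] = ev.get("referrer", "")
        elif ev["type"] == "reg_set":
            under_key = ev["key"].lower().endswith(KEY_SUFFIX)
            if under_key and ev["value"] == "Knock" and ev["data"] == KNOCK:
                hosts.setdefault(ev["host"], {})["knock"] = ev["key"]
    return hosts

def knock_without_checkin(hosts):
    """Hosts where the marker exists but no check-in was seen in the logs."""
    return sorted(h for h, f in hosts.items() if "knock" in f and "checkin" not in f)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for host, findings in sorted(found.items()):
        print(host, findings)
    print("marker only:", knock_without_checkin(found))
```

Because the marker suppresses later check-ins, the registry value stays visible on hosts where the network request was never logged.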

Zeppelin employs a standard combination of symmetric file encryption with randomly generated keys for each file (AES-256 in CBC mode) and asymmetric encryption to protect the session key (using a custom RSA implementation, possibly developed in-house).

The private key from this pair will be encrypted using the attacker’s 2048-bit public RSA key hardcoded in the .itext section of the binary. Both the victim’s RSA encrypted private key and its corresponding public key will then be further obfuscated with a randomly generated 32-byte RC4 key, base64 encoded (together with the prepended RC4 key) and saved to the registry under HKCU\Software\Zeppelin\Keys as “Public Key” and “Encrypted Private Key” respectively.
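For incident response, the two registry values can be unwrapped to recover the stored bytes for triage. This is an added example, not code from the original alert or from the malware: it assumes standard RC4 and that the 32-byte key occupies the first 32 bytes of the base64-decoded value, and it runs on a constructed sample rather than real key material.

```python
import base64

RC4_KEY_LEN = 32  # length of the prepended RC4 key, per the description above

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def unwrap(reg_value: str) -> bytes:
    """Base64-decode a registry value, split off the prepended key, undo RC4."""
    try:
        blob = base64.b64decode(reg_value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("value is not valid base64") from exc
    if len(blob) <= RC4_KEY_LEN:
        raise ValueError("value too short to hold a key and data")
    return rc4(blob[:RC4_KEY_LEN], blob[RC4_KEY_LEN:])

# Constructed sample: stand-in bytes wrapped the way the description lays it out.
SAMPLE_KEY = bytes(range(RC4_KEY_LEN))
SAMPLE_PAYLOAD = b"constructed stand-in for key bytes"
SAMPLE_VALUE = base64.b64encode(SAMPLE_KEY + rc4(SAMPLE_KEY, SAMPLE_PAYLOAD)).decode()

if __name__ == "__main__":
    print(unwrap(SAMPLE_VALUE))
```

The unwrapped “Encrypted Private Key” is still protected by the attacker’s RSA public key, so this step supports identification and evidence handling, not decryption of files.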

A unique victim ID is then created using the first 11 bytes of the victim’s RSA public key modulus and replacing the third and seventh character with a dash “-” character.

Indicators of compromise (IOCs)

