New Zeppelin strain avoids AV detection with trojan downloader


A fresh wave of Zeppelin ransomware attacks discovered in late August went undetected by antivirus defenses as the result of a new trojan downloader and research suggests the attacks might be targeted.

The presumably targeted infections were announced in a blog post by Juniper Threat Labs researcher Asher Langton.

“This campaign shows an evolution of the trojan downloader that relies on heavy obfuscation of visual basic code hidden in what seems like random text within the document itself instead of the macro code,” Mounir Hahad, head of Juniper Threat Labs, told SC Media.

As with previous versions, the new Zeppelin executable checks the computer’s language settings and geolocation of the IP address of the potential victim to avoid infecting computers in Russia, Belarus, Kazakhstan and Ukraine.

In late 2019, the ransomware first dubbed Zeppelin targeted IT and healthcare providers, and was categorized as a variant of the Buran ransomware-as-a-service family.

The new Zeppelin begins with a Microsoft Word document containing a malicious macro, which lures the recipient into triggering additional VBA (Visual Basic for Applications) payloads. When the document is closed, a second macro runs.

Juniper detected the new Zeppelin attacks on Aug. 28. The attacks used the command-and-control (C2) domain btcxchange[.]online, registered on June 4, 2020 with Namecheap.

According to the post, the malware has not infected new networks in the past few days, but DNS caching makes it difficult to assess how many targeted computers resolved the C2 domain. “There were only 64 confirmed DNS queries to its authoritative name server, which suggests the attacks might be targeted and not widespread,” Langton wrote.
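The authoritative-server count quoted above only sees recursive resolvers, not the endpoints behind them, which is the caching problem Langton describes. A defender with internal resolver logs can get the per-client view instead. The following is an added example, not code from the article or from Juniper, that refangs the published C2 indicator and matches it against a handful of constructed resolver-log lines in a simplified space-separated format that is assumed here, counting lookups per internal client:

```python
import re
from collections import Counter

# Indicator as published in the report, in defanged form.
DEFANGED_C2 = "btcxchange[.]online"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def domain_matches(qname: str, c2: str) -> bool:
    """True if qname is the C2 domain or a subdomain of it.

    A trailing dot (FQDN notation) is tolerated; look-alikes such as
    'notbtcxchange.online' do not match because the suffix check
    requires a label boundary.
    """
    q = qname.lower().rstrip(".")
    return q == c2 or q.endswith("." + c2)


# Constructed sample lines (not real data) in an assumed resolver-log format:
#   <timestamp> <client_ip> <query_name> <rrtype> <response_code>
SAMPLE_LOG = """\
2020-08-28T10:02:11Z 10.1.4.22 btcxchange.online A NOERROR
2020-08-28T10:02:14Z 10.1.4.22 www.btcxchange.online. A NXDOMAIN
2020-08-28T10:05:40Z 10.1.9.7 btcxchange.online A NOERROR
2020-08-28T10:06:02Z 10.1.9.7 notbtcxchange.online A NOERROR
2020-08-28T10:07:55Z 10.2.0.13 update.microsoft.com A NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def find_c2_lookups(log_text: str, defanged: str = DEFANGED_C2) -> list:
    """Return one record per log line whose query name hits the C2 domain."""
    c2 = refang(defanged)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, qname, rrtype, rcode = m.groups()
        if domain_matches(qname, c2):
            hits.append({"ts": ts, "client": client,
                         "qname": qname.rstrip("."), "rcode": rcode})
    return hits


def summarize(hits: list) -> dict:
    """Per-client query counts: the view an authoritative server cannot see."""
    per_client = Counter(h["client"] for h in hits)
    return {"clients": dict(per_client),
            "unique_clients": len(per_client),
            "total_queries": len(hits)}


if __name__ == "__main__":
    found = find_c2_lookups(SAMPLE_LOG)
    for h in found:
        print(h)
    print(summarize(found))
```

The NXDOMAIN line is kept on purpose: a failed lookup of a subdomain is still evidence that a host tried to reach the infrastructure, and on the sample data it is the only sign that the second client query came from the same machine. In production the format regex would be replaced by whatever the resolver actually emits (BIND query logs, Windows DNS analytic logs, or a passive-DNS feed), but the refang-and-suffix-match logic stays the same.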
