Zeppelin Ransomware

After a six-month hiatus, the Zeppelin ransomware variant returned in late August, according to Juniper Threat Labs. The malware now uses an updated Trojan downloader to better hide its activity from security tools.

Zeppelin was first spotted in late 2019, when it primarily targeted IT and healthcare firms, according to the report. It’s distributed using the ransomware-as-a-service model.

The ransomware appears to be a variant of another crypto-locking malware family called Buran, according to Juniper. Buran is in turn a variation of the VegaLocker ransomware strain, according to previous research published by McAfee.

In the latest campaign, which started in August, the Juniper researchers found that Zeppelin's operators use the same phishing lures as in previous attacks, but with a new downloader that helps obscure the Trojan that implants the ransomware code.

Hiding & Attack

A Zeppelin ransomware attack starts when a targeted victim receives a phishing email disguised as an invoice, according to the Juniper report.

The phishing emails are sent with an attached Microsoft Word document, portrayed as an invoice, that hides malicious VBA macros. Once the attachment is opened, the macros are enabled and the initial attack starts, according to the report.

The attached Word document contains what appears to be junk text but actually carries Visual Basic script hidden within it, the report notes. This is an obfuscation technique that hides the Trojan that starts the ransomware infection.

Once the malicious macros are enabled, the hidden script is extracted from the text and written to a file at c:\wordpress\about1.vbs, according to the report. When the document is closed, a second round of macros runs, which further helps hide the attack.

The second macro stage eventually downloads a Trojan that installs the Zeppelin ransomware on the compromised device. Before it starts working, the malware “sleeps for 26 seconds in an attempt to out-wait dynamic analysis in an automated sandbox and then runs the ransomware executable,” according to the report.

The Juniper report does not shed light on the threat actors behind Zeppelin, but the report and other analyses find that if the ransomware determines the infected device has an IP address geolocated to Russia, Belarus, Kazakhstan or Ukraine, it stops the attack.

The report notes that it “is difficult to assess how many targeted computers resolved the [command-and-control] domain, but there were only 64 confirmed DNS queries to its authoritative name server, which suggests the attacks might be targeted and not widespread.”

Stringent Policies to Defend the Network

Security teams may not be able to defend against every new attack or intrusion that crops up, but having strong policies in place is the first step toward strengthening corporate defenses.

Intrusion detection policy

Data breaches are a fact of life for all modern companies. Enterprises must reduce cybersecurity risk and at the same time prepare for how to handle an intrusion.

An enterprise with a clear and concise intrusion detection policy will be ready to react to and counteract intrusions into its network. A plan of action will reduce potential damage and protect vital enterprise data.

This intrusion detection policy includes advice on how to set up a detection team, define requirements for intrusion detection analysis techniques, and identify the systems, applications and devices to monitor.

Identity theft protection policy

Identity theft is also a common problem for workers and individuals in these days of mobile banking and online healthcare portals. Identity theft can happen on home and corporate networks and cause an array of damage to consumers and businesses alike. Thieves use Social Security numbers, birth dates, driver's license numbers, mothers' maiden names, account credentials and other personal information to impersonate someone else.

The thieves can open new accounts or access existing ones and engage in fraudulent behavior to the detriment of their victims. Hackers obtain this information through physical theft, unauthorized electronic access, or social engineering.

This identity theft protection policy provides guidelines for protecting your own personal information and safeguarding employee and customer information. The California Consumer Privacy Act is one of a growing number of laws that establish penalties for the loss and misuse of personal information.

Putting a privacy protection plan in place will reduce the risk of losing data in the first place as well as limit your company's liability under such privacy laws.

Mobile device security policy

Mobile devices are just as susceptible to data and security breaches as desktops or laptops. The same social engineering, phishing and OS vulnerabilities that plague desktops and laptops apply equally to mobile devices.

This mobile device security policy includes requirements for users, including guidance on passwords, applications and downloads.

There are guidelines for IT professionals as well, including mobile device management advice, available anti-malware software and user support.

It’s Blurtooth 💙 Not Bluetooth

A vulnerability in the ubiquitous Bluetooth wireless standard, dubbed Blurtooth, could enable attackers within wireless range to connect to devices without the user's approval and access the users’ applications.

Bluetooth is found in billions of devices worldwide, ranging from smartphones to “internet of things” gadgets. In consumer technology, it is commonly used for short-range connections such as pairing wireless earbuds with a handset. Bluetooth also supports longer-range data transfer over distances of as much as several hundred feet, a range that attackers could potentially exploit using Blurtooth to launch attacks.

The vulnerability exploits a weakness in the way Bluetooth verifies the security of connections. Normally, a user must manually approve a connection request before their device is linked to another system, but Blurtooth makes it possible to circumvent this defense.

An attacker can configure a malicious system to impersonate a Bluetooth device the user has already approved, such as their wireless earbuds, and gain access to the Bluetooth-enabled apps on the user’s machine.

Blurtooth attacks rely on a built-in Bluetooth feature known as Cross-Transport Key Derivation (CTKD). Normally, when a device pairs over one transport (Basic Rate or Low Energy), CTKD derives the key for the other transport so the user does not have to pair twice. An attacker within range can abuse it to overwrite the authentication key of a previously approved device with one they control, which is what makes it possible to impersonate legitimate endpoints and thereby circumvent the need for the user to approve inbound connections.

The limited wireless range of Bluetooth reduces the threat posed by the vulnerability. The two editions of the technology affected, Low Energy and Basic Rate, only support connections over distances of up to 300 or so feet.

The widespread support for those two Bluetooth editions in consumer devices means that a large number of endpoints could potentially be vulnerable.

All devices using Bluetooth versions 4.0 through 5.0 are affected. The newest 5.2 version, which isn’t yet widely adopted, apparently isn’t vulnerable, while the 5.1 release includes restrictions on CTKD that device makers can enable to block Blurtooth attacks.
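To make the CTKD problem concrete, the following is an added, deliberately simplified Python model of the key-overwrite behaviour described above. It is not code from the Juniper or Bluetooth SIG material this article summarises, and it is not a real Bluetooth stack. It assumes, as the article implies, that the attacker can pair over the second transport with no user confirmation (Just Works style), and it models the 5.1-style mitigation simply as "never let a CTKD-derived key replace an existing key that is authenticated or longer". The `LinkKey`, `KeyStore` and `simulate` names are the example's own.

```python
"""Simplified model of the key-overwrite problem behind Blurtooth.

Added illustration only: this is not the real Bluetooth pairing logic.
It models one property: when a device pairs over one transport (BR/EDR or
LE) and CTKD derives a key for the other transport, an unrestricted
implementation lets the derived key replace a key the user already
authenticated. The restricted policy (assumed to mirror the 5.1+ CTKD
restriction) refuses such a downgrade.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Transport(Enum):
    BR_EDR = "BR/EDR"
    LE = "LE"


@dataclass(frozen=True)
class LinkKey:
    value: bytes            # key material (constructed placeholder bytes)
    authenticated: bool     # pairing used MITM protection (user confirmation)
    key_size: int           # negotiated key length in bytes (7..16)

    def weaker_than(self, other: "LinkKey") -> bool:
        """A key is a downgrade if it drops authentication or shrinks the key."""
        lost_auth = other.authenticated and not self.authenticated
        return lost_auth or self.key_size < other.key_size


class KeyStore:
    """Per-peer key store holding at most one key per transport."""

    def __init__(self, restrict_ctkd: bool) -> None:
        self.restrict_ctkd = restrict_ctkd
        self.keys: Dict[Transport, LinkKey] = {}

    def pair(self, transport: Transport, key: LinkKey) -> None:
        # Direct pairing on a transport: the device's own pairing procedure ran.
        self.keys[transport] = key

    def ctkd_derive(self, source: Transport, derived: LinkKey) -> bool:
        """Install a CTKD-derived key on the *other* transport.

        Returns True if the key was installed, False if the policy refused it.
        """
        target = Transport.LE if source is Transport.BR_EDR else Transport.BR_EDR
        existing: Optional[LinkKey] = self.keys.get(target)
        if self.restrict_ctkd and existing is not None and derived.weaker_than(existing):
            return False  # hardened behaviour: keep the stronger, user-approved key
        self.keys[target] = derived  # vulnerable behaviour: overwrite unconditionally
        return True


def simulate(restrict_ctkd: bool) -> Dict[str, bool]:
    """Run the attack scenario and report whether the trusted LE key survived."""
    store = KeyStore(restrict_ctkd)
    # Step 1: legitimate earbuds paired over LE with user confirmation.
    trusted = LinkKey(value=b"\x11" * 16, authenticated=True, key_size=16)
    store.pair(Transport.LE, trusted)
    # Step 2 (assumed attacker capability): pair over BR/EDR with no user
    # confirmation, then let CTKD push an unauthenticated key onto LE.
    rogue = LinkKey(value=b"\x99" * 16, authenticated=False, key_size=16)
    store.pair(Transport.BR_EDR, rogue)
    accepted = store.ctkd_derive(Transport.BR_EDR, rogue)
    return {
        "overwrite_accepted": accepted,
        "le_key_still_trusted": store.keys[Transport.LE] == trusted,
    }


if __name__ == "__main__":
    print("unrestricted CTKD:", simulate(restrict_ctkd=False))
    print("restricted CTKD:  ", simulate(restrict_ctkd=True))
```

With `restrict_ctkd=False` the rogue key replaces the earbuds' authenticated LE key and the attacker's device is now the one the phone trusts; with the restriction on, the derivation is refused and the original key stays in place. The check itself is tiny, which is why the fix could ship as a specification restriction rather than a redesign.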

Prolock Ransomware 🔓 Unlocked

The operators of ProLock ransomware have deployed a large number of attacks over the past six months using a standard set of tactics, averaging close to one target every day.

The operation started in late 2019 under the name PwndLocker. After a cryptographic bug allowed victims to unlock their files for free, the operators fixed the flaw and rebranded the malware as ProLock.

The fresh start in March under the ProLock name also meant increased activity and larger ransoms. Since then, the average demand has swelled to $1.8 million.

Simple operation

The threat actor has no preference regarding its targets or their sector, as long as they are companies with large networks that can pay a higher ransom. The focus appears to be on businesses in Europe and North America.

The group’s tactics, techniques and procedures are simple and effective: a partnership with the QakBot (QBot) banking trojan lets them map the network, move laterally and ultimately deploy the ransomware.

Between the initial compromise and running the file-encryption routine, the actor spends about a month on the network, gathering information to better target the attack and exfiltrating data (via Rclone).

Running ProLock on the target network is the last step of the attack, which typically starts with a spear-phishing email carrying weaponized VBScripts and Office documents that deliver QakBot, often via replies in hijacked email threads.

Once on the target host, QakBot establishes persistence and evades active defenses by modifying the Windows Registry to add its binaries to the list of Windows Defender exclusions.

“QakBot also collects a lot of information about the infected host, including the IP address, hostname, domain, and list of installed programs. The threat actor acquires a basic understanding of the network and can plan post-exploitation activities.”

With tools like BloodHound and ADFind, the threat actor profiles the environment and distributes the banking trojan to other hosts on the network. In some cases this was done manually using PsExec, suggesting a strong connection between the ProLock and QakBot operators.

Moving laterally also involved the use of remote desktop (RDP), and when this was not available on a machine, the actor ran the following batch script via PsExec to enable the remote connection:

ProLock’s toolkit includes Mimikatz, a post-exploitation tool built for penetration testers, which is deployed through Cobalt Strike, a framework built for red-team engagements.

The ransomware actor sometimes relies on a Windows elevation-of-privilege vulnerability (CVE-2019-0859) to escalate privileges on compromised systems.

The file-encrypting malware lands on the host either via QakBot, by being downloaded with the Background Intelligent Transfer Service (BITS) from the attacker’s server, or by a script executed through Windows Management Instrumentation (WMIC) on a remote host.

Despite using standard tools, ProLock attacks remain largely undetected on the network, giving the operators time to prepare the file-encryption stage and steal data.
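Most of the behaviours this page describes leave ordinary endpoint telemetry behind: an Office process spawning a script host and dropping a .vbs file (the Zeppelin macro chain), a registry write that adds a Windows Defender exclusion (QakBot), a registry write that enables RDP, and WMIC executing against a remote node (ProLock lateral movement). The Python below is an added example, not code or detection content from the Juniper or Group-IB reports, that runs a handful of such rules over Sysmon-style event records. The records are constructed for the example to mimic Sysmon Event ID 1 (process create), 11 (file create) and 13 (registry value set); field names follow Sysmon's, and the `bitsadmin /transfer` rule is an assumption about how BITS might be driven, since the page only says BITS was used.

```python
"""Triage of Sysmon-style telemetry for the behaviours described above.

Added example, not from the reports the article summarises. Rules:
  office_spawns_script_host  - Word/Excel/PowerPoint launching a script host
  office_drops_vbs           - Office process creating a .vbs file
  defender_exclusion_added   - write under Windows Defender\\Exclusions
  rdp_enabled_via_registry   - fDenyTSConnections set to 0
  wmic_remote_execution      - wmic.exe invoked with /node: (remote host)
  bits_download              - bitsadmin /transfer (assumed BITS usage)
"""
import re
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}

# Registry paths of interest, matched case-insensitively against TargetObject.
DEFENDER_EXCLUSIONS = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.I)
RDP_TOGGLE = re.compile(r"\\Terminal Server\\fDenyTSConnections$", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return the rule names a single event matches (empty list if benign)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == "1":  # process creation
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        cmdline = ev.get("CommandLine", "").lower()
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")
        if child == "wmic.exe" and "/node:" in cmdline:
            hits.append("wmic_remote_execution")
        if child == "bitsadmin.exe" and "/transfer" in cmdline:  # assumed BITS usage
            hits.append("bits_download")
    elif eid == "11":  # file creation
        target = ev.get("TargetFilename", "")
        if target.lower().endswith(".vbs") and _basename(ev.get("Image", "")) in OFFICE_APPS:
            hits.append("office_drops_vbs")
    elif eid == "13":  # registry value set
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "").strip().lower()
        if DEFENDER_EXCLUSIONS.search(target):
            hits.append("defender_exclusion_added")
        if RDP_TOGGLE.search(target) and details in {"dword (0x00000000)", "0"}:
            hits.append("rdp_enabled_via_registry")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map rule name -> RecordIds of the events that triggered it."""
    result: Dict[str, List[str]] = {}
    for ev in events:
        for rule in triage_event(ev):
            result.setdefault(rule, []).append(ev["RecordId"])
    return result


# Constructed sample events (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"RecordId": "1", "EventID": "1",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe c:\wordpress\about1.vbs"},
    {"RecordId": "2", "EventID": "11",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"c:\wordpress\about1.vbs"},
    {"RecordId": "3", "EventID": "13", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\qb",
     "Details": "DWORD (0x00000000)"},
    {"RecordId": "4", "EventID": "13", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"RecordId": "5", "EventID": "1", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic /node:SRV01 process call create cmd /c script.bat"},
    {"RecordId": "6", "EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",  # benign
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"WINWORD.EXE invoice.docx"},
]

if __name__ == "__main__":
    for rule, ids in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{rule:28s} records {', '.join(ids)}")
```

The rules are deliberately narrow, which is the point: each one corresponds to a step the article names, and none requires a malware signature. In production the same logic would be fed from a SIEM query rather than an inline list, and the Defender-exclusion and RDP rules should be correlated with the process that made the write (the `Image` field), since legitimate management tools also touch those keys.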