TeamHood 
Certnz has reported that Zeppelin malware is targeting the New Zealand Organizations. The threat actors of Zeppelin is using “ransomware as a service” model to target the organization. Zeppelin was initially reported in the year 2019 and since then it has evloved.
Zeppelin uses phishing emails with a Microsoft Word document to compromise users and their systems.
Zeppelin uses following method to evade detection
- Enable editing when opening the file, and running a macro that extracts the malicious code to disk.
- Running the extracted code when the file is closed
- The extracted code will sleep for 26 seconds before running malicious code in an attempt to bypass security controls e.g. Sandbox.
- Check the device location using geoIP and device language to selectively infect devices.
Zeppelin uses following domains as a cnc server
- iplogger.ru
- iplogger.org
- btxchange.online
The following registries are also impacted by the Zepplin
HKCU\Software\Zeppelin\HKCU\Software\Zeppelin\<Paths registry key>
It was not yet established that which all organizations are targeted by these malware but it is suspected that Zeppelin is actively targeting the healthcare industry.
The ransomware attacks are on the rise globally specially at the time of pandemic. They are actively targeting the Healthcare and critical pharma infrastructure to extort ransomware.
The recent attack on colonial pipeline in US is also another example of Ransomware As A Service where the attackers are trying to create service disruption due to which we have seen that there is a substantial increase in the Gas prices.
