FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson
Staff

Introduction

On 11 Aug CISA released an advisory[1] that provided information on observed IOCs and mitigations associated with recent intrusions that incorporated Zeppelin ransomware. Zeppelin ransomware is a ransomware family operated through the Ransomware-as-a-Service (RaaS) model. The service has operated since at least 2019 under various names; previous iterations of the ransomware family include VegaLocker, Storm and Buran.

Given this ransomware is operated through RaaS, there are a number of affiliates and financially motivated actors employing it as part of their intrusions. This results in a large variation in the TTPs employed during intrusions prior to deployment of the Zeppelin ransomware itself. This can be observed in CISA's reporting, which lists three initial access techniques: T1133 - Exploit External Remote Services, T1190 - Exploit Public-Facing Application and T1566 - Phishing.

The purpose of this article is to highlight how FortiEDR is able to detect and mitigate the execution of Zeppelin ransomware. Given the diverse range of attack chains that have been used to deploy this ransomware, this article will focus solely on execution of the ransomware sample itself rather than the full kill chain mitigations offered by FortiEDR across the whole Zeppelin intrusion.

Execution Analysis

The analyzed Zeppelin ransomware (‘explorer.exe’ – SHA1: 9f4077164fe67ce25d0e64e4bd5e1ab6c95695de) is a Delphi based executable. The executable was named ‘explorer.exe’, likely in an attempt to avoid immediate suspicion. Analysis across various samples did not identify any definitive consistencies in metadata or file characteristics that could be used to support metadata-based hunting, but numerous samples were observed with names matching standard Windows executables.

Figure 1. File information associated with analyzed Zeppelin executable.

For the purpose of simulating how FortiEDR detects and protects against this threat, the Zeppelin sample was executed in a controlled environment in ‘Simulation’ mode. This allows us to observe the behavior of the sample at the various stages of execution/operation without impediment. During testing the Zeppelin sample raised a number of security events throughout its execution and subsequent encryption activities. The first event FortiEDR created was for a malicious File Read. FortiEDR incorporates FortiGuard Threat Intel signatures as part of its pre-execution prevention policy, and in this case the file hash of the analyzed sample was identified as malicious. In ‘Protect’ mode FortiEDR would have prevented execution of the sample. The related event as seen in the FortiEDR console is shown below in Figure 2.

Figure 2. File Read attempt of malicious Zeppelin ransomware sample detected by FortiEDR Execution Prevention policy.

On execution the main Zeppelin executable makes a copy of itself called ‘taskeng.exe’ in the ‘%AppData%\Roaming\Microsoft\Windows\’ directory and then creates an instance of the copied executable with the command line argument ‘-start’. The creation of this file copy is detected and mitigated by FortiEDR due to the previously highlighted signature match, but also because of the suspicious entry point of the main Zeppelin executable, which triggers the ‘Executable Format - Bad Executable File Format’ rule. We can see in Figure 3 below that the entry point for the executable ‘explorer.exe’ is within the ‘.itext’ resource.

Figure 3. The explorer.exe executable has an anomalous entry point which is flagged as suspicious by FortiEDR. This characteristic will allow FortiEDR to detect future iterations of this ransomware family.

Figure 4. The main Zeppelin executable creates a copy called ‘taskeng.exe’ in the ‘%AppData%\Roaming\Microsoft\Windows\’ directory if it is not already there. Once the copy has been created it is executed by the original executable.

It should be noted that when the file hash of the executable was modified, the name of the copy also changed. This name changing functionality was fuzzed by appending random bytes to the file before execution, and a number of possible filenames for the copy were identified as shown in Table 1 below. The file path was always consistent for these file copies, so detecting file creation events for executables with these names in this path should provide a solid detection opportunity.

Zeppelin Filename    File Path
taskeng.exe          %AppData%\Roaming\Microsoft\Windows\
svchost.exe          %AppData%\Roaming\Microsoft\Windows\
csrss.exe            %AppData%\Roaming\Microsoft\Windows\
smss.exe             %AppData%\Roaming\Microsoft\Windows\
explorer.exe         %AppData%\Roaming\Microsoft\Windows\

Table 1. Observed filenames for the copy of Zeppelin ransomware written to the ‘%AppData%\Roaming\Microsoft\Windows\’ directory.

Once created, the copy is executed and begins preparing for encryption operations. As part of these preparations the ransomware will create a registry key ‘HKCU\Software\Zeppelin’ and a number of subkeys and values that contain encryption keys and information used to support the encryption process. This information is likely loaded into the registry to avoid inadvertently encrypting them whilst the ransomware encrypts the file system. Modification of the registry to include these values is detected by FortiEDR as a ‘Modify OS Settings’ event and would be mitigated in ‘Prevention’ mode. FortiEDR automatic playbooks could also be employed to remove this registry change. Figure 5 below shows the related security event generated from the behavior highlighted above.

Figure 5. Main Zeppelin executable launches copy of executable (taskeng.exe) which then begins to modify the registry by adding a private key that will be later used for encryption.

As well as the above registry operations, the main Zeppelin executable will create an entry in the ‘HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ key with the value ‘<victim user AppData>\Roaming\Microsoft\Windows\taskeng.exe -start’. This is a persistence technique (T1547.001[2]) that will cause the ransomware to execute when the user next logs in. This registry change can be seen in FortiEDR Threat Hunting data as shown in Figure 6 below.

Figure 6. Zeppelin ransomware establishes persistence by creating a run key in the victim user’s profile. This can be detected by searching for this particular MITRE technique ID through FortiEDR Threat Hunting data.

As part of its encryption preparation the Zeppelin ransomware copy will attempt to connect to any SMB shares accessible from the compromised host. In the case of this analysis environment no SMB shares were connected for the sample to encrypt, but FortiEDR identified the ‘Network Access’ attempt to ‘smb://’ and created a corresponding security event. If a FortiEDR-protected endpoint were compromised by Zeppelin, FortiEDR would block these network connection attempts, preventing encryption of files on remote shares. The FortiEDR security event related to this behavior can be seen below in Figure 7.

Figure 7. FortiEDR security event generated when the ‘taskeng.exe’ executable (Zeppelin ransomware) attempts to access the ‘smb://’ share to encrypt remote files.

Once the main Zeppelin executable (explorer.exe) has created the copy of itself and the related persistence, it deletes itself, likely for the purposes of defense evasion (T1070.004[3]). To delete its executable, the related process spawns an instance of the notepad.exe executable in the suspended state and performs process hollowing (T1055.012[4]). This hollowed process is then resumed and proceeds to delete the fake ‘explorer.exe’ executable from disk. FortiEDR detects and mitigates this process hollowing and file deletion activity as shown below in Figure 8.

Figure 8. The main Zeppelin executable spawns an instance of notepad.exe and performs process hollowing. The hollowed notepad process then deletes the main Zeppelin executable ‘explorer.exe’.

Following the above, the ‘taskeng.exe’ process that was launched with the ‘-start’ command line argument begins the encryption process. To encrypt the files this ransomware variant spawns a number of instances of itself with the command line arguments ‘-agent <number>’, where number starts at 0. This indicates the ransomware uses these child processes as parallel workers to encrypt the victim endpoint more quickly. Files are encrypted in place and then renamed with an additional file extension appended to the end of the filename. Earlier versions of the Zeppelin ransomware appended the ‘.zeppelin’ file extension, but in the case of newer samples (like the sample above) the file extension is randomized per infection in the form of <3 random hex chars>-<3 random hex chars>-<3 random hex chars>, e.g. DCF-640-CF9.

FortiEDR detects and mitigates this encryption activity through the Ransomware Protection security policy and its ‘File Encryptor’ rule. In ‘Protect’ mode this rule will prevent the file encryption process, therefore protecting the integrity of the files. This detection activity can be observed in Figure 9 below.

Figure 9. The ‘taskeng.exe’ executable then began encrypting files on the target endpoint. This triggered the ‘File Encryptor’ rule in the Ransomware Protection security policy and raised a ‘File Rename’ event. Note the high RDI count (16479) indicating there are 16479 file rename events that match this rule.

As with most ransomware variants, once a folder has been encrypted the ransomware drops a ransom note in each affected folder. In the case of Zeppelin the ransom note name is ‘!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT’ – contents of the ransom note can be seen below in Figure 10. FortiEDR detects the file create operations associated with this behavior as part of the Ransomware Protection policy as shown below in Figure 11.

Figure 10. Zeppelin ransom note dropped in all directories containing a file that was encrypted.

Figure 11. After encrypting the files in each folder, the ‘taskeng.exe’ malicious executable creates a ransom note in each folder where a file was encrypted. This behavior creates a ‘File Creation’ event.

As well as encrypting files on the endpoint, the Zeppelin ransomware executable will also spawn a number of cmd.exe processes to delete volume shadow copies, delete backups through wbadmin and disable automatic backups. These are common activities performed by ransomware on execution to inhibit system recovery (T1490[5]). Figure 12 below shows Process Creation events collected by FortiEDR Threat Hunting showing the spawned child processes and their command line arguments. Note: whilst this can be a reliable detection of ransomware execution, detection at this stage likely indicates that the victim has already been encrypted. This information has been included for completeness; defenders should look for indicators earlier in the intrusion to mitigate this threat proactively.

Figure 12. FortiEDR Threat Hunting Process Creation events related to cmd processes used to inhibit system recovery of a targeted endpoint. These commands are not unique to Zeppelin ransomware.

Conclusion

Since the release of the CISA advisory in August, Zeppelin ransomware has continued to be identified in intrusions across the globe and continues to pose a threat to unprotected organizations. As highlighted in this article, FortiEDR provides strong protection against this ransomware’s behavior, ensuring the integrity of data on protected endpoints. In addition to the standard protections offered by FortiEDR’s security policies, FortiEDR Threat Hunting can be used to identify Zeppelin specific indicators and quickly add context to alerts to support efficient event triage. Some FortiEDR Threat Hunting queries have been provided below to assist with detecting some of these indicators.

Threat Hunting

The following query will return File Create events for files with the ‘exe’ file extension that have been created in the "%AppData%\Roaming\Microsoft\Windows\" directory where the filename matches the observed filenames for Zeppelin ransomware. This will detect the creation of copies of the Zeppelin executable on execution (matching the behavior of taskeng.exe in the above analysis). This query may miss new variants where the name of the copied executable does not match any of the names in Table 1 above. The false positive rate for this query is minimal, but the use of this directory as a staging directory for malware is not unique to Zeppelin ransomware, so other malicious activity may also be returned.

Type:"File Create" AND Target.File.Ext:"exe" AND Target.File.Path:"\\AppData\\Roaming\\Microsoft\\Windows\\" AND Target.File.Name:("explorer.exe" OR "csrss.exe" OR "smss.exe" OR "taskeng.exe" OR "svchost.exe")

The following query will return Process Creation events for files with a filename matching those in Table 1 and the command line argument ‘-start’. This behavior is indicative of the Zeppelin malware beginning its encryption. No false positives were observed with this query.

Type:"Process Creation" AND Target.Process.File.Path:"\\AppData\\Roaming\\Microsoft\\Windows\\" AND Target.Process.File.Name:("explorer.exe" OR "csrss.exe" OR "smss.exe" OR "taskeng.exe" OR "svchost.exe") AND Target.Process.CommandLine:"-start"

The following query will return Process Creation events for files with a filename matching those in Table 1 and the command line argument ‘-agent’. This behavior is indicative of a Zeppelin ransomware process spawning child processes to perform encryption of files on an endpoint. No false positives were observed with this query.

Type:"Process Creation" AND Target.Process.File.Path:"\\AppData\\Roaming\\Microsoft\\Windows\\" AND Target.Process.File.Name:("explorer.exe" OR "csrss.exe" OR "smss.exe" OR "taskeng.exe" OR "svchost.exe") AND Target.Process.CommandLine:"-agent"

The following two queries will identify Process Creation or Executable Loaded events matching known hashes for Zeppelin ransomware samples identified in the IOCs section of this article. No identified false positives.

Type:"Process Creation" AND Target.Process.File.SHA1:("9f4077164fe67ce25d0e64e4bd5e1ab6c95695de" OR "bcccb9f5a28079ccbec6c1cc90b35d96f13acde3" OR "e3e6af9e1be25f86a892018f35876b48b31dcc6c" OR "891a7342374d966cf9cb518c41c18fa16b628a65" OR "6c830eed04570ba8f8873cba3f61ca568f7b9535" OR "3ff15167aa71fc29c7f3ee17fc5f482d8ecceaf2" OR "eb90f945087c270a2ecc11753180ba4ecc270696" OR "325b91c74025c5b5906afdbcbf04558a7b7907e9" OR "b016d45ee46c0579f315362be2dc69703e986cae")

Type:"Executable Loaded" AND Target.Executable.File.SHA1:("9f4077164fe67ce25d0e64e4bd5e1ab6c95695de" OR "bcccb9f5a28079ccbec6c1cc90b35d96f13acde3" OR "e3e6af9e1be25f86a892018f35876b48b31dcc6c" OR "891a7342374d966cf9cb518c41c18fa16b628a65" OR "6c830eed04570ba8f8873cba3f61ca568f7b9535" OR "3ff15167aa71fc29c7f3ee17fc5f482d8ecceaf2" OR "eb90f945087c270a2ecc11753180ba4ecc270696" OR "325b91c74025c5b5906afdbcbf04558a7b7907e9" OR "b016d45ee46c0579f315362be2dc69703e986cae")

The following query will identify registry Value Created events for Windows run keys that point to the "%AppData%\Roaming\Microsoft\Windows\" directory and contain the string ‘-start’. This is indicative of Zeppelin ransomware establishing persistence through the registry. There is a low chance of false positives but false positives may occur where legitimate software installs key executables launched at startup in a user’s “%AppData%” folder. These rare false positives should be filtered out at a per-environment basis as part of query tuning.

Type:"Value Created" AND Registry.Path: ("HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") AND Registry.Data:("\\AppData\\Roaming\\Microsoft\\Windows\\" AND "-start")

The following simple query will identify File Creation events for temp files with the “zeppelin” file extension created as part of the malware’s execution. These temporary files are created early in the execution and are good indicators as they explicitly name the malware family. This is not an official file extension for any current software so the false positive rate is expected to be low.

Type:"File Create" AND Target.File.Ext:"zeppelin"

The following query will identify Thread Created events where the target is notepad with no command line arguments and the source process is not signed. Returned events are indicative of the process hollowing behavior exhibited by Zeppelin, where it hollows a notepad process to delete its on-disk executable. This query has a very low false positive rate, as the Thread Created event indicates a process has created a thread outside its own process and there is minimal reason for any process to perform this type of operation on a notepad process.

Type:"Thread Created" AND Target.Process.Name:"notepad.exe" NOT Source.Process.File.Signed:true NOT _exists_:Target.Process.CommandLine
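As an added example (not FortiEDR code and not part of the original article), the following Python re-implements the logic of the hunting queries above, plus a check for the randomized <hex>-<hex>-<hex> extension described in the Execution Analysis, over constructed FortiEDR-style event records whose field names mirror the queries. The sample events, paths and rule names are assumptions for illustration; hunt() returns per-rule match counts so the same logic can be run over exported telemetry.

```python
import re
from collections import Counter

# Copy filenames from Table 1, staging directory, run key and randomized extension (e.g. DCF-640-CF9).
COPY_NAMES = {"explorer.exe", "csrss.exe", "smss.exe", "taskeng.exe", "svchost.exe"}
STAGING_DIR = "\\appdata\\roaming\\microsoft\\windows\\"
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"
ENC_EXT = re.compile(r"\.[0-9a-f]{3}-[0-9a-f]{3}-[0-9a-f]{3}$", re.IGNORECASE)


def _f(ev, key):  # case-folded string value of an event field ('' when absent)
    return str(ev.get(key, "")).lower()


def _staged(path):  # true when the (case-folded) path lies in the staging directory
    return STAGING_DIR in path.rstrip("\\") + "\\"


def classify(ev):
    """Names of the hunting rules (in the order of the queries above) that match one event."""
    hits, kind = [], ev.get("Type")
    if kind == "File Create":
        if (_f(ev, "Target.File.Ext") == "exe" and _staged(_f(ev, "Target.File.Path"))
                and _f(ev, "Target.File.Name") in COPY_NAMES):
            hits.append("copy_staged")            # copy of the ransomware written to %AppData%
        if _f(ev, "Target.File.Ext") == "zeppelin":
            hits.append("zeppelin_temp_file")     # temp file that names the family
    elif kind == "Process Creation":
        cmd = _f(ev, "Target.Process.CommandLine")
        if _staged(_f(ev, "Target.Process.File.Path")) and _f(ev, "Target.Process.File.Name") in COPY_NAMES:
            if "-start" in cmd:
                hits.append("start_arg")          # copy launched to begin encryption
            if "-agent" in cmd:
                hits.append("agent_arg")          # encryption worker child process
    elif kind == "Value Created":
        data = _f(ev, "Registry.Data")
        if _f(ev, "Registry.Path") == RUN_KEY and STAGING_DIR in data and "-start" in data:
            hits.append("run_key_persistence")    # T1547.001
    elif kind == "Thread Created":
        if (_f(ev, "Target.Process.Name") == "notepad.exe"
                and ev.get("Source.Process.File.Signed") is not True
                and not ev.get("Target.Process.CommandLine")):
            hits.append("notepad_hollowing")      # T1055.012
    elif kind == "File Rename" and ENC_EXT.search(_f(ev, "Target.File.Name")):
        hits.append("encrypted_rename")           # <hex3>-<hex3>-<hex3> extension appended
    return hits


def hunt(events):
    """Per-rule match counts over a batch of events (compare the RDI count in Figure 9)."""
    return dict(Counter(h for ev in events for h in classify(ev)))


STAGE = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"  # assumed victim profile path
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"Type": "File Create", "Target.File.Ext": "exe", "Target.File.Name": "taskeng.exe", "Target.File.Path": STAGE},
    {"Type": "Process Creation", "Target.Process.File.Name": "taskeng.exe", "Target.Process.File.Path": STAGE,
     "Target.Process.CommandLine": STAGE + r"\taskeng.exe -start"},
    {"Type": "Process Creation", "Target.Process.File.Name": "taskeng.exe", "Target.Process.File.Path": STAGE,
     "Target.Process.CommandLine": STAGE + r"\taskeng.exe -agent 0"},
    {"Type": "Value Created", "Registry.Path": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Registry.Data": STAGE + r"\taskeng.exe -start"},
    {"Type": "Thread Created", "Target.Process.Name": "notepad.exe", "Source.Process.File.Signed": False},
    {"Type": "File Rename", "Target.File.Name": "budget.xlsx.DCF-640-CF9"},
    {"Type": "Process Creation", "Target.Process.File.Name": "explorer.exe",  # benign: the real Explorer
     "Target.Process.File.Path": r"C:\Windows", "Target.Process.CommandLine": r"C:\Windows\explorer.exe"},
]
```

Running hunt(SAMPLE_EVENTS) yields one hit per rule and none for the benign Explorer launch; the Thread Created rule stays silent when the source process is signed or the notepad target carries arguments.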

MITRE ATT&CK

TA0003 - Persistence

Technique ID: T1547.001
Technique Description: Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
Observed Activity: Zeppelin ransomware creates a copy of itself in the “%AppData%\Roaming\Microsoft\Windows\” directory and then creates a run key ("HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run") to execute when an endpoint starts. The name of the executable will match one of the executable names in Table 1, but the path is consistent. The executable will be deleted on execution.

TA0005 - Defense Evasion

Technique ID: T1036.005
Technique Description: Masquerading: Match Legitimate Name or Location
Observed Activity: On execution Zeppelin ransomware detects whether it is in the AppData folder. If not, it creates a copy of itself in this directory (%AppData%\Roaming\Microsoft\Windows\) and the copy is named after a standard Windows binary from the list in Table 1 (above). This is likely to avoid immediate detection if an analyst only uses the process name rather than more robust indicators.

Technique ID: T1055.012
Technique Description: Process Injection: Process Hollowing
Observed Activity: Zeppelin ransomware spawns a notepad.exe process in the suspended state, then hollows it and injects a simple payload. This simple payload deletes the Zeppelin executable. This injection is likely done as a form of proxy execution, as a notepad process deleting a file would not be considered abnormal activity.

Technique ID: T1070.004
Technique Description: Indicator Removal on Host: File Deletion
Observed Activity: The hollowed notepad process created by the Zeppelin ransomware on execution is used to delete the original Zeppelin ransomware executable. This deletion is likely intended to inhibit analysis of the executable in a subsequent investigation.

TA0040 - Impact

Technique ID: T1486
Technique Description: Data Encrypted for Impact
Observed Activity: Zeppelin ransomware encrypts files on the victim endpoint by first overwriting their contents with encrypted content and then renaming them with the new file extension. Zeppelin ransomware also attempts to encrypt files on network connected file shares.
IOCs

Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Zeppelin sample | 9f4077164fe67ce25d0e64e4bd5e1ab6c95695de | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample analyzed in this article. Appends random file extension per analysis above. | 2022-08-28
Zeppelin sample | bcccb9f5a28079ccbec6c1cc90b35d96f13acde3 | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-10-14
Zeppelin sample | e3e6af9e1be25f86a892018f35876b48b31dcc6c | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-10-12
Zeppelin sample | 891a7342374d966cf9cb518c41c18fa16b628a65 | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-10-04
Zeppelin sample | 6c830eed04570ba8f8873cba3f61ca568f7b9535 | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-10-01
Zeppelin sample | 3ff15167aa71fc29c7f3ee17fc5f482d8ecceaf2 | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-09-26
Zeppelin sample | eb90f945087c270a2ecc11753180ba4ecc270696 | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-09-21
Zeppelin sample | 325b91c74025c5b5906afdbcbf04558a7b7907e9 | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-09-12
Zeppelin sample | b016d45ee46c0579f315362be2dc69703e986cae | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-09-04

[1] https://www.cisa.gov/uscert/ncas/alerts/aa22-223a

[2] https://attack.mitre.org/techniques/T1547/001

[3] https://attack.mitre.org/techniques/T1070/004

[4] https://attack.mitre.org/techniques/T1055/012

[5] https://attack.mitre.org/techniques/T1490
