On 11 Aug CISA released an advisory[1] that provided information on observed IOCs and mitigations associated with recent intrusions that incorporated Zeppelin ransomware. Zeppelin ransomware is a ransomware family operated through the Ransomware-as-a-Service (RaaS) model. The service has operated since at least 2019 under various names; previous iterations of the ransomware family include VegaLocker, Storm and Buran.
Given this ransomware is operated through RaaS, there are a number of affiliates and financially motivated actors employing it as part of their intrusions. This results in a large variation in the TTPs employed prior to deployment of the Zeppelin ransomware itself. This can be observed in CISA's reporting, which lists three initial access techniques: T1133 - Exploit External Remote Services, T1190 - Exploit Public-Facing Application and T1566 - Phishing.
The purpose of this article is to highlight how FortiEDR is able to detect and mitigate the execution of Zeppelin ransomware. Given the diverse range of possible attack chains that have been used to deploy this ransomware, this article will focus solely on execution of the ransomware sample itself rather than full kill chain mitigations offered by FortiEDR associated with the whole Zeppelin intrusion.
The analyzed Zeppelin ransomware (‘explorer.exe’ – SHA1: 9f4077164fe67ce25d0e64e4bd5e1ab6c95695de) is a Delphi-based executable. The executable was named ‘explorer.exe’, likely in an attempt to avoid immediate suspicion. Analysis across various samples did not identify any definitive consistencies in metadata or file characteristics that could support metadata-based hunting, but numerous samples were observed with names matching standard Windows executables.
Figure 1. File information associated with analyzed Zeppelin executable.
For the purpose of simulating how FortiEDR detects and protects against this threat, the Zeppelin sample was executed in a controlled environment in ‘Simulation’ mode. This allows us to observe the behavior of the sample at the various stages of execution without impediment. During testing the Zeppelin sample raised a number of security events throughout its execution and subsequent encryption activities. The first event FortiEDR created was for a malicious File Read. FortiEDR incorporates FortiGuard Threat Intel signatures as part of its pre-execution prevention policy, and in this case the file hash of the analyzed sample was identified as malicious. In ‘Protect’ mode FortiEDR would have prevented execution of the sample. The related event as seen in the FortiEDR console is shown below in Figure 2.
Figure 2. File Read attempt of malicious Zeppelin ransomware sample detected by FortiEDR Execution Prevention policy.
On execution the main Zeppelin executable makes a copy of itself called ‘taskeng.exe’ in the ‘%AppData%\Roaming\Microsoft\Windows\’ directory and then creates an instance of the copied executable with the command line argument ‘-start’. The creation of this file copy is detected and mitigated by FortiEDR due to the previously highlighted signature match, but also because of the suspicious entry point of the main Zeppelin executable, which triggers the ‘Executable Format - Bad Executable File Format’ rule. We can see in Figure 3 below that the entry point for the executable ‘explorer.exe’ is within the ‘.itext’ resource.
Figure 3. The explorer.exe executable has an anomalous entry point which is flagged as suspicious by FortiEDR. This characteristic will allow FortiEDR to detect future iterations of this ransomware family.
Figure 4. Main Zeppelin executable creates a copy called ‘taskeng.exe’ in the ‘%AppData%\Roaming\Microsoft\Windows\’ directory if it is not already there. Once the copy has been created it is executed by the original executable.
It should be noted that when the file hash of the executable was modified, the name of the copy also changed. This name-changing functionality was fuzzed by appending random bytes to the file before execution, and a number of possible filenames for the copy were identified, as shown in Table 1 below. The file path was always consistent for these file copies, so detecting file creation events for executables with these names in this path should provide a solid detection opportunity.
Zeppelin Filename | File Path
taskeng.exe | %AppData%\Roaming\Microsoft\Windows\
svchost.exe | %AppData%\Roaming\Microsoft\Windows\
csrss.exe | %AppData%\Roaming\Microsoft\Windows\
smss.exe | %AppData%\Roaming\Microsoft\Windows\
explorer.exe | %AppData%\Roaming\Microsoft\Windows\
Table 1. Observed filenames for the copy of Zeppelin ransomware written to the ‘%AppData%\Roaming\Microsoft\Windows\’ directory.
Once created, the copy is executed and begins preparing for encryption operations. As part of these preparations the ransomware creates the registry key ‘HKCU\Software\Zeppelin’ and a number of subkeys and values that contain encryption keys and information used to support the encryption process. This information is likely stored in the registry to avoid inadvertently encrypting it whilst the ransomware encrypts the file system. Modification of the registry to include these values is detected by FortiEDR as a ‘Modify OS Settings’ event and would be mitigated in ‘Prevention’ mode. FortiEDR automatic playbooks could also be employed to remove this registry change. Figure 5 below shows the related security event generated from the behavior highlighted above.
Figure 5. Main Zeppelin executable launches copy of executable (taskeng.exe) which then begins to modify the registry by adding a private key that will be later used for encryption.
As well as the above registry operations, the main Zeppelin executable will create an entry in the ‘HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ key with the value ‘<victim user AppData>\Roaming\Microsoft\Windows\taskeng.exe -start’. This is a persistence technique (T1547.001[2]) that will cause the ransomware to execute when the user next logs in. This registry change can be seen in FortiEDR Threat Hunting data as shown in Figure 6 below.
Figure 6. Zeppelin ransomware establishes persistence by creating a run key in the victim user’s profile. This can be detected by searching for this particular MITRE technique ID through FortiEDR Threat Hunting data.
As part of its encryption preparation the Zeppelin ransomware copy will attempt to connect to any SMB shares accessible from the compromised host. In the case of this analysis environment no SMB shares were connected for the sample to encrypt but FortiEDR identified the ‘Network Access’ attempt to ‘smb://’ and created a corresponding security event. In the event that a compromised endpoint was affected by Zeppelin malware, FortiEDR will block these network connection attempts preventing encryption of files on remote shares. The FortiEDR security event related to this behavior can be seen below in Figure 7.
Figure 7. FortiEDR security event generated when the ‘taskeng.exe’ executable (Zeppelin ransomware) attempts to access the ‘smb://’ share to encrypt remote files.
Once the main Zeppelin executable (explorer.exe) has created the copy of itself and the related persistence, it deletes itself, likely for the purposes of defense evasion (T1070.004[3]). To delete its executable, the process spawns an instance of notepad.exe in the suspended state and performs process hollowing (T1055.012[4]). The hollowed process is then resumed and proceeds to delete the fake ‘explorer.exe’ executable from disk. FortiEDR detects and mitigates this process hollowing and file deletion activity as shown below in Figure 8.
Figure 8. The main Zeppelin executable spawns an instance of notepad.exe and performs process hollowing. The hollowed notepad process then deletes the main Zeppelin executable ‘explorer.exe’.
Following the above, the ‘taskeng.exe’ process that was launched with the ‘-start’ command line argument begins the encryption process. To encrypt files, this ransomware variant spawns a number of instances of itself with the command line arguments ‘-agent <number>’, where the number starts at 0. This indicates the ransomware uses these child processes as parallel workers to encrypt the victim endpoint more quickly. Files are encrypted in place and then renamed with an additional file extension appended to the end of the filename. Earlier versions of the Zeppelin ransomware appended the ‘.zeppelin’ file extension, but newer samples (like the sample above) randomize the file extension per infection in the form <3 random hex chars>-<3 random hex chars>-<3 random hex chars>, e.g. DCF-640-CF9.
FortiEDR detects and mitigates this encryption activity through the Ransomware Protection security policy and its ‘File Encryptor’ rule. In ‘Protect’ mode this rule will prevent the file encryption process, therefore protecting the integrity of the files. This detection activity can be observed in Figure 9 below.
Figure 9. The ‘taskeng.exe’ executable then began encrypting files on the target endpoint. This triggered the ‘File Encryptor’ rule in the Ransomware Protection security policy and raised a ‘File Rename’ event. Note the high RDI count (16479) indicating there are 16479 file rename events that match this rule.
As with most ransomware variants, once a folder has been encrypted the ransomware drops a ransom note in each affected folder. In the case of Zeppelin the ransom note name is ‘!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT’ – contents of the ransom note can be seen below in Figure 10. FortiEDR detects the file create operations associated with this behavior as part of the Ransomware Protection policy as shown below in Figure 11.
Figure 10. Zeppelin ransom note dropped in all directories containing a file that was encrypted.
Figure 11. After encrypting files in each folder, the ‘taskeng.exe’ malicious executable creates a ransom note in each folder where a file was encrypted. This behavior creates a ‘File Creation’ event.
As well as encrypting files on the endpoint, the Zeppelin ransomware executable will also spawn a number of cmd.exe processes to delete volume shadow copies, delete backups through wbadmin and disable automatic backups. These are common activities performed by ransomware on execution to inhibit system recovery (T1490[5]). Figure 12 below shows Process Creation events collected by FortiEDR Threat Hunting, showing the spawned child processes and their command line arguments. Note: whilst this can be a reliable detection of ransomware execution, detection at this stage likely indicates that the victim has already been encrypted. This information has been included for completeness; defenders should look for indicators earlier in the intrusion to proactively mitigate this threat.
Figure 12. FortiEDR Threat Hunting Process Creation events related to cmd processes used to inhibit system recovery of a targeted endpoint. These commands are not unique to Zeppelin ransomware.
Since the release of the CISA advisory in August, Zeppelin ransomware has continued to be identified in intrusions across the globe and continues to pose a threat to unprotected organizations. As highlighted in this article, FortiEDR provides strong protection against this ransomware’s behavior, ensuring the integrity of data on protected endpoints. In addition to the standard protections offered by FortiEDR’s security policies, FortiEDR Threat Hunting can be used to identify Zeppelin-specific indicators and quickly add context to alerts to support efficient event triage. Some FortiEDR Threat Hunting queries have been provided below to assist with detecting some of these indicators.
The following query will return File Create events for files with the ‘exe’ file extension that have been created in the "%AppData%\Roaming\Microsoft\Windows\" directory where the filename matches observed filenames for Zeppelin ransomware. This will detect the creation of copies of the Zeppelin executable created on execution (matching the behavior of taskeng.exe in the above analysis). This query may miss new variants where the name of the copied executable does not match any of the names in Table 1 above. The false positive rate for this query is minimal, but the use of this directory as a staging directory for malware is not unique to Zeppelin ransomware, so other malicious activity may be observed with this query.
Type:"File Create" AND Target.File.Ext:"exe" AND Target.File.Path:"\\AppData\\Roaming\\Microsoft\\Windows\\" AND Target.File.Name:("explorer.exe" OR "csrss.exe" OR "smss.exe" OR "taskeng.exe" OR "svchost.exe")
The following query will return Process Creation events for files with a filename matching those in Table 1 and the command line argument ‘-start’. This behavior is indicative of the Zeppelin malware beginning its encryption. No false positives were observed with this query.
Type:"Process Creation" AND Target.Process.File.Path:"\\AppData\\Roaming\\Microsoft\\Windows\\" AND Target.Process.File.Name:("explorer.exe" OR "csrss.exe" OR "smss.exe" OR "taskeng.exe" OR "svchost.exe") AND Target.Process.CommandLine:"-start"
The following query will return Process Creation events for files with a filename matching those in Table 1 and the command line argument ‘-agent’. This behavior is indicative of a Zeppelin ransomware process spawning child processes to perform encryption of files on an endpoint. No false positives were observed with this query.
Type:"Process Creation" AND Target.Process.File.Path:"\\AppData\\Roaming\\Microsoft\\Windows\\" AND Target.Process.File.Name:("explorer.exe" OR "csrss.exe" OR "smss.exe" OR "taskeng.exe" OR "svchost.exe") AND Target.Process.CommandLine:"-agent"
The following two queries will identify Process Creation or Executable Loaded events matching known hashes for Zeppelin ransomware samples identified in the IOCs section of this article. No identified false positives.
Type:"Process Creation" AND Target.Process.File.SHA1:("9f4077164fe67ce25d0e64e4bd5e1ab6c95695de" OR "bcccb9f5a28079ccbec6c1cc90b35d96f13acde3" OR "e3e6af9e1be25f86a892018f35876b48b31dcc6c" OR "891a7342374d966cf9cb518c41c18fa16b628a65" OR "6c830eed04570ba8f8873cba3f61ca568f7b9535" OR "3ff15167aa71fc29c7f3ee17fc5f482d8ecceaf2" OR "eb90f945087c270a2ecc11753180ba4ecc270696" OR "325b91c74025c5b5906afdbcbf04558a7b7907e9" OR "b016d45ee46c0579f315362be2dc69703e986cae")
Type:"Executable Loaded" AND Target.Executable.File.SHA1:("9f4077164fe67ce25d0e64e4bd5e1ab6c95695de" OR "bcccb9f5a28079ccbec6c1cc90b35d96f13acde3" OR "e3e6af9e1be25f86a892018f35876b48b31dcc6c" OR "891a7342374d966cf9cb518c41c18fa16b628a65" OR "6c830eed04570ba8f8873cba3f61ca568f7b9535" OR "3ff15167aa71fc29c7f3ee17fc5f482d8ecceaf2" OR "eb90f945087c270a2ecc11753180ba4ecc270696" OR "325b91c74025c5b5906afdbcbf04558a7b7907e9" OR "b016d45ee46c0579f315362be2dc69703e986cae")
The following query will identify registry Value Created events for Windows run keys that point to the "%AppData%\Roaming\Microsoft\Windows\" directory and contain the string ‘-start’. This is indicative of Zeppelin ransomware establishing persistence through the registry. There is a low chance of false positives, but they may occur where legitimate software installs executables launched at startup in a user’s “%AppData%” folder. These rare false positives should be filtered out on a per-environment basis as part of query tuning.
Type:"Value Created" AND Registry.Path: ("HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") AND Registry.Data:("\\AppData\\Roaming\\Microsoft\\Windows\\" AND "-start")
The following simple query will identify File Creation events for temp files with the “zeppelin” file extension created as part of the malware’s execution. These temporary files are created early in the execution and are good indicators as they explicitly name the malware family. This is not an official file extension for any current software so the false positive rate is expected to be low.
Type:"File Create" AND Target.File.Ext:"zeppelin"
The following query will identify Thread Created events where the target is notepad with no command line arguments and the source process is not signed. Returned events are indicative of the process hollowing behavior exhibited by Zeppelin, where it hollows a notepad process to delete its on-disk executable. This query has a very low false positive rate, as the Thread Created event indicates a process has created a thread in another process, and there is minimal reason for any legitimate process to perform this type of operation on a notepad process.
Type:"Thread Created" AND Target.Process.Name:"notepad.exe" NOT Source.Process.File.Signed:true NOT _exists_:Target.Process.CommandLine
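As an added illustration that is not part of the original article or of FortiEDR, the logic of the hunting queries above, together with the per-infection XXX-XXX-XXX extension described in the encryption section, is expressed here as a small Python classifier run over constructed telemetry records; the event field names and the sample records are assumptions, not FortiEDR's schema or real output:

```python
import re

# Copy names observed for the Zeppelin executable (Table 1) and the directory it is staged in.
COPY_NAMES = {"taskeng.exe", "svchost.exe", "csrss.exe", "smss.exe", "explorer.exe"}
STAGING_DIR = "\\AppData\\Roaming\\Microsoft\\Windows\\"
RUN_KEY = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
# Newer samples append a per-infection extension of the form DCF-640-CF9.
RANDOM_EXT = re.compile(r"^[0-9a-f]{3}-[0-9a-f]{3}-[0-9a-f]{3}$", re.IGNORECASE)

def in_staging_dir(path):
    return STAGING_DIR.lower() in path.lower()

def classify(ev):
    """Return the name of the hunting rule a single telemetry event matches, or None."""
    kind = ev.get("type")
    name = ev.get("file_name", "").lower()
    path = ev.get("file_path", "")
    if kind == "File Create":
        if in_staging_dir(path) and name in COPY_NAMES:
            return "zeppelin_copy_written"      # ransomware copy dropped under a Table 1 name
        if name.endswith(".zeppelin"):
            return "zeppelin_temp_file"         # temp file that explicitly names the family
    elif kind == "Process Creation" and in_staging_dir(path) and name in COPY_NAMES:
        cmd = ev.get("command_line", "")
        if "-start" in cmd:
            return "zeppelin_start"             # copy launched to coordinate encryption
        if "-agent" in cmd:
            return "zeppelin_agent"             # child process used as an encryption worker
    elif kind == "Value Created":
        data = ev.get("registry_data", "")
        if ev.get("registry_path", "").upper() == RUN_KEY.upper() and in_staging_dir(data) and "-start" in data:
            return "zeppelin_run_key"           # T1547.001 persistence
    elif kind == "Thread Created":
        # Thread created in an argument-less notepad.exe by an unsigned process: the hollowing used for self-deletion.
        if (ev.get("target_process", "").lower() == "notepad.exe"
                and not ev.get("source_signed") and not ev.get("target_command_line")):
            return "notepad_hollowing"
    elif kind == "File Rename":
        new = ev.get("new_name", "")
        if "." in new and RANDOM_EXT.match(new.rsplit(".", 1)[1]):
            return "zeppelin_random_extension"  # encrypted file renamed with an XXX-XXX-XXX extension
    return None

def scan(events):
    """Return (event index, rule name) for every event that matched a rule."""
    hits = []
    for i, ev in enumerate(events):
        rule = classify(ev)
        if rule:
            hits.append((i, rule))
    return hits

# Constructed sample telemetry (not real FortiEDR output) following the chain described in the article.
USER_DIR = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\"
SAMPLE_EVENTS = [
    {"type": "File Create", "file_path": USER_DIR, "file_name": "taskeng.exe"},
    {"type": "Process Creation", "file_path": USER_DIR, "file_name": "taskeng.exe", "command_line": USER_DIR + "taskeng.exe -start"},
    {"type": "Value Created", "registry_path": RUN_KEY, "registry_data": USER_DIR + "taskeng.exe -start"},
    {"type": "Thread Created", "target_process": "notepad.exe", "source_signed": False},
    {"type": "Process Creation", "file_path": USER_DIR, "file_name": "taskeng.exe", "command_line": USER_DIR + "taskeng.exe -agent 0"},
    {"type": "File Rename", "new_name": "budget.xlsx.DCF-640-CF9"},
    {"type": "File Create", "file_path": "C:\\Windows\\System32\\", "file_name": "svchost.exe"},  # benign: not the staging dir
    {"type": "File Rename", "new_name": "notes.txt.bak"},  # benign: ordinary extension
]
```

Running scan(SAMPLE_EVENTS) flags the first six records in the order the article describes them and leaves the two benign records untouched.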
TA0003 - Persistence
Technique ID | Technique Description | Observed Activity
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder | Zeppelin ransomware creates a copy of itself in the “%AppData%\Roaming\Microsoft\Windows\” directory and then creates a run key ("HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run") to execute when an endpoint starts. The name of the executable will match one of the executable names in Table 1 but the path is consistent. The executable will be deleted on execution.
TA0005 – Defense Evasion
Technique ID | Technique Description | Observed Activity
T1036.005 | Masquerading: Match Legitimate Name or Location | On execution Zeppelin ransomware detects whether it is in the AppData folder. If not, it creates a copy of itself in this directory (%AppData%\Roaming\Microsoft\Windows\) and the copy is named after a standard Windows binary from the list in Table 1 (above). This is likely to avoid immediate detection if an analyst only uses process name rather than more robust indicators.
T1055.012 | Process Injection: Process Hollowing | Zeppelin ransomware spawns a notepad.exe process in the suspended state, hollows it and injects a simple payload. This simple payload deletes the Zeppelin executable. This injection is likely done as a form of proxy execution, as a notepad process deleting a file would not be considered abnormal activity.
T1070.004 | Indicator Removal on Host: File Deletion | The hollowed notepad process created by the Zeppelin ransomware on execution is used to delete the original Zeppelin ransomware executable. This deletion is likely to inhibit analysis of the executable in a subsequent investigation.
TA0040 - Impact
Technique ID | Technique Description | Observed Activity
T1468 | Data Encrypted for Impact | Zeppelin ransomware encrypts files on the victim endpoint by first overwriting their contents with encrypted content, then renaming them with the new file extension. Zeppelin ransomware also attempts to encrypt files on network connected file shares.
IOCs
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Zeppelin sample | 9f4077164fe67ce25d0e64e4bd5e1ab6c95695de | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample analyzed in this article. Appends random file extension per analysis above. | 2022-08-28
Zeppelin sample | bcccb9f5a28079ccbec6c1cc90b35d96f13acde3 | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-10-14
Zeppelin sample | e3e6af9e1be25f86a892018f35876b48b31dcc6c | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-10-12
Zeppelin sample | 891a7342374d966cf9cb518c41c18fa16b628a65 | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-10-04
Zeppelin sample | 6c830eed04570ba8f8873cba3f61ca568f7b9535 | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-10-01
Zeppelin sample | 3ff15167aa71fc29c7f3ee17fc5f482d8ecceaf2 | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-09-26
Zeppelin sample | eb90f945087c270a2ecc11753180ba4ecc270696 | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-09-21
Zeppelin sample | 325b91c74025c5b5906afdbcbf04558a7b7907e9 | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-09-12
Zeppelin sample | b016d45ee46c0579f315362be2dc69703e986cae | SHA1 Hash | Actions on Objectives | Zeppelin ransomware sample submitted to VirusTotal. Appends random file extension per analysis above. | 2022-09-04
[1] https://www.cisa.gov/uscert/ncas/alerts/aa22-223a
[2] https://attack.mitre.org/techniques/T1547/001
[3] https://attack.mitre.org/techniques/T1070/004
Copyright 2024 Fortinet, Inc. All Rights Reserved.