Zeppelin Ransomware

An attacker logged into the honeypot and dropped and ran Zeppelin within 5 minutes of logging in. Zeppelin is from the VegaLocker/Buran family. More info can be found at cylance.com and bleepingcomputer.com. According to bleepingcomputer, affiliates earn 75% of the ransom payment while the operators earn 25%. Here’s some info from the attack.

Attacker logged in from 85.203.44[.]49

Zeppelin copies itself to %APPDATA%\Microsoft\Windows\spoolsv.exe and then deletes the original file. The copy is also deleted after it runs.

Zeppelin writes information to HKCU\Software\Zeppelin but unfortunately this key was missing upon investigation.

Zeppelin runs the following commands upon execution, which should look familiar. These are commands we have seen time and time again during ransomware runs.

  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • bcdedit /set {default} recoveryenabled no
  • wbadmin delete catalog -quiet
  • wbadmin delete systemstatebackup
  • wbadmin delete backup
  • wmic shadowcopy delete
  • vssadmin delete shadows /all /quiet
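The two host-level behaviors above (a spoolsv.exe copy living under %APPDATA% instead of System32, and the burst of bcdedit/wbadmin/wmic/vssadmin recovery-inhibition commands) are straightforward to catch from process-creation telemetry. The following Python is an added detection example written for this post, not code from the original write-up or from any Zeppelin sample; the event records, paths and PIDs are constructed to mimic Sysmon Event ID 1 fields and are not real honeypot logs.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# Paths and PIDs are made up for the example; they are not from the honeypot.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\spoolsv.exe",
     "cmdline": r"C:\Windows\System32\spoolsv.exe"},                      # real print spooler
    {"pid": 5544, "image": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe",
     "cmdline": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe"},  # masquerade
    {"pid": 5600, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 5601, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 5602, "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 5603, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 5604, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 5700, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                                  # benign admin query
]

# Command-line patterns for the recovery-inhibition commands listed in the post.
RECOVERY_INHIBITION_RULES = [
    ("bcdedit_ignore_failures", re.compile(r"bcdedit.*\bbootstatuspolicy\s+ignoreallfailures", re.I)),
    ("bcdedit_recovery_off",    re.compile(r"bcdedit.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete",          re.compile(r"wbadmin\s+delete\s+(catalog|systemstatebackup|backup)\b", re.I)),
    ("wmic_shadowcopy_delete",  re.compile(r"wmic\s+shadowcopy\s+delete", re.I)),
    ("vssadmin_delete_shadows", re.compile(r"vssadmin\s+delete\s+shadows", re.I)),
]

# The only legitimate location for the print spooler binary.
SYSTEM_SPOOLSV = re.compile(r"^[a-z]:\\windows\\system32\\spoolsv\.exe$", re.I)


def check_masquerade(event):
    """Flag spoolsv.exe executing from anywhere other than System32."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    if name == "spoolsv.exe" and not SYSTEM_SPOOLSV.match(event["image"]):
        return "spoolsv_outside_system32"
    return None


def check_recovery_inhibition(event):
    """Return the name of the first recovery-inhibition rule the command line matches."""
    for rule_name, pattern in RECOVERY_INHIBITION_RULES:
        if pattern.search(event["cmdline"]):
            return rule_name
    return None


def scan(events):
    """Run every check over every event; return (pid, rule) tuples for each hit."""
    findings = []
    for ev in events:
        for check in (check_masquerade, check_recovery_inhibition):
            hit = check(ev)
            if hit:
                findings.append((ev["pid"], hit))
    return findings


def distinct_inhibition_rules(findings):
    """Distinct recovery-inhibition rules seen; several in one session is the
    high-confidence signal, since admins rarely run all of these together."""
    names = {name for name, _ in RECOVERY_INHIBITION_RULES}
    return {rule for _, rule in findings if rule in names}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for pid, rule in hits:
        print(f"pid {pid}: {rule}")
    print(f"distinct recovery-inhibition rules: {len(distinct_inhibition_rules(hits))}")
```

The per-command rules will fire on a single `vssadmin delete shadows` from a legitimate admin, so the useful alert is the aggregate: several distinct recovery-inhibition rules from one host within a short window, which is exactly the pattern this run shows.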

Here we can see that Defender has a signature for Zeppelin. Defender blocked the file at first, but the attacker then released it from quarantine and turned Defender off.

This file was dropped and run to view Zeppelin logs as it ran.

This is what the batch file output looked like when it ran. It ran after the registry key had already been deleted, so there is no additional information.

Ransomware note:

I wasn’t able to grab the executable but this any.run example is similar in behaviors https://app.any.run/tasks/3b9f8dce-f9d1-49e0-943e-a29744a21e99/

IOCs can be found in MISP Priv Event ID 65585 or CIRCL OSINT UUID 5e762921-1e0c-4d3a-9306-4988950d210f
