TAG cybersecurity experts: The breadth of targets in those campaigns stands in contrast to many government-backed operations.
Technical analysis by the Malware Hunter JAMESWT
Zeppelin-Buran is hiding behind fake UPS invoices. The ransomware has the ability to exfiltrate data as well as encrypt it. The victim, opening a link and the downloaded word document, activates the malware infection chain
The malspam campaign on UPS changes distributed malware: yesterday it was Dridex and today it is Zeppelin-Buran. In these hours, emails on false invoices with malicious links are circulating. By opening them, a doc document is downloaded. It contacts a random url from a list and downloads a self-extracting executable, which starts the ransomware infection chain. Buran is very popular malware lately as ransomware-as-a-service (RaaS). This, however, in addition to encrypting the data also has a function to exfiltrate them. Fundamental ability for the double extortion strategy, increasingly used by cybercrime. Yesterday, however, the same links downloaded the malicious doc document that carried the banking Trojan.
The fake UPS email
The doc document that contacts a random list from a within list
The link list
The files in the self-extracting document
The ransom note