Technical analysis by the Malware Hunter JAMESWT

Zeppelin-Buran is hiding behind fake UPS invoices. The ransomware has the ability to exfiltrate data as well as encrypt it. The victim, opening a link and the downloaded word document, activates the malware infection chain

The malspam campaign on UPS changes distributed malware: yesterday it was Dridex and today it is Zeppelin-Buran. In these hours, emails on false invoices with malicious links are circulating. By opening them, a doc document is downloaded. It contacts a random url from a list and downloads a self-extracting executable, which starts the ransomware infection chain. Buran is very popular malware lately as ransomware-as-a-service (RaaS). This, however, in addition to encrypting the data also has a function to exfiltrate them. Fundamental ability for the double extortion strategy, increasingly used by cybercrime. Yesterday, however, the same links downloaded the malicious doc document that carried the banking Trojan.

The fake UPS email

The doc document that contacts a random list from a within list

The link list

The files in the self-extracting document

The ransom note