A Zeus variant that first surfaced in August 2016 called Zeppelin has resurfaced and is now being used to compromise Web servers to distribute its payload. The threat researchers at Forcepoint Security Labs said they first started seeing new Zeppelin malware samples on July 31, 2018. They said it is unclear where the infection process begins, but evidence suggests that it starts with a phishing email attachment carrying an embedded iframe tag that loads a remote script. The iframe directs the browser to a remote site hosting an HTML application that fetches and executes the malware.
Zeppelin is also one of the more rare examples of a malware variant branching out from just being banking malware. Research from Forcepoint reported that the initial activity observed had been confined to Web servers with content management systems (CMS). What drove researchers crazy, however, was its ability to compromise CMS-powered websites without stealing credentials or other sensitive data.
The researchers noted that the phishing campaign used email attachments containing a malicious iframe tag to load an HTML file. This iframe is hosted on a server hosting a code editor tool. The HTML file then fetches a remote script that, in turn, downloads the malware payload. Forcepoint is unsure how the iframe gets injected into the email, but they believe it could be done through a compromised website.
“The ZeuS variant itself is fairly basic,” wrote the researchers. “It has only one module for stealing credentials from browsers and one for checking its C&C server for new commands.” It is about 20KB in size and uses HTTP for communication with its command server. A new infection attempt was found targeting an undisclosed CMS platform on September 17, 2018. This attempted infection differed from previous attempts by using a script to fetch Zeppelin rather than an HTML file that downloads it remotely.
The way to protect yourself from Zeppelin is to avoid opening an email from an unknown sender, especially from a sender you don’t expect to send you anything. The recommendation To protect against any data leakage through the Web server is to use your CMS’s most recent version of the software.
You should also make sure you are using a web application firewall (WAF) to block any malicious requests and a web application firewall to protect the server. It would be best if you also implemented regular security patches and password changes on your CMS. This way, the criminals won’t be able to break into your system.