Today someone posted about a Ransomware attack on the local chat plaform Jodel (don't judge please, as you know the sketchy corners of the web get you the best samples :D) which instantly peaked my interest. What I got was this email and the two attached files.
The two attached files Applicant Name - Lebenslauf Aktuell.doc.lnk and Applicant Name - Arbeitszeugnisse Aktuell.doc.lnk are made to look like Microsoft Office Documents but are actually just Windows File Shortcuts and can easily be parsed with the LNK Parser @ Google Code. The output looks like this:
The person who provided me with this data was kind enough to also include the ransom note, which is, unlike most ransomware strains out the in the wild wild cyber west, not a txt File but rather a HTML file. It includes links to bitcoin exchanges, a hardcoded wallet address and asks for 0.15038835 BTC as a ransom. Just like the E-Mail it is written in spotless german but without Umlauts (ä,ö,ü). A cleaned sample can be found here Communication with the attacker's server at 188.8.131.52 (hosted at OVH) is done via a php script at the bottom of the ransom note. Since the server was not reachable at the time of analysis I could not take a closer look at neither the script nor the dropped .hta file that is run via the powershell command in the .lnks. The most worrying thing about this sample is the "encryption" though. Every file touched by GermanWiper is overwritten with zeros. A list of file extensions used by the wiper can be found on pastebin. Because of this behaviour the malware was dubbed "GermanWiper" by Michael Gillespie (@Demonslay335). The BleepingComputer Forum post discussing this strain can be found here.
Update: A look at the dropped executable
GermanWiper available @ https://malshare.com/sample.php?action=detail&hash=36ccd442755d482900b57188ae3a89a7 sha256 41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c
As a first step I like to run my samples through "Detect it easy" to get a first look at what to expect. Not a huge discovery, but it interesting none the less that the executable was likely compiled with Visual Studio 2010.
Let's check the entropy of the sample to see if it is packed. Heavy obfuscation is a rare sight for ransomware, but running your executable through a packer or crypter of some sort might avoid detection through already existing signatures and ransom campaigns often ship more than one version of their executable.
A quick test to see how much effort the attackers have put into it is to try to unpack it with upx, but no such luck in this case: I'm not quite sure why, but the attackers set an Amazon Logo as a file icon for the malware. Maybe to lure the victim into clicking on it ?