Pierluigi Paganini August 05, 2019

Recently a data-wiping malware tracked as GermanWiper has been targeting German organizations, the malicious code is pushed via phishing messages.

GermanWiper is being distributed in Germany through spam messages that pretend to be emails sent by a job applicant named Lena Kretschmer that is submitting her resume.

The messages have the subject “Ihr Stellenangebot – Bewerbung [Your job offer – Application] – Lena Kretschmer” and have an attachment titled “Unterlagen_Lena_Kretschmer.zip”.

The archive in attachment contains two files that pretend to be PDF resumes for the sender, instead, they are actually shortcuts (LNK) that execute a PowerShell command to download an HTA file from the expandingdelegation[.]top site and execute it on the victim machine.

The HTA will download the ransomware executable and save it to the C:\Users\Public folder and as an executable having a file name composed of three letters, then the GermanWiper is launched.

The malicious code was first reported on the BleepingComputer forum last week, it is classified as a destructive wiper rather than ransomware.

Once infected a system, the GermanWiper deletes files and leaves a ransom note asking for the payment of BTC 0.15038835.

Anyway, the operators behind this campaign tell to the victims that their data was encrypted and not deleted, they used a set of Bitcoin addresses for the payment.

The reality is that the malware simply overwrites the content of the file with zeroes and ones.

“The first sample seen by security researchers was built on Monday, July 29. The ID Ransomware service started to receive submissions the same day, a little after 10 AM CEST,  MalwareHunterTeam told BleepingComputer.” reported BleepingComputer.

The following graph shows the number of submissions for GermanWiper to the ID Ransomware service, suggesting the activity is still ongoing.

Experts at BleepingComputer published several details about the wiper. When the malware is launched, it attempts to terminate processes associated with any software (i.e. notepad.exe, mysql.exe,oracle.exe) that can lock the file to encrypt.

The wiper skips files that are essential for Windows to work correctly, it appends to the filenames of deleted files a random 5 character extension to trick the victim into believing that they have been encrypted by ransomware.

Once complete the deletion process, GermanWiper also removes the shadow volume copies and disables Windows automatic startup repair.

Experts noticed that GermanWiper has some similarities with a variant of the Sodinokibi ransomware that was involved in a recent spam campaign impersonating BSI.

Furthermore, the same delivery method used by Sodinokibi (malicious shortcut files masquerading as PDFs, and the use of HTA to extract and deploy the malware) is observed in the GermanWiper attacks.

The German CERT also warned of the Germanwiper campaign:

Further technical details are available in the analysis published by BleepingComputer.

Pierluigi Paganini

(SecurityAffairs – GermanWiper, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]