Ordinypt: Resurgence
#1
Bug 
Quote:
[Image: G_DATA_Blog_Ordinypt2019_Header.jpg]

Recently, the Ordinypt malware has seen a resurgence in the wild, disguised as fake job applications sent via email to human resource departments in German companies. The malware uses social engineering to infect the user’s files and trick them into paying cryptocurrency to restore the infected files.

An analysis by John Karlo Agon, Louis Sorita & Josemaria Grana

Ordinypt is a wiper disguised as ransomware. It deletes the user’s files and replaces them with files containing random data to make the remaining data look like it is encrypted. This means there is no way that files affected by the ransomware can be restored, even after paying the ransom. The malware was first seen in 2017, also targeting German companies and using the same social engineering technique. While the two variants have similarities, the newer version of the malware is different in terms of the extent of its damage to the user’s machine.

Initial attack vector

The fake job application sent to human resources via email, containing the malware attachment.

The first notable thing with Ordinypt is that it still uses a very similar approach to how it attempts to initially infect the victim’s computer. Ordinypt uses a phishing email that claims to be a job application with two attachments: a JPG photo of the fake applicant, and an archive which contains the file “Britta Ludwig – Bewerbung – Lebenslauf.pdf.exe” which poses as a PDF file based on its filename.

Upon execution of the file “Britta Ludwig – Bewerbung – Lebenslauf.pdf.exe”, the differences between the old and new versions of Ordinypt will become apparent. In the 2017 version, it will immediately attempt to run its payload. In the 2019 version however, it will first decrypt a PE file in its code and then create a new instance of itself. Following this, it will inject the decrypted PE into the new instance of itself. This is a commonly used technique to avoid analysis, making it harder to reverse engineer the malware and create signatures that will detect the file.

Targeted folders and files

In the new process it will create a random string with a length of 5 bytes. This random string will be used later as the extension name of the files it will drop. It will then check for the drives in the system by iterating from A:\ to Z:\, looking for certain drive types to infect which are either unknown, removable, fixed, or remote drives.

If a drive belongs to those drive types, Ordinypt will iterate all the files and directories inside the drive. Like what it has done to the drives, it will also look out for some criteria in the files and directories. It will skip certain directories based on folder name, with the differences in new and old versions of Ordinypt highlighted in the table on the right.

The main difference between the old and new version of Ordinypt is in the way in which files are targeted. While the 2017 version had a hard-coded target list of file extensions that it would infect, the 2019 version targets every file on the drive unless the file’s extension is included in a hard-coded exception list of file extensions. This means that the newer version of Ordinypt is more destructive, as it can infect more files. (To see the difference between the two versions, refer to the side-by-side comparison of the two at the end of this article.)
...
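A triage heuristic a responder could run against the behaviour described above: Ordinypt wipes files and renames them with one random 5-byte extension per run, so a cluster of files sharing an unknown 5-character extension whose contents are near-random is the on-disk trace to look for. This is an added example, not code from the post or the G DATA analysis; the entropy cutoff, the minimum cluster size, and the sample tree (extension q7kzp) are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter, defaultdict

# Two observable properties of a wiped file: a 5-character extension shared by
# many files in the same run, and contents at near-maximum entropy (~8 bits/byte).
ENTROPY_THRESHOLD = 7.5   # assumed cutoff; documents and most archives sit lower
MIN_CLUSTER = 3           # assumed: flag an extension only when several files share it

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_wiped_files(root: str, max_read: int = 65536) -> dict:
    """Return {extension: [paths]} for clusters of 5-char extensions with random content."""
    by_ext = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lstrip(".")
            if len(ext) != 5:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(max_read)   # a prefix is enough to judge randomness
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                by_ext[ext].append(path)
    return {ext: sorted(paths) for ext, paths in by_ext.items() if len(paths) >= MIN_CLUSTER}

def build_sample_tree() -> str:
    """Constructed sample: three wiped-looking files plus two benign ones."""
    root = tempfile.mkdtemp(prefix="ordinypt_triage_")
    for i in range(3):   # random bytes under a shared, made-up 5-char extension
        with open(os.path.join(root, f"invoice{i}.q7kzp"), "wb") as fh:
            fh.write(os.urandom(4096))
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly planning notes\n" * 100)
    with open(os.path.join(root, "readme.ascii"), "wb") as fh:   # 5-char ext, low entropy
        fh.write(b"plain text, not a wiped file\n" * 50)
    return root

if __name__ == "__main__":
    for ext, paths in find_wiped_files(build_sample_tree()).items():
        print(f"suspect extension .{ext}: {len(paths)} files")
```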