A new spam campaign is underway that pretends to be a job application from "Eva Richter" who is sending her photo and resume. This resume, though, is actually an executable masquerading as a PDF file that destroys a victim's files by installing the Ordinypt Wiper.
Ordinypt is a destructive malware commonly targeted at German people that pretends to be ransomware that encrypts your files and then demands victim's pay a ransom to get their files back. Unfortunately, even if a user pays the ransom, the files have been overwritten with garbage and cannot be decrypted.
From the samples and ransom notes seen by BleepingComputer, this campaign appears to have started around September 11th, 2019.
Fake 'Eva Richter' job application
This campaign is currently targeting German speaking victims and pretending to be a job application from a person named "Eva Richter". These emails will have a subject line of "Bewerbung via Arbeitsagentur - Eva Richter".
The spam emails contain a stock photo image of a woman, who is supposed to be our job applicant, and a zip file named "Eva Richter Bewerbung und Lebenslauf.zip" that pretends to be her resume.
Spam Email
The text of this spam email in German is:
Sehr geehrte Damen und Herren, hiermit bewerbe mich auf die von Ihnen bei der Arbeitsagentur angebotene Stelle. Das von Ihnen beschriebene Tätigkeitsfeld entspricht in besonderem Maße meinen beruflichen Perspektiven. Meine Bewerbungsunterlagen finden Sie im Anhang. Über eine Einladung zu einem persönlichen Vorstellungsgespräch würde ich mich sehr freuen. Mit freundlichen Grüßen, Eva Richter
This translates to English as the following:
Dear Sirs and Madames, I hereby apply for the position offered by you at the Employment Agency. The field of ..
Support the originator by clicking the read the rest link below.
