
FTCODE ransomware is now armed with browser, email password stealing features

Cyber security | BCyber | January 22, 2020


FTCODE ransomware is back with a fresh set of information-stealing capabilities targeting browsers and email services. 

First spotted back in 2013 by Sophos, the malware — believed to be the handiwork of Russian threat groups — piqued researcher interest due to its reliance on PowerShell, a Microsoft scripting language designed for task automation and network management.

The ransomware has previously targeted Russian-speaking users, but since its inception, operators of the malware have expanded their horizons to include victims who speak other languages.


In October 2019, the ransomware was linked to phishing and email campaigns targeting Italian users through documents containing malicious macros, a common way for cyberattackers to deploy exploit kits.

According to Zscaler ThreatLabZ researchers Rajdeepsinh Dodia, Amandeep Kumar, and Atinderpal Singh, the malware is now being downloaded via VBScript, but is still based on PowerShell.

“The FTCODE ransomware campaign is rapidly changing,” the team says. “Due to the scripting language it was written in, it offers multiple advantages to threat actors, enabling them to easily add or remove features or make tweaks much more easily than is possible with traditionally compiled malware.”

What appears to be the latest version of the malware, 1117.1, lands on infected machines through the same attack vector — documents containing macros. However, these macros contain links to VBScripts that deploy the PowerShell-based FTCODE, disguised as a decoy .JPEG image file that lands in the Windows %temp% folder. 

In many respects, FTCODE acts as typical ransomware. Basic system information is harvested and sent to a waiting command-and-control (C2) server, and persistence is secured through a shortcut file in the startup folder that executes on reboot. 
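As an added illustration of the delivery chain and persistence mechanism described above (this is not code from the page or from the Zscaler report), the following Python flags the observable steps in constructed Sysmon-style process-creation records: an Office application launching a script host, a script host launching PowerShell, PowerShell executing a file under %temp% that carries an image extension, and a command line that drops a shortcut into the Startup folder. The field names, paths and file names in the sample are assumptions.

```python
import json
import re

# Constructed Sysmon-style process-creation events (not real telemetry): one JSON
# record per line with the parent image, the child image and its command line.
SAMPLE_EVENTS = r"""
{"pid": 4101, "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\wscript.exe", "cmd": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.vbs"}
{"pid": 4102, "parent": "C:\\Windows\\System32\\wscript.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -ep bypass -w hidden -file C:\\Users\\alice\\AppData\\Local\\Temp\\photo.jpeg"}
{"pid": 4103, "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -file C:\\Scripts\\backup.ps1"}
{"pid": 4104, "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmd": "WINWORD.EXE /n report.docx"}
{"pid": 4105, "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c copy C:\\Users\\alice\\AppData\\Local\\Temp\\run.lnk \"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.lnk\""}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# A script path under a Temp directory that carries an image extension (decoy .JPEG)
DECOY_IMAGE_RE = re.compile(r"\\temp\\[^\s\"']+\.jpe?g\b", re.IGNORECASE)
# A .lnk being placed in the per-user Startup folder (runs on every logon)
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\s\"']+\.lnk", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the detection tags that one process-creation event triggers."""
    tags = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmd"]
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        tags.append("office-spawns-script-host")
    if image in POWERSHELL and DECOY_IMAGE_RE.search(cmd):
        tags.append("powershell-runs-temp-image-file")
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        tags.append("script-host-spawns-powershell")
    if STARTUP_LNK_RE.search(cmd):
        tags.append("startup-folder-shortcut")
    return tags


def scan(lines):
    """Parse JSON lines and return {pid: tags} for every event that matched."""
    hits = {}
    for line in filter(str.strip, lines.splitlines()):
        event = json.loads(line)
        tags = classify(event)
        if tags:
            hits[event["pid"]] = tags
    return hits
```

Each tag on its own is noisy in a real environment (administrators do run PowerShell from script hosts); the value is in correlating them across a short time window on the same host, which `scan` leaves to the caller.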

FTCODE will then scan the infected system for drives with at least 50 KB of free space and begin encrypting files with extensions including .das, .rar, .avi, .epk, and .docx. A ransom note is then posted. Positive Technologies says the initial request is $500 but increases over time.

The latest version of the malware is also able to steal browser and email credentials, a significant update on past iterations. 

Internet Explorer, Mozilla Firefox, and Google Chrome browser information, alongside Microsoft Outlook and Mozilla Thunderbird email credentials, can be stolen and sent to the malware’s operators via the C2. 

Stolen data is base64-encoded (an encoding, not encryption) and sent via an HTTP POST request, as noted by Positive Technologies.

The researchers add in their report that the ransomware may also install the JasperLoader downloader, which can be used to deploy additional malicious payloads. 

In related news, on Tuesday, Safebreach Labs reported the conclusion of an investigation into how ransomware could exploit the Microsoft Windows Encrypting File System (EFS) to encrypt and lock up PCs.

After developing a concept malware variant and successfully creating workable attacks, the researchers tested their ransomware against three popular forms of antivirus software, all of which failed to stop the threat. In total, 17 cybersecurity vendors received Proof-of-Concept (PoC) reports, the majority of which have now pushed out proactive software updates before such an attack is used in the wild. 


Written by: BCyber
