
January 21, 2020

Fileless ransomware FTCODE now steals credentials

In 2013, SophosLabs reported infections by ransomware written in PowerShell. The attack targeted users in Russia. The ransomware encrypted files and renamed them with the extension .FTCODE, which gave the malware its name. It arrived as spam with an HTA file attached. The ransom demand took the form of a text file with a message in Russian instructing the victim how to pay the ransom and decrypt the files.

A few years later, in autumn 2019, new reports of FTCODE infections appeared. The attackers ran a phishing campaign targeting recipients of PEC certified email in Italy and other countries. Victims received emails with attachments containing macros that downloaded malicious code. Apart from encrypting files, the ransomware also installed JasperLoader, a Trojan downloader, on victims' computers. This Trojan can be used to distribute various types of malware; for example, in some cases the attackers used it to download the Gootkit banking Trojan onto victims' computers.

In mid-October 2019, a new version of the ransomware appeared that is capable of stealing passwords and credentials from users' computers. The data is retrieved from popular browsers and mail clients installed with default settings.

PowerShell is often used to develop malware, because the interpreter is included with Windows 7 and later. PowerShell also allows malicious code to run without being saved to a file on the victim's computer. A webinar on such threats is available on the Positive Technologies website.

Payload delivery

First, the attackers run the script nuove_tariffe_2020_8_af11773ee02ec47fd5291895f25948e7.vbs, which launches the PowerShell interpreter.

Figure 1. Downloading payload
The interpreter receives a string of commands that downloads the image hxxps://static[.]nexilia[.]it/nextquotidiano/2019/01/autostrade-aumenti-tariffe-2019[.]jpg (Figure 2) and saves it as tarrife.jpg in the temporary files folder.

Figure 2. Image tarrife.jpg used to distract user's attention
The image is then opened and, at the same time, the ransomware is downloaded from the Internet without being saved to disk. Unlike in previous infections, the malware body is delivered Base64-encoded. To deliver the payload, the attackers use the domains band[.]positivelifeology[.]com (Figure 3) and mobi[.]confessyoursins[.]mobi.

Figure 3. Traffic fragment with ransomware code

Stealing user credentials

As already noted, the new ransomware version has a module for stealing user credentials and passwords from popular browsers and mail clients: Internet Explorer, Mozilla Firefox, Chrome, Outlook, and Mozilla Thunderbird.

First, the command start chooseArch is sent by HTTP POST request to the attackers' server at the domain surv[.]surviveandthriveparenting[.]com.

Figure 4. 
At this stage, the generated traffic usually contains a string of the form guid=temp_dddddddddd followed by commands or stolen data (Figure 5). The string contains a guid that is unique to each ransomware sample.

Figure 5. Code used by the stealer for network exchange
Next, the victim's credentials and passwords are extracted, Base64-encoded, and sent to the attackers.

Figure 6. Code for transferring user credentials
Below is a fragment of traffic with stolen data sent via an HTTP POST request.

Figure 7. Stolen data
Once the stolen data has been sent, the stealer sends an HTTP POST request signaling that it has completed its work.

Figure 8. Signal about successful data theft


Installation of the JasperLoader downloader

The new ransomware version downloads and installs the JasperLoader downloader (Figure 9), which can be used to distribute other malware.

Figure 9. Traffic fragment with code JasperLoader
Once downloaded, JasperLoader is saved to the file C:\Users\Public\Libraries\WindowsIndexingService.vbs, registered as a Windows scheduled task named WindowsApplicationService, and added to the startup folder via WindowsApplicationService.lnk.

Figure 10. Installation of the downloader

Data encryption

In addition to stealing user credentials and installing the downloader, FTCODE encrypts files on a victim's computer.

The first step is to prepare the environment. The ransomware uses the file C:\Users\Public\OracleKit\quanto00.tmp to record the time of its last run, so it first checks whether the file is present on the system and when it was created. If the file is present and was created within the last 30 minutes, the process exits (Figure 11). This check can be used as a vaccine.

Figure 11. Checking the period of time after the last running of the ransomware
After that, an identifier is read from the file C:\Users\Public\OracleKit\w00log03.tmp, or a new one is created if the file does not exist.

Figure 12. Preparing victim's identifier


Figure 13. Victim's identifier
Then the ransomware generates key information needed to encrypt the files.

Figure 14. Generation of key information for encryption
As can be seen in the code, the information needed to restore the victim's data is sent via an HTTP POST request to the host at the domain food[.]kkphd[.]com.

Figure 15. Sending key information for encryption/decryption
Therefore, if one manages to intercept the traffic containing the salt used for file encryption, the files can be restored without paying the ransom.

Figure 16. Intercepted key information
To encrypt victims' files, the ransomware uses the Rijndael algorithm in CBC mode, with an initialization vector derived from the string BXCODE INIT and a key derived from the password "BXCODE hack your system" and the previously generated salt.

Figure 17. Encryption function
Right before encryption starts, a "start" signal is sent via an HTTP POST request. If a file exceeds the size limit of 40,960 bytes, the file size is reduced accordingly. An extension is added to encrypted files, but not .FTCODE as in previous versions of the ransomware: instead, the randomly generated extension sent earlier to the attackers' server as the value of the ext parameter is used.

Figure 18. Encrypted files
After that, an HTTP POST request is sent containing the signal "done" and the number of encrypted files.

Figure 19. Ransomware main code
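The beacon pattern (guid=temp_…) and the key-material POSTs described above can be turned into a detector for stored HTTP traffic that also preserves the salt and extension needed for recovery. The following Python is an added example, not code from this write-up or from PT NAD; the ten-digit guid format, the parameter names cmd and done, and the sample POST bodies are assumptions, while guid, ext, salt and the C2 domains come from the text.

```python
import re
from urllib.parse import parse_qs

# Beacon marker from the write-up: "guid=temp_" followed by ten characters,
# assumed here to be decimal digits; the value is unique per sample.
GUID_RE = re.compile(r"guid=(temp_\d{10})")

# Constructed sample traffic as (host, POST body). The parameter names "guid",
# "ext" and "salt" come from the write-up; "cmd" and "done" are assumptions
# about how the start/done signals are carried.
SAMPLE_POSTS = [
    ("surv.surviveandthriveparenting.com", "guid=temp_1234567890&cmd=start+chooseArch"),
    ("food.kkphd.com", "guid=temp_1234567890&ext=k9d2x&salt=8f3a1c9e5b7d"),
    ("update.example.test", "id=42&action=ping"),
    ("food.kkphd.com", "guid=temp_1234567890&done=17"),
]

def inspect_post(host, body):
    """Return a finding for an FTCODE-style POST, or None for unrelated traffic."""
    m = GUID_RE.search(body)
    if not m:
        return None
    params = parse_qs(body, keep_blank_values=True)
    finding = {"host": host, "guid": m.group(1)}
    if "chooseArch" in body:
        finding["stage"] = "stealer-start"
    elif "salt" in params or "ext" in params:
        finding["stage"] = "key-exfil"
    elif "done" in params:
        finding["stage"] = "encryption-done"
    else:
        finding["stage"] = "beacon"
    # Salt and extension are posted before encryption starts; keeping them
    # from stored traffic is what makes file recovery possible.
    for key in ("salt", "ext"):
        if key in params:
            finding[key] = params[key][0]
    return finding

def scan(posts):
    """Run inspect_post over captured (host, body) pairs, dropping non-matches."""
    return [f for f in (inspect_post(h, b) for h, b in posts) if f]

def recovery_material(findings):
    """Map each guid to the salt/ext pair seen in its key-exfil POST."""
    out = {}
    for f in findings:
        if f["stage"] == "key-exfil":
            out.setdefault(f["guid"], {}).update(
                {k: f[k] for k in ("salt", "ext") if k in f})
    return out
```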
Full list of extensions of files encrypted on the victim's computer:

"*.sql" "*.mp4" "*.7z" "*.rar" "*.m4a" "*.wma"
"*.avi" "*.wmv" "*.csv" "*.d3dbsp" "*.zip" "*.sie"
"*.sum" "*.ibank" "*.t13" "*.t12" "*.qdf" "*.gdb"
"*.tax" "*.pkpass" "*.bc6" "*.bc7" "*.bkp" "*.qic"
"*.bkf" "*.sidn" "*.sidd" "*.mddata" "*.itl" "*.itdb"
"*.icxs" "*.hvpl" "*.hplg" "*.hkdb" "*.mdbackup" "*.syncdb"
"*.gho" "*.cas" "*.svg" "*.map" "*.wmo" "*.itm"
"*.sb" "*.fos" "*.mov" "*.vdf" "*.ztmp" "*.sis"
"*.sid" "*.ncf" "*.menu" "*.layout" "*.dmp" "*.blob"
"*.esm" "*.vcf" "*.vtf" "*.dazip" "*.fpk" "*.mlx"
"*.kf" "*.iwd" "*.vpk" "*.tor" "*.psk" "*.rim"
"*.w3x" "*.fsh" "*.ntl" "*.arch00" "*.lvl" "*.snx"
"*.cfr" "*.ff" "*.vpp_pc" "*.lrf" "*.m2" "*.mcmeta"
"*.vfs0" "*.mpqge" "*.kdb" "*.db0" "*.dba" "*.rofl"
"*.hkx" "*.bar" "*.upk" "*.das" "*.iwi" "*.litemod"
"*.asset" "*.forge" "*.ltx" "*.bsa" "*.apk" "*.re4"
"*.sav" "*.lbf" "*.slm" "*.bik" "*.epk" "*.rgss3a"
"*.pak" "*.big" "*wallet" "*.wotreplay" "*.xxx" "*.desc"
"*.py" "*.m3u" "*.flv" "*.js" "*.css" "*.rb"
"*.png" "*.jpeg" "*.txt" "*.p7c" "*.p7b" "*.p12"
"*.pfx" "*.pem" "*.crt" "*.cer" "*.der" "*.x3f"
"*.srw" "*.pef" "*.ptx" "*.r3d" "*.rw2" "*.rwl"
"*.raw" "*.raf" "*.orf" "*.nrw" "*.mrwref" "*.mef"
"*.erf" "*.kdc" "*.dcr" "*.cr2" "*.crw" "*.bay"
"*.sr2" "*.srf" "*.arw" "*.3fr" "*.dng" "*.jpe"
"*.jpg" "*.cdr" "*.indd" "*.ai" "*.eps" "*.pdf"
"*.pdd" "*.psd" "*.dbf" "*.mdf" "*.wb2" "*.rtf"
"*.wpd" "*.dxg" "*.xf" "*.dwg" "*.pst" "*.accdb"
"*.mdb" "*.pptm" "*.pptx" "*.ppt" "*.xlk" "*.xlsb"
"*.xlsm" "*.xlsx" "*.xls" "*.wps" "*.docm" "*.docx"
"*.doc" "*.odb" "*.odc" "*.odm" "*.odp" "*.ods"
"*.odt"

Once the files are encrypted, a file named READ_ME_NOW.htm is created on the victim's computer. It instructs the victim on what to do to restore the files.

Figure 20. Attacker message to a victim
Each victim receives a unique link containing the identifier from the file C:\Users\Public\OracleKit\w00log03.tmp. If that file is damaged or deleted, there is a risk that the encrypted data can never be restored. The link leads to a page, accessible through the Tor Browser, with a form containing the ransom demand for decrypting the files. The initial ransom amount is 500 US dollars, but it increases over time.

Figure 21. Ransom demand

End of work

Once the files are encrypted, FTCODE removes data that can be used to restore the files.

Figure 22. Removal of data

Conclusion

The malware consists of a downloader (VBS code) and a payload (PowerShell code). A JPEG image is used to mask the encryption. The ransomware installs the well-known JasperLoader downloader, encrypts the victim's files to extort a ransom, and steals credentials and passwords from popular browsers and mail clients.

The threat is identified by PT Network Attack Discovery (PT NAD) as FTCODE.

PT NAD also stores network traffic, which can help decrypt the files of a ransomware victim.

Author: Dmitry Makarov, Positive Technologies

IOCs

6bac6d1650d79c19d2326719950017a8
bf4b8926c121c228aff646b258a4541e
band[.]positivelifeology[.]com
mobi[.]confessyoursins[.]mobi
surv[.]surviveandthriveparenting[.]com
food[.]kkphd[.]com
