January 21, 2020

Fileless ransomware FTCODE now steals credentials

In 2013, SophosLabs announced infections by a ransomware written in PowerShell. The attack targeted users from Russia. The ransomware encrypted files and renamed them with an extension .FTCODE, whence the name of the virus. The malware arrived as spam containing an HTA file attachment. The ransom demand took the form of a text file with a message in Russian instructing the victim on how to pay the ransom and decode the files.

A few years later, in autumn 2019, new mentions of FTCODE infections appeared. Hackers ran a phishing campaign targeting recipients of PEC certified emails in Italy and other countries. Victims received emails with attachments containing macros that downloaded malicious code. Apart from encryption, the ransomware also installed JasperLoader, a Trojan downloader, on victims' computers. This Trojan can be used to distribute various types of malware. For example, there have been cases when attackers downloaded the Gootkit banking Trojan onto victims' computers.

In mid-October 2019, a new version of the ransomware appeared capable of stealing passwords and credentials from users' computers. The data is retrieved from popular browsers and mail clients installed with default parameters.

PowerShell is often used to develop malware, because the interpreter of this language is included with Windows 7 and later. PowerShell also allows running a malicious code without saving it to a file on a victim's computer. The webinar on such threats is available at the Positive Technologies website.