FTCode, a PowerShell-based ransomware originally found in 2013 by researchers at Sophos, has recently resurfaced with an update. Because this ransomware is entirely script-based, no other components are required and no further downloads are made, which also makes it simple for the authors to push quick updates. FTCode is typically distributed through spam emails with attached Word documents disguised as document scans or invoices. These malicious Word documents drop JasperLoader, which in turn eventually drops FTCode. The new version of FTCode can also steal saved credentials from common web browsers (Google Chrome, Mozilla Firefox, Internet Explorer) and email clients (Microsoft Outlook, Mozilla Thunderbird). Once it has collected the credentials, FTCode sends them to a C2 server in a base64-encoded format.
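Two of the behaviours described above are observable on the defender's side: an Office document leading to PowerShell execution, and base64-encoded credential data posted to a C2 server. The toy detection logic below is an added example, not Binary Defense or Sophos code; the event field names are assumptions modelled loosely on Sysmon process-creation and web-proxy logs, the C2 host is a placeholder, and all sample records are constructed.

```python
import base64
import binascii
import re

# Constructed sample process-creation events (assumed Sysmon-like fields).
PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc <constructed>"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Constructed sample outbound proxy records; the first mimics a base64 exfil POST.
PROXY_EVENTS = [
    {"method": "POST", "host": "c2.example.invalid",
     "body": base64.b64encode(
         b"chrome|user@corp.example|Passw0rd!|https://mail.corp.example").decode()},
    {"method": "POST", "host": "updates.example.com",
     "body": "version=1.2.3&arch=x64"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# Application names the page lists as FTCode's credential sources.
CRED_MARKERS = re.compile(r"chrome|firefox|thunderbird|outlook|iexplore", re.I)

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def office_spawned_powershell(events):
    """Return process events where an Office app launches PowerShell (delivery stage)."""
    return [e for e in events
            if _basename(e["parent"]) in OFFICE_PARENTS
            and _basename(e["image"]) in ("powershell.exe", "pwsh.exe")]

def decode_base64_body(body):
    """Decode body if it is valid base64 yielding printable text; otherwise None."""
    if len(body) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return None
    try:
        text = base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def suspicious_exfil(events):
    """Return (host, decoded body) for POSTs whose base64 body names a credential source."""
    posts = [(e["host"], decode_base64_body(e["body"])) for e in events if e["method"] == "POST"]
    return [(h, d) for h, d in posts if d and CRED_MARKERS.search(d)]
```

On real telemetry the base64 check will also match benign encoded bodies, so the credential-source marker and the Office-to-PowerShell parent chain are what narrow the alert.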
How does Binary Defense help protect your organization? With best-in-breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.