FTCode, a PowerShell-based ransomware originally found in 2013 by researchers at Sophos has recently resurfaced with an update. Because this ransomware is entirely script-based, no other components are required, and no further downloads are made. This also makes it simple for authors to make quick updates. FTCode is typically distributed through spam emails with attached Word documents disguised as document scans or invoices. These malicious Word documents will then drop the JasperLoader, which in turn eventually drops FTCode. The new version of FTCode now allows it to steal saved credentials from the typical web browsers (Google Chrome, Mozilla Firefox, Internet Explorer) and email clients (Microsoft Outlook, Mozilla Thunderbird). After it finds the credentials, FTCode sends them to a C2 server in a base64 encoded format.
Analyst Notes
When responding to a ransomware incident, it is wise to also change all the passwords for employees who used the affected computers, to prevent the attacker from abusing stolen credentials to cause more damage. Always keep anti-virus solutions up to date. When deploying security solutions for the enterprise, consider using an EDR (endpoint detection and response) solution side-by-side with AV products. Utilizing an EDR solution or an MDR (managed detection and response) can detect advanced threats using Windows system binaries and scripts that aren’t detected by anti-virus, and quickly respond to stop the threats before they spread too far. Many forms of ransomware also seek out network attached drives when encrypting files; backups should be done periodically and stored offline in a secure location. PowerShell scripts like this can be logged by enabling PowerShell module logging, script block logging, and transcription through Group Policy. FireEye has a great guide on how to enable this and how to deal with the required space at https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html. Luckily, FTCode also ships with a kill switch. If the file “C:UsersPublicOracleKitw00log03.tmp” exists on the victim’s machine, FTCode will exit before encrypting any files.
Source: https://www.bleepingcomputer.com/news/security/ftcode-ransomware-now-steals-saved-login-credentials/
