Recently, the Zscaler ThreatLabZ team came across PowerShell-based ransomware called “FTCODE,” which targets Italian-language users. An earlier version of FTCODE ransomware was being downloaded using a document file that contained malicious macros. In the recent campaign, the ransomware is being downloaded using VBScript.
Figure 1: FTCODE downloaders observed in the Zscaler cloud (Office documents in red and VBScripts in yellow)
The latest version we’ve seen in the Zscaler cloud contains version number 1117.1. We also came across this malware with version numbers from 1001.7 to 1117.1. In this blog, we’ll describe the infection method and its techniques for stealing credentials.
Technical details
Infection starts with spam emails containing malicious macro documents and, more recently, containing links to VBScripts that further download a PowerShell script known as FTCODE ransomware. Once a user executes the VBScript, it executes the PowerShell script shown in the screenshot below.
Figure 2: PowerShell script to download a decoy image and the ransomware
The script first downloads a decoy image into the %temp% folder and opens it trying to trick users into believing that they simply received an image, but in the background, it downloads and runs the ransomware.
Figure 3: Decoy image
The downloaded script is saved in %Public%\Libraries\WindowsIndexingService.vbs. The screenshot below displays the command-and-control (C&C) request for downloading the VBScript.
Figure 4: C&C communication request to download VBScript
Persistence
Further, the malware creates a shortcut file called windowsIndexingService.lnk in the victim’s startup folder, so it will execute at every reboot. The shortcut file executes the %Public%\Libraries\WindowsIndexingService.vbs. It also creates a scheduled task named WindowsApplicationService for executing the WindowsIndexingService.vbs file.
FTCODE checks if the file \%temp%\quanto00.tmp exists. If the file exists and was created more than 30 minutes ago, FTCODE will write the current time in the file; otherwise, it will exit the script. It also checks for the file %public%\OracleKit\w00log03.tmp that contains GUID; if it doesn’t find the file, it writes GUID into the file w00log03.tmp and changes the file attribute to hidden.
C&C communication
The malware sends information to its C&C as shown in the screenshot below.
Figure 5: Sending data to the C&C
ver = 1117.1 version
vid = vb5, specific campaign identifier
guid = GUID
ext = first 6 characters of newly generated GUID (Extension of encrypted file)
r1 = base 64 encoded (base 64 encode(encrypted (8 character GUID + 42 random characters)); Base 64 encoded(encrypted((Random 23 + Random 11))))
The malware creates random characters and is encrypted using the RSA algorithm. The RSA key is hardcoded in the script. Those randomly generated strings are used to generate a password.
After getting a response from the server, the malware writes the current date-time into /%temp%/quanto00.tmp. If it doesn’t get any response, it will terminate itself. After that, it sends another post request to the C&C server with the &status=start parameter as shown below and starts the encryption process.
Figure 6: Sending status update to C&C
Encryption
The malware searches for all drives with at least 50kb of free space and starts encrypting the files with the extensions below.
Figure 7: Extension list for encryption
FTCODE generates a password using GUID and a random character set generated earlier. It uses Rijndael symmetric key encryption to encrypt the 40960 bytes of each of the above extension files. The initialization vector is based on 11 randomly generated characters.
Figure 8: Encryption code
After encrypting files, FTCODE appends the extension to the “first 6 characters of newly generated GUID” and drops the ransom note "READ_ME_NOW.htm" in the directory that contains the encrypted files. The personal ID in the ransom note is the newly generated GUID.
Figure 9: Ransom note
The earlier FTCODE version’s encryption key was generated based on a hardcoded string "BXCODE hack your system" and randomly generated key. The earlier version’s initialization vector was based on the hardcoded string "BXCODE INIT." The earlier version (1001.1) of FTCODE adds the .FTCODE extension after encryption. All versions use the same ransom note.
Stealer capability
The latest version of FTCODE added stealing functionality which was absent in earlier versions. It steals credentials from the browsers below as well as email clients.
Internet Explorer
Mozilla Firefox
Mozilla Thunderbird
Google Chrome
Microsoft Outlook
Internet Explorer
The script steals the stored credentials from the Internet Explorer web browser and gets the history folder using $shell.NameSpace(34). It takes history details and decrypts the stored credentials from information in the registry HKCU:\Software\Microsoft\Internet Explorer\IntelliForms\Storage2. It also checks to see if the operating system is above Windows 7, then it fetches credentials from the vault as shown in the code below.
Figure 10: Code to steal credentials from vault
Mozilla Firefox and Mozilla Thunderbird
The script checks the below paths and fetches the credentials from the Mozilla Firefox browser and the Mozilla Thunderbird email client.
SystemDrive\Program Files\Mozilla Firefox
SystemDrive\Program Files\Mozilla Thunderbird
SystemDrive\Program Files (x86)\Mozilla Firefox
SystemDrive\Program Files (x86)\Mozilla Thunderbird
Google Chrome
The script steals credentials from the Google Chrome browser from the file \%UserProfile%\AppData\Local\Google\Chrome\User Data\*\Login Data.
Figure 11: Code to steal credentials from the Google Chrome browser
Microsoft Outlook
The script steals saved credentials by accessing the following registry key.
HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*
HKCU:\Software\Microsoft\Office\1[56].0\Outlook\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*
Next, it sends a post request with the guid=temp_1235266078&crederror=start chooseArch data to kind.its1ofakind[.]com. Further, it sends the stolen data to its C&C as shown in the below screenshot.
Figure 12: Sending stolen credentials to C&C
guid = hardcoded in script
cred = stolen credentials
The stolen credentials are in the below format. Username and password are Base64 encoded.
Format: {"URL":[{"Username":"Password"},{"Username":"Password"}]
Finally, after sending data, it sends a post request with guid=temp_1235266078&crederror=SUCCESS.
Conclusion
The FTCODE ransomware campaign is rapidly changing. Due to the scripting language it was written in, it offers multiple advantages to threat actors, enabling them to easily add or remove features or make tweaks much more easily than is possible with traditionally compiled malware. The Zscaler ThreatLabZ team continues to monitor this threat and others to ensure that Zscaler customers are protected.
IOCs:
Md5
d597ea78067725ae05a3432a9088caae
c8a214f432fc9d74c913c02e7918fc0
f96253923e833362ecac97729d528f8c
cc0f64afa3101809b549cc5630bbd948
328ce454698307f976baa909e5c646c7
71a8d8c0543a99b8791e1cfaeeeb9211
f0aa45bb9dd09cfac9d93427a8f5c72c
d6da191bfc5966dd4262376603d4e8c1
cc5946ce893ff37ace8de210923467a2
7f5bb4529b95a872a916cc24b155c4cc
edd5fbe846fa51f3b555185627d0d6c5
a2e88f9486cc838eae038a8ba32352f3
eab63ee2434417bc46466df07dc6b5b5
fd46c05b99d00e11d34b93eae2c7ff2b
98d2221445c2c8528cef06e4ef3c9e36
URLs:
luigicafagna[.]it
audownload[.]windowsupdate[.]nsatc[.]net
lgin[.]msa[.]trafficmanager[.]net
home[.]southerntransitions[.]net
vs[.]login[.]msa[.]akadns6[.]net
nomi[.]tugnutz[.]com
login[.]msa[.]akadns6[.]net
home[.]ktxhome[.]com
dhol[.]rkeindustries[.]net
way[.]securewebgateway[.]com
stats[.]thomasmargiotti[.]com
pups[.]pupusas[.]net
print[.]impressnaples[.]com
print[.]impress-screen-printing[.]com
power[.]hagertyquote[.]com
men[.]unifiedthreatmanagementutm[.]com
kind[.]its1ofakind[.]com
ese[.]emarv[.]com
ehuxmtkxmdqy[.]top
connect[.]simplebutmatters[.]com
connect[.]heritageagencies[.]com
ceco[.]heritageins[.]co
cdn[.]danielrmurray[.]com
bxfmmtkxmdqy[.]top
biz[.]lotsofbiz[.]com
amq1mtkxmdqy[.]top
ahmwmtkxmdqy[.]top
agvlmtkxmtq4[.]top
agvlmtkxmdqy[.]top
↧