WARNING: FTCODE ransomware is now equipped with browser, email password stealing features

Nobody wants a smartphone plagued with some kind of virus, right?

There is hardly a smartphone today that is not packed with photos, videos, documents and even personal files. With everything (and by everything, we mean everything, including establishments) going mobile, all of it is just a click away.

So, imagine if your smartphone were carrying some kind of virus that secretly digs through your files and personal details.

Now, a recently discovered ransomware called FTCODE has evolved to include new features, and it is said to infect its victims via VBScript links in phishing emails.

FTCODE ransomware has evolved to include new capabilities


For some, FTCODE is not a new name in the business. It is simply making a comeback with even more dangerous capabilities, including information-stealing features that target browsers and email clients.

The Zscaler ThreatLabZ team, who say they were the first to discover the PowerShell-based malware, have detailed the latest changes in a blog post.

FTCODE downloaders observed in the Zscaler cloud (Office documents in red lines and VBScripts in yellow lines)

The latest version seen in the Zscaler cloud is version 1117.1, which contains code that steals personal credentials from Internet Explorer, Mozilla Firefox, Thunderbird, Google Chrome and Microsoft Outlook.

FTCODE technicalities


The question is: how does the FTCODE ransomware compromise its targets? This is how it works:

When a target clicks a VBScript link in the phishing email, the FTCODE PowerShell script is loaded.

“The script first downloads a decoy image into the %temp% folder and opens it trying to trick users into believing that they simply received an image, but in the background, it downloads and runs the ransomware,” explain Zscaler researchers and blog post authors Rajdeepsinh Dodia, Amandeep Kumar and Atinderpal Singh.

Even before turning to VBScript links, the ransomware’s distributors were sending out spam emails with attached documents containing malicious macros. Those macros infect the target as soon as the document is opened.
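A defender-side illustration of the delivery chain described above, added here and not taken from the Zscaler write-up or from the article: it walks a set of constructed Sysmon-style process, file and network events and flags a powershell.exe process that was launched by a script host, wrote an image into %temp%, and then connected out again. The event shapes, paths, PIDs and address are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (ev 1 = process create, 11 = file create,
# 3 = network connect). Not real telemetry; pid 400 follows the FTCODE pattern,
# pid 500 is ordinary PowerShell activity that must not be flagged.
SAMPLE_EVENTS = [
    {"ev": 1, "pid": 300, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"ev": 1, "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ev": 3, "pid": 400, "dest": "203.0.113.10:443"},   # fetches the decoy image
    {"ev": 11, "pid": 400, "target": r"C:\Users\bob\AppData\Local\Temp\photo.jpg"},
    {"ev": 3, "pid": 400, "dest": "203.0.113.10:443"},   # second download in the background
    {"ev": 1, "pid": 500, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ev": 11, "pid": 500, "target": r"C:\Users\bob\Documents\report.txt"},
    {"ev": 3, "pid": 500, "dest": "198.51.100.7:443"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# An image dropped directly into the user's %temp% directory.
TEMP_IMAGE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(jpe?g|png|gif|bmp)$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_ftcode_like_chains(events):
    """Return the PIDs of powershell.exe processes that, in order: were spawned by a
    script host, created an image file under %temp%, and then opened a network
    connection. Each PID advances through the stages independently."""
    image_of = {}
    stage = defaultdict(int)  # pid -> stages of the pattern completed so far
    hits = []
    for e in events:
        pid = e["pid"]
        if e["ev"] == 1:
            image_of[pid] = basename(e["image"])
            if image_of[pid] == "powershell.exe" and image_of.get(e["ppid"]) in SCRIPT_HOSTS:
                stage[pid] = 1
        elif e["ev"] == 11 and stage[pid] == 1 and TEMP_IMAGE.search(e["target"]):
            stage[pid] = 2
        elif e["ev"] == 3 and stage[pid] == 2:
            stage[pid] = 3
            hits.append(pid)
    return hits


if __name__ == "__main__":
    print("suspicious PIDs:", find_ftcode_like_chains(SAMPLE_EVENTS))
```

The first network connection by pid 400 is deliberately ignored: the rule only fires once the decoy image has been written and the process reaches out again, which is the part of the chain that distinguishes this behaviour from a script that merely downloads a picture.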

The FTCODE ransomware exploits its targets for phishing activities

In addition, the ransomware component searches drives that have at least 50KB of free space and targets a wide range of file types on them. According to the report, it uses AES encryption to scramble the affected files.

It then instructs its victims, in a ransom note, to download the Tor browser, open a specific link and follow the steps to pay up. If users are not careful, they could end up handing their financial details to scammers.

Protect your devices

Since the early days of computers and smartphones, viruses and ransomware like this have been widespread. Software that prevents or stops these attacks on our devices comes along from time to time, but there is no guarantee that the threats won’t keep coming back.

So, how do you protect your smartphones and computers from these kinds of attacks?

Invest in anti-virus apps and software. Mind you, they are not cheap, but they are worth every penny. Shelling out a few extra bucks for the safety of your files is a small price to pay, isn’t it?
