- See The Difference
- What is Zero Trust The strategy on which Zscaler was built
- How Zscaler Delivers Zero Trust A platform that enforces policy based on context
- Zero Trust Resources Learn its principles, benefits, strategies
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Customer Testimonials Hear first-hand transformation stories
- Case Studies Learn about pioneering Zscaler customers
- Analyst Recognition Industry experts weigh in on Zscaler
- See the Zscaler Cloud in Action Traffic processed, malware blocked, and more
- Experience the Difference Get started with zero trust
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Platform
- Platform Overview Unified platform for transformation
- Products Integrated services, infinitely scalable
![Zscaler transformation]( "Zscaler transformation")
Accelerate your transformation
Learn MoreProtect and empower your business by leveraging the platform, process and people skills to accelerate your zero trust initiatives
- Technologies Global proxy-based cloud architecture
- Capabilities Integrated services, infinitely scalable
![Gartner Report]( "Gartner Report")
Gartner Magic Quadrant Leader
Read the reportZscaler: The Only Leader in the 2020 Gartner Magic Quadrant for Secure Web Gateways
- Solutions
- Modern Workplace Enablement
- Security Transformation
- Infrastructure Modernization
- Industries & Partners
- Modern Workplace Enablement Overview Create fast, secure experiences for users everywhere
- Secure Work-from-anywhere Seamless access for the hybrid workforce
- Ensure great digital experiences Seamless access through fast, secure and reliable connectivity
![Zscaler workplace enablement]( "Zscaler workplace enablement")
Make hybrid work possible
Get startedSecure work from anywhere, protect data, and deliver the best experience possible for users
- Security Transformation Overview A modern cloud approach
- Prevent Cyberthreats Prevent phishing, ransomware, and other attacks
- Prevent Data Loss Protect data everywhere from exposure or theft
![Zscaler capabilities]( "Zscaler capabilities")
The World’s Most Effective Ransomware Protection
Get StartedRansomware is the biggest threat to digital business. Learn how to take a proactive, zero trust approach to safeguarding your enterprise
- Infrastructure Modernization Overview Enable the new world of cloud and mobility
- Simplify Branch Connectivity Simplify and secure direct-to-cloud connections
- Secure Cloud Connectivity Secure connectivity between clouds and workloads
![Zscaler infrastructure modernization]( "Zscaler infrastructure modernization")
Enable the Agile Branch
Watch NowYour network security is costing more than it’s worth. See how five companies drove simplicity, savings and security
- Industries Our ecosystem of zero trust partners
- Partner Integrations Simplified deployment and management
![Zscaler industry partners]( "Zscaler industry partners")
Secure your ServiceNow Deployment
Get StartedIt’s time to protect your ServiceNow data better and respond to security incidents quicker
- Resources
- Content Library Explore topics that will inform your journey
- Blog Perspectives from technology and transformation leaders
- Tools Training, demos and more
- CIO Library Essential resources for enterprise leaders
- Webinars and Demos A first-hand look into important topics
- Executive Insights App Security insights at your fingertips
![Zscaler resources]( "Zscaler resources")
- Security & Threat Analytics Threat dashboards, cloud activity, IoT, and more
- Security Advisories News about security events and protections
- Vulnerability Disclosure Program Webinars, training, demos, and more
- Trust Portal Zscaler cloud status and advisories
![Zscaler resources]( "Zscaler resources")
- The Cloud-First Architect Tools and best practices for the cloud
- CIO Insights Curated resources for technology leaders
- Zenith Community Discuss ideas and issues with peers
- CXO REvolutionaries Events, insights, and resources for CXOs
- Training and Certifications Ongoing programs via Zero Trust Academy
- Cloud Security Alliance Securing the cloud through best practices
- Events Upcoming opportunities to meet with Zscaler
![Zscaler resources]( "Zscaler resources")
- Company
- About Zscaler How it began, where it’s going
- Leadership Meet our management team
- Investor Relations News, stock information, and quarterly reports
- Customers Learn about their transformation journeys
- Compliance Our adherence to rigorous standards
- ESG Our Environmental, Social, and Governance approach
- Events Upcoming opportunities to meet with Zscaler
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler Careers
Apply NowJoin a recognized leader in Zero trust to help organization transform securely
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler Careers
Apply NowJoin a recognized leader in Zero trust to help organization transform securely
- Partner Portal Tools and resources for Zscaler partners
- Summit Partner Program Collaborating to ensure customer success
- System Integrators Helping joint customers become cloud-first companies
- Service Providers Delivering an integrated platform of services
- Technology Deep integrations simplify cloud migration
- Partner Inquiry Become a Zscaler partner
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler Careers
Apply NowJoin a recognized leader in Zero trust to help organization transform securely
Ransomware
FTCODE Ransomware — New Version Includes Stealing Capabilities
Recently, the Zscaler ThreatLabZ team came across PowerShell-based ransomware called “FTCODE,” which targets Italian-language users. An earlier version of FTCODE ransomware was being downloaded using a document file that contained malicious macros. In the recent campaign, the ransomware is being downloaded using VBScript.
Figure 1: FTCODE downloaders observed in the Zscaler cloud (Office documents in red and VBScripts in yellow)
The latest version we’ve seen in the Zscaler cloud contains version number 1117.1. We also came across this malware with version numbers from 1001.7 to 1117.1. In this blog, we’ll describe the infection method and its techniques for stealing credentials.
Technical details
Infection starts with spam emails containing malicious macro documents and, more recently, containing links to VBScripts that further download a PowerShell script known as FTCODE ransomware. Once a user executes the VBScript, it executes the PowerShell script shown in the screenshot below.
Figure 2: PowerShell script to download a decoy image and the ransomware
The script first downloads a decoy image into the %temp% folder and opens it trying to trick users into believing that they simply received an image, but in the background, it downloads and runs the ransomware.
Figure 3: Decoy image
The downloaded script is saved in %Public%\Libraries\WindowsIndexingService.vbs. The screenshot below displays the command-and-control (C&C) request for downloading the VBScript.
Figure 4: C&C communication request to download VBScript
Persistence
Further, the malware creates a shortcut file called windowsIndexingService.lnk in the victim’s startup folder, so it will execute at every reboot. The shortcut file executes the %Public%\Libraries\WindowsIndexingService.vbs. It also creates a scheduled task named WindowsApplicationService for executing the WindowsIndexingService.vbs file.
FTCODE checks if the file \%temp%\quanto00.tmp exists. If the file exists and was created more than 30 minutes ago, FTCODE will write the current time in the file; otherwise, it will exit the script. It also checks for the file %public%\OracleKit\w00log03.tmp that contains GUID; if it doesn’t find the file, it writes GUID into the file w00log03.tmp and changes the file attribute to hidden.
C&C communication
The malware sends information to its C&C as shown in the screenshot below.
Figure 5: Sending data to the C&C
- ver = 1117.1 version
- vid = vb5, specific campaign identifier
- guid = GUID
- ext = first 6 characters of newly generated GUID (Extension of encrypted file)
- r1 = base 64 encoded (base 64 encode(encrypted (8 character GUID + 42 random characters)); Base 64 encoded(encrypted((Random 23 + Random 11))))
The malware creates random characters and is encrypted using the RSA algorithm. The RSA key is hardcoded in the script. Those randomly generated strings are used to generate a password.
After getting a response from the server, the malware writes the current date-time into /%temp%/quanto00.tmp. If it doesn’t get any response, it will terminate itself. After that, it sends another post request to the C&C server with the &status=start parameter as shown below and starts the encryption process.
Figure 6: Sending status update to C&C
Encryption
The malware searches for all drives with at least 50kb of free space and starts encrypting the files with the extensions below.
Figure 7: Extension list for encryption
FTCODE generates a password using GUID and a random character set generated earlier. It uses Rijndael symmetric key encryption to encrypt the 40960 bytes of each of the above extension files. The initialization vector is based on 11 randomly generated characters.
Figure 8: Encryption code
After encrypting files, FTCODE appends the extension to the “first 6 characters of newly generated GUID” and drops the ransom note "READ_ME_NOW.htm" in the directory that contains the encrypted files. The personal ID in the ransom note is the newly generated GUID.
Figure 9: Ransom note
The earlier FTCODE version’s encryption key was generated based on a hardcoded string "BXCODE hack your system" and randomly generated key. The earlier version’s initialization vector was based on the hardcoded string "BXCODE INIT." The earlier version (1001.1) of FTCODE adds the .FTCODE extension after encryption. All versions use the same ransom note.
Stealer capability
The latest version of FTCODE added stealing functionality which was absent in earlier versions. It steals credentials from the browsers below as well as email clients.
- Internet Explorer
- Mozilla Firefox
- Mozilla Thunderbird
- Google Chrome
- Microsoft Outlook
Internet Explorer
The script steals the stored credentials from the Internet Explorer web browser and gets the history folder using $shell.NameSpace(34). It takes history details and decrypts the stored credentials from information in the registry HKCU:\Software\Microsoft\Internet Explorer\IntelliForms\Storage2. It also checks to see if the operating system is above Windows 7, then it fetches credentials from the vault as shown in the code below.
Figure 10: Code to steal credentials from vault
Mozilla Firefox and Mozilla Thunderbird
The script checks the below paths and fetches the credentials from the Mozilla Firefox browser and the Mozilla Thunderbird email client.
- SystemDrive\Program Files\Mozilla Firefox
- SystemDrive\Program Files\Mozilla Thunderbird
- SystemDrive\Program Files (x86)\Mozilla Firefox
- SystemDrive\Program Files (x86)\Mozilla Thunderbird
Google Chrome
The script steals credentials from the Google Chrome browser from the file \%UserProfile%\AppData\Local\Google\Chrome\User Data\*\Login Data.
Figure 11: Code to steal credentials from the Google Chrome browser
Microsoft Outlook
The script steals saved credentials by accessing the following registry key.
- HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*
- HKCU:\Software\Microsoft\Office\1[56].0\Outlook\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*
Next, it sends a post request with the guid=temp_1235266078&crederror=start chooseArch data to kind.its1ofakind[.]com. Further, it sends the stolen data to its C&C as shown in the below screenshot.
Figure 12: Sending stolen credentials to C&C
- guid = hardcoded in script
- cred = stolen credentials
The stolen credentials are in the below format. Username and password are Base64 encoded.
Format: {"URL":[{"Username":"Password"},{"Username":"Password"}]
Finally, after sending data, it sends a post request with guid=temp_1235266078&crederror=SUCCESS.
Conclusion
The FTCODE ransomware campaign is rapidly changing. Due to the scripting language it was written in, it offers multiple advantages to threat actors, enabling them to easily add or remove features or make tweaks much more easily than is possible with traditionally compiled malware. The Zscaler ThreatLabZ team continues to monitor this threat and others to ensure that Zscaler customers are protected.
IOCs:
Md5
- d597ea78067725ae05a3432a9088caae
- c8a214f432fc9d74c913c02e7918fc0
- f96253923e833362ecac97729d528f8c
- cc0f64afa3101809b549cc5630bbd948
- 328ce454698307f976baa909e5c646c7
- 71a8d8c0543a99b8791e1cfaeeeb9211
- f0aa45bb9dd09cfac9d93427a8f5c72c
- d6da191bfc5966dd4262376603d4e8c1
- cc5946ce893ff37ace8de210923467a2
- 7f5bb4529b95a872a916cc24b155c4cc
- edd5fbe846fa51f3b555185627d0d6c5
- a2e88f9486cc838eae038a8ba32352f3
- eab63ee2434417bc46466df07dc6b5b5
- fd46c05b99d00e11d34b93eae2c7ff2b
- 98d2221445c2c8528cef06e4ef3c9e36
URLs:
- luigicafagna[.]it
- home[.]southerntransitions[.]net
- nomi[.]tugnutz[.]com
- home[.]ktxhome[.]com
- dhol[.]rkeindustries[.]net
- way[.]securewebgateway[.]com
- stats[.]thomasmargiotti[.]com
- pups[.]pupusas[.]net
- print[.]impressnaples[.]com
- print[.]impress-screen-printing[.]com
- power[.]hagertyquote[.]com
- men[.]unifiedthreatmanagementutm[.]com
- kind[.]its1ofakind[.]com
- ese[.]emarv[.]com
- ehuxmtkxmdqy[.]top
- connect[.]simplebutmatters[.]com
- connect[.]heritageagencies[.]com
- ceco[.]heritageins[.]co
- cdn[.]danielrmurray[.]com
- bxfmmtkxmdqy[.]top
- biz[.]lotsofbiz[.]com
- amq1mtkxmdqy[.]top
- ahmwmtkxmdqy[.]top
- agvlmtkxmtq4[.]top
- agvlmtkxmdqy[.]top