FTCode is a type of ransomware that spreads itself via spam emails, and is able to execute its PowerShell-based malicious payload in memory only, without downloading any files to disk.
It was first seen in the wild in 2013, but is now a much more serious network threat because most current Windows workstations have PowerShell installed by default.
What is FTCode?
FTCode is a strain of ransomware, designed to encrypt data and force victims to pay a ransom to release it.
It is fully written in PowerShell, meaning that it can encrypt files on a Windows device without downloading any other components.
FTCode loads its executable code only into memory, without saving it to disk, to prevent detection by antivirus.
The first appearance of FTCode was probably in 2013, and it was originally identified by Sophos. However, at the time it did not pose a serious risk because PowerShell is only installed by default from Windows 7 onwards.
Today almost all Windows machines have at least Windows 7, and so PowerShell-based malware like FTCode poses a much bigger risk.
The FTCode ransomware is primarily distributed via spam emails containing an infected Word template in Italian.
The user needs to open the attachment and disable Protected View mode, and then a malicious macro executes which runs FTCode PowerShell code.
How does the FTCode malware work?
Once a user is tricked into opening the infected Word template, and the malicious macro executes, the following steps occur.
This discussion is based on research from Certego and represents the behavior of version 930.5 of the malware, future versions may exhibit different behavior.
The macro triggers the DownloadString function, which loads the PowerShell code into memory, without saving it to disk. It uses the PowerShell iex (invoke expression) command to execute the malicious code.
FTCode is now running, it performs a GET request to download JasperLoader, a backdoor that will download additional payloads. JasperLoader is a Visual Basic script that is saved to C:\Users\Public\Libraries\WindowsIndexingService.vbs.
It creates a shortcut file called WindowsIndexingService.lnk in the user’s startup folder, and creates a scheduled task called WindowsApplicationService, in order to run the shortcut after every reboot.
When the shortcut runs, it first checks for the presence of files with extension .FTCode, and if they are present, it assumes the computer has already been attacked, and exits.
This creates a way to prevent FTCode from executing—creating a few files with .FTCode extension somewhere on the machine, with any content.
It generates a globally unique identifier and a password with 50 characters including at least four non-alphanumeric characters.
A hardcoded RSA public key is used to encrypt the password, and it can be deciphered only with the attacker’s private key. However, when communicating with the command and control server, FTCode sends an unencrypted version of the password in base64 encoding.
This means that in current variants of FTCode, monitoring communication with the attacker’s server can yield the password that can decode the user’s encrypted files.
How FTCode performs
FTCode performs a POST request to its server and transmits the version number, PowerShell version, the victim’s unique ID and the password encoded in base64.
It runs the following PowerShell commands that prevent the user from restoring their encrypted files:
bcdedit /set exgdccaxjz bootstatuspolicy ignoreallfailures
bcdedit /set exgdccaxjz recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete backup
vssadmin delete shadows /all /quiet
It checks for active disk drives and looks for files with common extensions like .mp4, .wav, .csv, .xls, etc. FTCode starts by encrypting the first bytes of each file using Rijndael symmetric key encryption, and appends the extension .FTCode.
FTCode now creates the ransom note as a file named READ_ME_NOW.htm in all folders that contain encrypted files.