FTCODE ransomware acquires info-stealing powers

The recently discovered ransomware FTCODE has evolved to include new information-stealing capabilities, and is now infecting victims via VBScript links in phishing emails.


Researchers from the Zscaler ThreatLabZ team, who say they first discovered the PowerShell-based malware, detailed the latest changes in a blog post late last week.


The new iteration, version 1117.1, contains code that steals credentials from Internet Explorer, Mozilla Firefox and Thunderbird, Google Chrome and Microsoft Outlook.


When a target clicks on a VBScript link within the phishing email, the FTCODE PowerShell script is loaded. “The script first downloads a decoy image into the %temp% folder and opens it trying to trick users into believing that they simply received an image, but in the background, it downloads and runs the ransomware,” explain Zscaler researchers and blog post authors Rajdeepsinh Dodia, Amandeep Kumar and Atinderpal Singh.


Prior to leveraging VBScript links, FTCODE’s distributors had been sending out spam emails with attached documents containing malicious macros that, when opened, infected the target.


The ransomware component works by searching drives with a m ..
