Severity
High
Analysis Summary
The FTCode ransomware has been updated and now harvests credentials from browsers and email clients. Because it is written entirely in PowerShell, it can encrypt a victim's device without downloading additional components, and its developers can add new functionality with little effort.
The newly added info stealer functionality allows FTCode to harvest and exfiltrate the stored credentials before encrypting its victims’ files. Credentials stored in both web browsers (Internet Explorer, Mozilla Firefox, Google Chrome) and email clients (Mozilla Thunderbird and Microsoft Outlook) are stolen by FTCode.
FTCode reaches victims' computers through spam emails carrying malicious Word documents disguised as invoices, document scans, and resumes. The document drops the JasperLoader malware downloader, which then delivers FTCode to encrypt the device.
Impact
- Files Encryption
- Credential Theft
- Data Exfiltration
Indicators of Compromise
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
- Do not enable macros for files that are downloaded unintentionally.