Rewterz

Rewterz Threat Alert – Iranian APT Group “MuddyWater” Resurfaces

January 20, 2020
Rewterz

Rewterz Threat Alert – Emotet Malware Using Extortion Templates and Installing Additional Malware

January 21, 2020

Rewterz Threat Alert – FTCODE Ransomware — New Version Harvests Saved Credentials

Severity

High

Analysis Summary

The FTCode Ransomware has undergone some development and is now fit to harvest credentials from browsers and email clients. Being fully developed in PowerShell allows it to encrypt its targets’ devices without having to download additional components, while also making it very easy for its developers to add new functionality.
The newly added info stealer functionality allows FTCode to harvest and exfiltrate the stored credentials before encrypting its victims’ files. Credentials stored in both web browsers (Internet Explorer, Mozilla Firefox, Google Chrome) and email clients (Mozilla Thunderbird and Microsoft Outlook) are stolen by FTCode.

The FTCode ransomware arrives on its victims’ computers via spam emails containing malicious Word documents camouflaged as invoices, document scans, and resumes, which will drop the JasperLoader malware downloader and then encrypts the device.

Impact

  • Files Encryption
  • Credential Theft
  • Data Exfiltration 

Indicators of Compromise

Domain Name

  • amq1mtkxmdqy[.]top
  • luigicafagna[.]it
  • bxfmmtkxmdqy[.]top
  • agvlmtkxmtq4[.]top
  • agvlmtkxmdqy[.]top
  • ahmwmtkxmdqy[.]top
  • ehuxmtkxmdqy[.]top

Hostname

  • kind[.]its1ofakind[.]com
  • cdn[.]danielrmurray[.]com
  • print[.]impressnaples[.]com
  • home[.]southerntransitions[.]net
  • nomi[.]tugnutz[.]com
  • power[.]hagertyquote[.]com
  • men[.]unifiedthreatmanagementutm[.]com
  • home[.]ktxhome[.]com
  • connect[.]simplebutmatters[.]com
  • pups[.]pupusas[.]net
  • ceco[.]heritageins[.]co
  • stats[.]thomasmargiotti[.]com
  • way[.]securewebgateway[.]com biz[.]lotsofbiz[.]com
  • connect[.]heritageagencies[.]com
  • ese[.]emarv[.]com
  • print[.]impress-screen-printing[.]com
  • dhol[.]rkeindustries[.]net

MD5

  • 328ce454698307f976baa909e5c646c7
  • fd46c05b99d00e11d34b93eae2c7ff2b
  • f0aa45bb9dd09cfac9d93427a8f5c72c
  • cc0f64afa3101809b549cc5630bbd948
  • edd5fbe846fa51f3b555185627d0d6c5
  • 71a8d8c0543a99b8791e1cfaeeeb9211
  • 98d2221445c2c8528cef06e4ef3c9e36
  • d597ea78067725ae05a3432a9088caae
  • 7f5bb4529b95a872a916cc24b155c4cc
  • cc5946ce893ff37ace8de210923467a2
  • a2e88f9486cc838eae038a8ba32352f3
  • f96253923e833362ecac97729d528f8c
  • eab63ee2434417bc46466df07dc6b5b5

SHA-256

  • ae969f37254e700150cce72f8a15822220c2b87c76baab06174aaab9d464f16d
  • af2a829023c1d39d1f6977e9a2f0bbf5969d141d0c514bc6a0be2cedd581ea2b
  • abef1f951bd1e29ae09ae6a70ee6f84cd4f670ac43c03e265eaab6d76935261f
  • 0f6497ec74e0417d99948335224c55e8aa28cb0faddb901777c3aced9a9d9875
  • 5c159f44a6bd3c58cc59c7f3497820a3008c77dde5c578c14f8feef1f021ef85
  • fe6e31e4261e584ad81c0375380ffbb134001941fb314274025aabdc7277e28a
  • 7c0cd6a39c2aa9f8c58bcb54507cb77a253aa13070aa7486abffed2fe101870d
  • 1c85619458933fb6fefdb2d9a3c19dfb915051ef824b58220672483a37a443a5
  • e7d1771806a348f52e0f288ffd57af7921ef5631de5fbdf2e7c6ef25ee280895
  • 549ae329ae9f8214de007b3593c21ff02ed5131a13f19ed2dd49feac3da073f7
  • 8636d525567fe8add30935dc6f1a279c21b74dd5cdaca735db8eb413994507c0
  • d5f9748e21547675dc454ca6e1131a30e99ada71464bc07797ce804a24b64fd6
  • be5b7511c382087c21c3c20b5681721b4c4355ae9cdd46f4aeb1bf9479980e24

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached in untrusted emails. 
  • Do not enable macros for files that are downloaded unintentionally. 

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.