{
	"id": "91aeafaf-429d-4ace-9af5-5bf25e9adb40",
	"created_at": "2026-04-06T00:06:21.468495Z",
	"updated_at": "2026-04-10T03:21:19.808939Z",
	"deleted_at": null,
	"sha1_hash": "f7b96787c1310299be55d9c54b603066414627e8",
	"title": "Malware Tales: FTCODE",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 315584,
	"plain_text": "Malware Tales: FTCODE\r\nArchived: 2026-04-05 16:08:32 UTC\r\nSummary\r\n1. The Threat\r\n2. Payload Delivery\r\n3. Environment Preparation\r\n4. Ransomware Attack\r\n5. Version Changes\r\n6. Conclusion\r\n7. Suricata IDS Signatures\r\n8. IoC\r\n1. The Threat\r\nMalicious actors are evolving and trying new ways to infect computers.\r\nAt the start of this year, a specific actor started to leverage a legitimate certified mail service, mainly used in Italy, called PEC. This service is particularly trusted by its users and is commonly used to deliver electronic invoices. Therefore, it’s of special interest because it’s easier to lure potential victims with malicious emails that refer to fake invoices.\r\nUntil last week, the Gootkit banker was delivered as the final payload of the infection chain. During this year, the way to deliver this threat changed: they started to leverage a new, simple but effective downloader dubbed JasperLoader to deliver upgrades and additional modules when needed (see the Talos research).\r\nHowever, even if sophisticated, Gootkit is old malware. Also, it does not monetize fast and requires special interaction by the user. So, they have started experimenting with ransomware, maybe to understand if they can get more from this kind of infection.\r\nWe are talking about a raw ransomware fully written in Powershell code, called FTCODE.\r\nEven if the name could seem new, the first appearance of this threat was in 2013, as stated by Sophos. Then, almost nothing was seen for about 6 years. Strange, but we have to remember that technology changes. Windows XP was widespread at that time and, by default, Powershell is installed only from Windows 7 on. That can be a problem because actors need to install Powershell itself before running ransomware. 
Also, cyber security was not as mature as it is nowadays so, for instance, classic Zeus-like bankers were more effective.\r\nIndeed, last year we saw the arrival of a new downloader and backdoor written in Powershell, called sLoad, and it’s still being actively distributed (see the Certego sLoad analysis).\r\nhttps://www.certego.net/en/news/malware-tales-ftcode/\r\nPage 1 of 7\n\nKISS (“keep it simple and stupid”) is what they teach you during software engineering courses. So, why struggle with sophisticated malware when a bunch of code written in Powershell lets you perform every kind of wickedness?\r\nSo let’s dive into more technical details to understand how FTCODE works.\r\nMainly we analyzed two samples from two different campaigns:\r\nversion 930.5, md5: a5af9f4b875be92a79085bb03c46fe5c, day: 01/10/2019\r\nversion 1001.7, md5: 8d4c81e06b54436160886d78a1fb5c38, day: 02/10/2019\r\n2. Payload Delivery\r\nAs stated before, the user receives an email that refers to a fake invoice with an attached document called \"Fattura-2019-951692.doc\". The threat actor leverages a commonly used template to trick the user into disabling the “Protected View” mode and triggering the execution of the malicious macro.\r\nOnce enabled, the macro runs and spawns the following Powershell process:\r\nThe result is the download of a piece of Powershell code that is run using the \"Invoke-Expression\" command (“iex”). Note that the function “DownloadString” saves the result of the request only in memory, in an attempt to avoid antivirus detection.\r\nThe new Powershell code is FTCODE itself. 
On execution, it performs the following GET request:\r\nto download a Visual Basic Script file and save it in \"C:\\Users\\Public\\Libraries\\WindowsIndexingService.vbs\".\r\nThis is a variant of JasperLoader, a simple backdoor that is able to download further payloads.\r\nThen, it tries to create a shortcut file called \"WindowsIndexingService.lnk\" in the user's startup folder that runs the JasperLoader. Finally, to achieve persistence after reboot, it creates a scheduled task called \"WindowsApplicationService\" pointing to the shortcut file.\r\n3. Environment Preparation\r\nAfter having installed the JasperLoader backdoor, FTCODE starts to prepare the environment for the ransomware attack.\r\nIt verifies if the file \"C:\\Users\\Public\\OracleKit\\w00log03.tmp\" exists. If it does, it checks for files with the extension \".FTCODE\" on all the drives with at least 50 KB of free space. If there are any, it means that the machine was already attacked by the ransomware, maybe by a previous version: therefore, it exits.\r\nDe facto, this indicator can be used to “vaccinate” the endpoints against this threat. It’s enough to create the mentioned file with any kind of content to let FTCODE believe that the computer was already infected.\r\nAfterwards it generates a random globally unique identifier (GUID) and a password consisting of 50 characters with at least 4 non-alphanumeric characters.\r\nThen we found a hardcoded RSA public key that is used to encrypt the password. 
In this way the password cannot be deciphered without the proper private key controlled by the malicious actor and can be sent, in a secure way, to the attacker’s server.\r\nSurprisingly, the encrypted password, after being generated, is never used elsewhere in the code; instead, just the plain base64-encoded password is sent to the attacker’s server.\r\nThe consequence is that, if the traffic against the attacker’s server is being monitored, it’s possible to retrieve the key that will be used to decipher the files, without paying any ransom.\r\nWe believe that this mistake will be corrected in future versions.\r\nAfter that error, FTCODE performs a POST request to the following URL:\r\nver=930.5, version number\r\nvid=dpec2, probably to identify the campaign\r\npsver=Powershell Major Version, probably to understand if FTCODE needs an update from JasperLoader\r\nguid=the GUID generated previously, to identify the victim\r\nek=the previously generated password encoded in base64\r\nIf the server response is \"ok\", it creates the file \"C:\\Users\\Public\\OracleKit\\w00log03.tmp\" containing the GUID. If the server response is different, it exits. 
This is another protection mechanism to evade execution in simulated environments.\r\nAfterwards, it tries to run the following commands, which are commonly used by almost every ransomware to reduce the chance that the victim can recover the encrypted files without paying:\r\nSimilar behaviour is performed by Sodinokibi (see the Certego blog).\r\n4. Ransomware Attack\r\nAt this moment, everything is ready to perform the real attack phase.\r\nFTCODE checks for all the drives with at least 50 KB of free space and it looks for all the files with the following extensions:\r\nThen, it encrypts the first 40960 bytes of each of them using the “Rijndael symmetric key encryption”. The key is created based on the previously generated key and the hardcoded string “BXCODE hack your system”. The initialization vector is also based on another hardcoded string (\"BXCODE INIT\").\r\nFinally it appends the extension \".FTCODE\" and creates the file \"READ_ME_NOW.htm\" in the folders that contain the encrypted files. We are talking about the classic ransom note with instructions on how to recover the encrypted files.\r\n5. Version Changes\r\nWe believe that this ransomware is in active development. Just one day after the delivery of version 930.5, we saw another version distributed (1001.7). Malware authors noticed that, in the first version, there was no mechanism to tell the threat actors if the file encryption was successful or not. So, they added 2 more lines of code that trigger 2 additional C\u0026C POST requests with the following new parameters:\r\nstatus=”start” or “done”\r\nres=number of successfully encrypted files\r\n6. Conclusion\r\nActors change their tactics faster and faster. But we learned that they can be lazy and make mistakes too. 
They are humans after all.\r\nSome of them are starting to prefer ransomware like FTCODE over classic infostealers and bankers.\r\nAlso, we found that, by monitoring the network traffic, it’s possible to retrieve the key used to encrypt the files.\r\nSo, it’s important to continuously monitor your own assets, both at the network and at the endpoint level, to fight against these kinds of threats.\r\nThe Certego Threat Intelligence Team has been studying upcoming cyber threats for years in order to provide the best protection to its customers.\r\n7. Suricata IDS Signatures\r\n8. IoC\r\nAuthor\r\nMatteo Lodi, Threat Intelligence Lead Engineer; Marco Bompani, Security Analyst\r\nSource: https://www.certego.net/en/news/malware-tales-ftcode/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.certego.net/en/news/malware-tales-ftcode/"
	],
	"report_names": [
		"malware-tales-ftcode"
	],
	"threat_actors": [],
	"ts_created_at": 1775433981,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7b96787c1310299be55d9c54b603066414627e8.pdf",
		"text": "https://archive.orkl.eu/f7b96787c1310299be55d9c54b603066414627e8.txt",
		"img": "https://archive.orkl.eu/f7b96787c1310299be55d9c54b603066414627e8.jpg"
	}
}