2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Today, I will walk you through a case analysis of the new FTCode fileless ransomware spread by spam. Many people may not know much about it, so to help you understand it better the editor has summarized the following; I hope you get something out of this article.
At present, ransomware remains the biggest threat worldwide. In recent years ransomware attacks against enterprises have become more frequent, new ransomware families keep emerging, and enterprises must stay highly alert. Most ransomware cannot be decrypted. Recently, foreign security researchers found FTCode, a ransomware built on PowerShell scripts, which is spread mainly through spam.
An independent malware researcher abroad disclosed this new FTCode PowerShell ransomware; the analysis follows:
The ransomware is spread mainly through spam. The spam carries a compressed archive containing a malicious DOC document. Download the corresponding DOC sample from app.any.run and open the DOC file, as shown below:
The malicious macro code is triggered when the document is opened; the corresponding document contents are as follows:
The malicious macro code launches a PowerShell process to execute the script, as shown below:
It downloads a PowerShell script from a malicious server and executes it; the server URL is:
Hxxp://home.southerntransitions.net/?need=9f5b9ee&vid=dpec2&81038
Opening the script hosted on the malicious server shows the following:
It downloads a VBS script from the malicious server and then registers a scheduled task as a self-start entry, as follows:
The corresponding scheduled task self-start entry, WindowsApplicationService, is as follows:
The script content served by the malicious server URL hxxp://home.southerntransitions.net/?need=6ff4040&vid=dpec2& is as follows:
The decrypted VBS script is a PowerShell script, as shown below:
Decrypting the PowerShell script again reveals a malware downloader that downloads and installs other malware, as shown below:
After downloading the VBS script and setting up the scheduled task, the FTCode PowerShell script decrypts a built-in string to generate an RSA encryption key, as shown below:
It deletes disk shadow copies, operating system backups, etc., as follows:
Then it starts encrypting files with the targeted extensions, renaming them with the suffix FTCODE, as shown below:
The encrypted file is as follows:
A ransom note HTM file, READ_ME_NOW.htm, is generated in each directory containing encrypted files, as follows:
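As an added defender-side example (not code from the article or from the researcher it cites), the following Python flags the stages described above, Office spawning PowerShell, the WindowsApplicationService task, backup deletion, and the FTCODE / READ_ME_NOW.htm file artifacts, over constructed Sysmon-style process events and file paths. The vssadmin/wmic command patterns are an assumption, since the article does not name the backup-deletion commands.

```python
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
TASK_NAME = "WindowsApplicationService"   # persistence task named in the article
RANSOM_EXT = ".ftcode"                    # suffix given to encrypted files
RANSOM_NOTE = "read_me_now.htm"           # note dropped in each encrypted directory
# Assumed shadow-copy deletion command lines; the article only says backups are deleted.
SHADOW_RE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)

def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify_event(ev: dict) -> list:
    """Return the FTCode-chain rules that one process-creation event trips."""
    hits = []
    parent, image, cmd = _base(ev["parent"]), _base(ev["image"]), ev["cmdline"]
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")   # macro -> PowerShell stage
    if TASK_NAME.lower() in cmd.lower():
        hits.append("ftcode_persistence_task")      # scheduled-task self-start entry
    if SHADOW_RE.search(cmd):
        hits.append("shadow_copy_deletion")         # backups destroyed before encryption
    return hits

def scan_paths(paths) -> dict:
    """Count encrypted files and ransom notes, and list the directories holding notes."""
    notes = [p for p in paths if _base(p) == RANSOM_NOTE]
    return {"encrypted": sum(_base(p).endswith(RANSOM_EXT) for p in paths),
            "notes": len(notes),
            "note_dirs": sorted({str(PureWindowsPath(p).parent) for p in notes})}

# Constructed sample telemetry (not real logs) mirroring the chain in the article.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <downloader stage>"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn WindowsApplicationService /tr <vbs launcher> /sc onlogon"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},   # benign control event, should trip nothing
]
SAMPLE_PATHS = [r"C:\Users\u\Documents\budget.xlsx.FTCODE", r"C:\Users\u\Documents\READ_ME_NOW.htm",
                r"C:\Users\u\Pictures\READ_ME_NOW.htm", r"C:\Users\u\Pictures\cat.jpg"]
```

Run `classify_event` over each entry of SAMPLE_EVENTS and `scan_paths(SAMPLE_PATHS)` to see the three malicious stages flagged, the benign event ignored, and the two directories holding ransom notes listed.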
After reading the above, do you have a better understanding of this case analysis of the new FTCode fileless ransomware spread by spam? If you want to learn more, please follow the industry information channel; thank you for your support.