The recently discovered ransomware FTCODE has evolved to include new information-stealing capabilities, and is now infecting victims via VBScript links in phishing emails.

Researchers from the Zscaler ThreatLabZ team, who say they first discovered the PowerShell-based malware, detailed the latest changes in a blog post late last week.

The new iteration, version 1117.1, contains code that steals credentials from Internet Explorer, Mozilla Firefox and Thunderbird, Google Chrome and Microsoft Outlook.

When a target clicks on a VBScript link within the phishing email, the FTCODE PowerShell script is loaded. “The script first downloads a decoy image into the %temp% folder and opens it trying to trick users into believing that they simply received an image, but in the background, it downloads and runs the ransomware,” explain Zscaler researchers and blog post authors Rajdeepsinh Dodia, Amandeep Kumar and Atinderpal Singh.

Prior to leveraging VBScript links, FTCODE’s distributors had been sending out spam emails with attached documents containing malicious macros that, when opened, infected the target.

The ransomware component works by searching drives with a minimum of 50kb of free space and a wide range of file types within them. It reportedly uses AES encryption to scramble the affected files, then instructs victims in a note to download the Tor browser, open a specific link and follow instructions to pay up.