Pay2Key New Variant

Executive Summary

Last week, we published a report about the ransomware group Pay2Key and attributed it to Fox Kitten, the Iranian APT group that has operated in Israel since 2017, based on both technological and thematic similarities[1]. While monitoring this Iranian threat actor, we identified a new version of the Pay2Key ransomware in VirusTotal. This new version appears to be a direct upgrade of the previous versions observed by CheckPoint[2]. As with many other ransomware tools, the authors of Pay2Key have mainly been exploiting exposed Remote Desktop Protocol (RDP) services to infiltrate victim networks and then expand their presence. It is possible that they are using other vectors as well.

In this “upgraded” version, several changes were introduced: packing the payload with a modified UPX header, corruption of the IAT, additional code for various anti-analysis and anti-debugging methods, and some methods of string encryption applied to the binary. By comparing the December version against the November version using BinDiff, we observed a 91% code match between the two versions of the ransomware.

The changes observed in this report suggest that the attacker invested new development effort to make the malware harder for reverse engineers and security products to analyze, using anti-analysis methods and encryption. These methods are relatively outdated and can be easily circumvented.


[1] https://www.clearskysec.com/pay2kitten/

[2] https://research.checkpoint.com/2020/ransomware-alert-pay2key/

TTP

Initial Payload

The file is packed with UPX, as identified by VirusTotal.

However, it does not contain the standard UPX sections, and attempts to unpack the file with the standard UPX tool fail.

This behavior indicates that the developer modified the UPX headers to hinder analysis and to attempt to avoid detection by security products.
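A triage check for this situation, as an added example that is not part of the original report: it parses the PE section table and separates a standard UPX layout from a UPX-like layout whose section names or `UPX!` marker have been altered. The heuristics reflect the typical UPX layout, and the section names and sizes in the samples are constructed, not taken from the Pay2Key binary.

```python
import struct

EXEC_WRITE = 0x20000000 | 0x80000000  # IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE

def pe_sections(data):
    """Return [(name, virtual_size, raw_size, characteristics)] for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    out = []
    for i in range(nsect):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        chars, = struct.unpack_from("<I", data, table + 40 * i + 36)
        out.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize, chars))
    return out

def classify_packing(data):
    """Heuristic verdict: standard UPX, UPX-like but altered, or no indicators."""
    secs = pe_sections(data)
    names = [s[0] for s in secs]
    # Typical UPX layout: first section is an empty on-disk, writable+executable placeholder
    stub_layout = bool(secs) and secs[0][2] == 0 and secs[0][1] > 0 \
        and (secs[0][3] & EXEC_WRITE) == EXEC_WRITE
    std_names = "UPX0" in names and "UPX1" in names
    magic = b"UPX!" in data
    if std_names and magic:
        return "standard-upx"
    if stub_layout or std_names or magic:
        return "modified-upx-suspected"
    return "no-upx-indicators"

def build_pe(sections, extra=b""):
    """Build a minimal PE header blob for testing (constructed sample, no code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), vs, 0x1000 * (i + 1), rs, 0x400, 0, 0, 0, 0, ch)
        for i, (n, vs, rs, ch) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table + extra

# Constructed samples: standard UPX, renamed sections with marker removed, ordinary PE
STANDARD = build_pe([("UPX0", 0x8000, 0, 0xE0000080), ("UPX1", 0x4000, 0x3E00, 0xE0000040)], b"UPX!")
TAMPERED = build_pe([(".text", 0x8000, 0, 0xE0000080), (".data", 0x4000, 0x3E00, 0xE0000040)])
PLAIN = build_pe([(".text", 0x1000, 0x1000, 0x60000020), (".data", 0x1000, 0x200, 0xC0000040)])
```

A "modified-upx-suspected" verdict is a cue to unpack manually, as done in the next section, rather than to rely on `upx -d`.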

Addition of Defense Avoidance and Anti-Analysis

We manually unpacked the initial payload and reconstructed the PE header so that we could view the ransomware code in IDA. First, the ransomware performs various anti-debugging tricks. If one of the following checks fails, the ransomware will attempt to exit and close the program.

The following are examples of the anti-debugging tricks:

Invoking IsDebuggerPresent

Invoking CheckRemoteDebuggerPresent

Searching for Debugger Processes in Memory

Checking the PEB for the DebugFlag and the NtGlobalFlag

Performing execution time comparison using GetTickCount

Furthermore, the ransomware attempts to analyze its internal memory structure and attempts to cause exceptions by invoking debugger traps and running unexpected instructions.

Payload

Finally, the ransomware attempts to invoke the API IsDebuggerPresent (it is not clear why, however, since this API was already invoked at the beginning). If this second check fails, the ransomware loads the string “Stop debugging program” and begins running garbage code to delay analysis, eventually crashing the program.

If these checks pass, however, the ransomware executes as the previous versions did. It seems that the developer removed the logging mechanism that documented the ransomware's behavior. Additionally, the developer attempted to add string encryption to hinder analysis, but the string encryption only works some of the time, as strings can be viewed directly through IDA.

Nevertheless, the developer forgot to remove information from the RTTI structure, which contains all the function names and classes of the program. This allowed us to identify Pay2Key’s “Client” class easily.

Moreover, the PDB path was changed in this version to the following:

M:\\c\\c\\Win32\Release\\Client\\c.pdb
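A triage helper for the two leftover artifacts described above, added here as an example and not taken from the original report: it pulls simple MSVC RTTI type-descriptor names and CodeView (`RSDS`) PDB paths out of an unpacked dump. The byte blob is constructed for illustration; only the class name `Client` comes from the report, and the other names and the PDB path are made up.

```python
import re
import struct

# MSVC RTTI type descriptors hold decorated names such as ".?AVClient@@"
# (V = class, U = struct; nested scopes are '@'-separated, innermost first).
RTTI_RE = re.compile(rb"\.\?A([VU])((?:[A-Za-z_]\w*@)+)@")

def rtti_classes(blob):
    """Return sorted readable names for simple (non-template) RTTI descriptors."""
    found = set()
    for kind, body in RTTI_RE.findall(blob):
        parts = body.decode("ascii").rstrip("@").split("@")
        prefix = "class " if kind == b"V" else "struct "
        found.add(prefix + "::".join(reversed(parts)))
    return sorted(found)

def pdb_paths(blob):
    """Return PDB paths stored in CodeView RSDS debug records."""
    paths = []
    pos = blob.find(b"RSDS")
    while pos != -1:
        start = pos + 24  # 4-byte signature + 16-byte GUID + 4-byte age
        end = blob.find(b"\0", start)
        path = blob[start:end] if end != -1 else b""
        # Require a .pdb suffix so stray "RSDS" byte runs are ignored
        if path.lower().endswith(b".pdb"):
            paths.append(path.decode("utf-8", "replace"))
        pos = blob.find(b"RSDS", pos + 4)
    return paths

# Constructed dump fragment: three type descriptors and one RSDS record
SAMPLE = (
    b"\x00" * 16 + b".?AVClient@@\0" + b"\x90" * 8
    + b".?AVexception@std@@\0" + b".?AUConfig@@\0"
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    + b"C:\\build\\sample\\client.pdb\0"
)

if __name__ == "__main__":
    print(rtti_classes(SAMPLE))
    print(pdb_paths(SAMPLE))
```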

IOCs

MD5: af8b2eb23d9860e41e83292e55e64864

SHA-1: 889afcdd1086bbd976a9c137d669b3b3d086f6bb

SHA-256: 93347a47796986520d748bb6cd2385f4613169c008c686da9fe22239806845cb

Investigation Lead

A rapidly proliferating new ransomware strain that over the past two weeks has already impacted multiple large companies in Israel and a few in Europe soon could pose a major threat to organizations all over the world.

Check Point Software Technologies, which published a report today about the new so-called Pay2Key ransomware strain, said it’s almost certainly of Iranian origin and capable of encrypting an entire network in an hour or less.

In addition to encrypting networks, the Pay2Key attackers have also been stealing sensitive data from victim organizations and threatening to publicly expose the data if the demanded ransom is not paid. Pay2Key threat actors are currently demanding a relatively modest 7 to 9 bitcoins from victims, or between $113,000 and $145,500 at Thursday’s rates, according to Check Point.

At least four victims have paid the attackers to get their data back, and at least three others who refused to do so have already had their data released via a Tor website that the attackers have expressly set up for the purpose, Check Point said.

The group’s ability to synchronize attacks against several companies over a time span of a few days, its ability to encrypt an entire network in less than an hour, and its success extorting money from victims are hallmarks of a sophisticated actor, he notes.

Iran Connection

Researchers focused on the bitcoin wallets in the ransom notes sent to companies that actually paid the threat actor. They were then able to track the transactions to an Iranian cryptocurrency exchange called Excoino, which appears to be open only to Iranian citizens, based on the fact that registration requires a national ID card. For the moment, most observed attacks have targeted Israeli companies, though at least one European entity has been impacted as well.