By: Pierguido Iezzi, Riccardo Paglia and Jim Koohyar Biniyaz
In the last two weeks, companies have reported a number of attacks by a new ransomware strain called “Pay2Key”.
Pay2Key was developed in C++, and threat actors weaponized its first iteration in October 2020.
The Swascan Cyber Security Research Team was among the first on the scene to help clients investigate and remediate the risks of this new threat.
A report from the Check Point Research team indicated that the same strain was attacking Israeli companies in the same time frame.
During our most recent investigation on the matter we were able to observe the infection cycle of this new malware first hand.
The machines struck by Pay2Key were fully updated with the latest antivirus software, yet the antivirus was unable to prevent the encryption.
Apart from some late “Warnings” and “Alerts”, the attacker completely encrypted the Windows devices on the compromised network in a matter of hours.
Most of the EDR products installed on these devices identified anomalous behavior coming from a file called “Cobalt.Client.exe”.
We observed that this executable created an encrypted file with an unknown extension and deleted another file.
The victims of the ransom were asked to pay between 100K and 200K in Bitcoin for the custom decryptor, depending on the company size and the number of compromised devices.
Key Notes
- Initial access to Patient Zero was gained through a vulnerable service exposed to the internet.
- The attackers used RDP to connect to compromised devices and an executable to distribute the ransomware.
- The attackers might have used Ngrok as a backdoor to regain access to the infrastructure.
- Pay2Key uses AES and RSA to encrypt the victims' files and eventually removes all the files.
Pay2Key, the investigation
Our research began on the 27th of October 2020, when we submitted the suspicious file “Cobalt.Client.exe” to VirusTotal.com for the first time.
This way we were able to compare the data and get confirmation from two detection engines (“Bkav” and “CrowdStrike Falcon”) that the file was indeed malware.
We also identified two other files alongside “Cobalt.Client.exe”: the first, “Cobalt-Client-log”, contained the malware's logs, and the second (Config) held some configuration for the malware.
During this first scan we were able to confirm that Pay2Key uses AES and RSA as its main encryption algorithms, as there were obvious indications in the malware strings.
Pay2Key has also shown itself to be more optimized than many other ransomware families found in the wild.
While the encryption of the whole infrastructure took around 3 hours, the creation and last-modification times of the log file showed that the encryption itself took around 1 hour.
Pay2Key, Attack and Response Timeline
- 2020-06-28:
- Keybase Account Created
- 2020-10-20:
- First Access to Vulnerable Device
- 2020-10-20:
- Access to other Nodes on the network
- 2020-10-26:
- Virus Compile time
- 2020-10-27:
- Install Non Malicious
- Malware Execution on Patient Zero
- First Time CERT Team on Incident and First Submit of “Cobalt.Client.exe”
Known Names and IoC:
Pay2Key: IoC analysis
The first submission of “Cobalt.Client.exe” to VirusTotal was flagged as malicious by two AV engines.
A comprehensive sandbox analysis showed that “Cobalt.Client.exe” tried to send a large number of ARP broadcast requests.
After some more digging we understood that the executable creates the log file when encryption starts, and by extracting strings from the log file it was clear that the malware tried to communicate at least 3 times with a C&C server.
Pay2Key: Malware Communication
ConnectPC.exe: In-depth forensics on the infected clients showed that the attackers used another application called “ConnectPC.exe” to access the remote clients.
Unfortunately the executable had already been encrypted, but we successfully recovered enough relevant logs and crash data from the process.
dllhost.exe: A clue from the Windows event logs led us to another tool used by the attackers, named “dllhost.exe”. By analyzing it we were able to trace it back to a version of the ngrok software.
The ngrok software had been well hidden on the PC from the day of the attack.
A strong hypothesis is that the attackers used ngrok to obtain remote access to the infected hosts.
PSEXESVC.exe: Another non-malware file was used during this attack to complete the attack chain.
Further analysis found no traces of malicious behavior coming from this file. (VT)
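As an added illustration (not part of the original investigation or of Swascan's tooling), the following Python hunt applies the chain described in the Key Notes and in this section to constructed Windows event records: RDP logons fanning out from one source, a PsExec service install, and a dllhost.exe running outside System32 (the renamed ngrok). The event IDs are real Windows IDs, but the record field names are assumptions approximating Security/System log fields, and hosts, users and IPs are constructed.

```python
from collections import defaultdict

# Constructed sample records approximating Windows Security/System event fields.
# 4624 = logon (logon_type 10 = RemoteInteractive, i.e. RDP), 7045 = service
# installed, 4688 = process creation. Hosts, users and IPs are made up.
EVENTS = [
    {"id": 4624, "host": "FS01", "logon_type": 10, "user": "admin", "src_ip": "10.0.5.23"},
    {"id": 4624, "host": "WS07", "logon_type": 2, "user": "alice", "src_ip": "-"},
    {"id": 7045, "host": "FS01", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4688, "host": "FS01", "image": r"C:\Users\Public\dllhost.exe"},
    {"id": 4688, "host": "WS07", "image": r"C:\Windows\System32\dllhost.exe"},
    {"id": 4624, "host": "WS07", "logon_type": 10, "user": "admin", "src_ip": "10.0.5.23"},
]

LEGIT_DLLHOST = r"c:\windows\system32\dllhost.exe"

def hunt(events):
    """Return (kind, host, detail) tuples for the three artifacts of interest."""
    findings = []
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10:
            findings.append(("rdp_logon", e["host"], e["src_ip"]))
        elif e["id"] == 7045 and e.get("service", "").upper() == "PSEXESVC":
            findings.append(("psexec_service", e["host"], e["image"]))
        elif e["id"] == 4688:
            image = e["image"].lower()
            # dllhost.exe is a legitimate Windows binary only when it runs from
            # System32; the same name anywhere else is the masquerading seen here.
            if image.endswith("\\dllhost.exe") and image != LEGIT_DLLHOST:
                findings.append(("masqueraded_dllhost", e["host"], e["image"]))
    return findings

def rdp_fan_out(findings):
    """Group RDP logons by source IP: one source reaching several hosts is the
    lateral-movement pattern, not a normal single admin session."""
    by_src = defaultdict(set)
    for kind, host, detail in findings:
        if kind == "rdp_logon":
            by_src[detail].add(host)
    return {src: sorted(hosts) for src, hosts in by_src.items() if len(hosts) > 1}

if __name__ == "__main__":
    found = hunt(EVENTS)
    for f in found:
        print(f)
    print(rdp_fan_out(found))
```

On real telemetry the same logic would be fed from exported Security (4624, 4688) and System (7045) logs; the masquerading check should be extended to any legitimate binary name seen running from a user-writable path.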
Pay2Key, the threat actor:
Pay2Key's Keybase account was created on 28/6/2020.
From the Keybase chain we understood that the threat actor was active on at least two occasions; one of them was 27-10-2020 at 8:50 a.m., the same day as the attacks reported to us.
The Pay2Key profile image was previously used by a cryptocurrency project named “EOSIO UTXO”.
In the process of threat hunting we identified some evidence that might be relevant to the history of Pay2Key.
MITRE ATT&CK Vector
- Persistence
- Hooking (https://attack.mitre.org/techniques/T1179)
- Kernel Modules and Extensions (https://attack.mitre.org/techniques/T1215)
- Privilege Escalation
- Hooking (https://attack.mitre.org/techniques/T1179)
- Process Injection (https://attack.mitre.org/techniques/T1055)
- Defense Evasion
- Process Injection (https://attack.mitre.org/techniques/T1055)
- Software Packing (https://attack.mitre.org/techniques/T1045)
- Credential Access
- Hooking (https://attack.mitre.org/techniques/T1179)
- Discovery
- Network Service Scanning (https://attack.mitre.org/techniques/T1046)
- Query Registry (https://attack.mitre.org/techniques/T1012)
- System Network Configuration Discovery (https://attack.mitre.org/techniques/T1016)
This article is intended to aid security managers and CERT teams, including security operations center (SOC) staff. Security professionals can use this intelligence to better understand Pay2Key's behavior and identify indicators of compromise (IoCs). It can also help inform ongoing intelligence analysis and forensic investigations, particularly for compromise discovery, damage control and risk minimization.