Pay2Key Ransomware Campaign Tied to IranClearSky Researchers Say Hacks Targeting Israeli Firms Linked to APT Group 'Fox Kitten'
Over the past two months, several Israeli firms have been targeted with a ransomware variant called Pay2Key. Now, security firm ClearSky says the crypto-locking malware is linked to Fox Kitten, an Iranian threat group.
Pay2Key is a relatively new ransomware variant first spotted in November by Check Point Research. Several Israeli businesses and organizations that have sustained attacks by what they believed were ransomware strains such as Ryuk and REvil were actually hit by Pay2Key, according to Check Point (see: Pay2Key Ransomware Hits Israeli Targets).
"We estimate with medium to high confidence that Pay2Key is a new operation conducted by Fox Kitten, an Iranian APT group that began a new wave of attacks in November-December 2020 that entailed dozens of Israeli companies," according to the ClearSky report. Fox Kitten is also known as Pioneer Kitten and Parasite.
And while Check Point notes that some of the attacks associated with the Pay2Key ransomware have included a ransom note demanding payment of seven to nine bitcoins, or up to $140,000, ClearSky researchers say the attackers' have other motives.
"The attacker 'modus operandi' was to execute a ransomware attack, potentially to mislead the victim, penetrating to companies' internal networks to encrypt servers and workstations, steal and leak information and conduct 'supply chain attacks' by compromising companies using obtained accessibility or information in breached companies," according to the ClearSky report.
Data exfiltrated from victims is being posted to Telegram and Twitter as well as darknet websites, ClearSky says.
Check Point researchers note that Pay2Key targets vulnerable Remote Desktop Protocol connections in Windows devices as part of the initial infection. The attackers then map the network and take steps to ensure persistence while avoiding detection by security tools.
The ransomware, compiled in the C++ programming language, can use both RSA and AES algorithms to encrypt files during an attack, according to Check Point. Pay2Key also uses Windows' PsExec feature, a command-line tool that lets the user execute processes on remote systems.
The ClearSky researchers say they found overlaps between previous attacks associated with the Fox Kitten hacking group and the deployment of the Pay2Key ransomware.
For example, the Fox Kitten hackers have previously exploited vulnerabilities in VPNs to gain initial footholds in networks, and similar techniques were used with the Pay2Key attacks.
ClearSky also found overlap between the command-and-control infrastructure used in previous Fox Kitten campaigns and these newer ransomware attacks. Plus, all the campaigns used similar malicious tools for data exfiltration.
ClearSky says these attacks are likely an outgrowth of geopolitical tensions between Israel and Iran that have developed over the last several months, especially after an Iranian nuclear scientist was killed.
"We estimate that this campaign is part of the ongoing cyber confrontation between Israel and Iran, with the most recent wave of attacks causing significant damage to some of the affected companies," ClearSky says.
Fox Kitten, which has been active since at least 2017, has targeted organizations and government agencies in the U.S., the Middle East and Israel. The hacking group has recently started selling access to vulnerable corporate and government networks on underground sites, according to CrowdStrike (see: Iranian Hackers Reportedly Selling Network Access to Others).
In February, ClearSky reported that FoxKitten had previously worked with other Iranian-linked groups, such as OilRig and Shamoon, to provide them with access to vulnerable networks.