As part of their work to help organizations defend themselves against ransomware, iDefense analysts have uncovered important details about the command-and-control (C2) communications in a potentially dangerous new PXJ ransomware variant.
Reverse engineering reveals that this new strain has reached a more worrisome stage in its development. With the addition of C2 communications, it can now let attackers know whether their attempted infection has been successful. It also may be able to report back on the most effective infection vectors, thus helping threat actors refine their tactics.
A potential long-term threat
iDefense researchers often reverse-engineer new malware that has changed significantly in a short period of time. In the case of PXJ ransomware, the two earliest unpacked samples relied on email communications, while this latest variant ups the ante by employing very basic C2 communications. It’s difficult to predict for sure, but this ransomware could pose a long-term threat.
Table 1 summarizes some basic information about the unpacked samples and their ‘packers,’ which are often used to stop security products from detecting malware – and to hinder analysis. In this case, the developers behind PXJ wrote all the unpacked ransomware samples in C++ and also used C++ for the packer of Sample 1. They used Delphi for the two packers of Sample 3 (the latest variant). iDefense is not aware of any packed form of Sample 2.
The major difference among the three samples is that Sample 3 communicates with a C2 server; Samples 1 and 2 do not. In addition, Sample 3 drops a different ransom note to the desktop and the root of the drive; this new ransom note (see Exhibit 1) is embedded in the ransomware as plain text rather than encoded as in Samples 1 and 2. In all three samples, the ransomware appends the “pxj” extension to the filename of each file it encrypts; this extension is how the ransomware got its name.
Exhibit 1: New PXJ Ransom Note. Copyright © 2020 Accenture. All rights reserved.
Sample 3 of the PXJ ransomware communicates with its C2 server just after it drops the empty `Res.AAABANIx93RdufO4` file and the `LOOK.txt` ransom note to the victim system’s desktop. The ransomware uses the format string `K \t %d/%d/%d %d:%d:%d \t %s \t AAABANIx93RdufO4` (where `\t` is a literal tab character) with the following argument list to build the unencoded token value for the query string of the C2 URL:
- Year from system time
- Month from system time
- Day from system time
- Hour from system time
- Minute from system time
- Second from system time
- Computer name (the `%s` argument)
After formatting, the string takes the form `K \t [year]/[month]/[day] [hour]:[minute]:[second] \t [computer name] \t AAABANIx93RdufO4`; because the numeric fields use `%d`, they are not zero-padded. Exhibit 2 shows the assembly code and formatting of the unencoded token value.
Once the unencoded token value is Base64-encoded, the ransomware replaces the `%s` in the string `/bbs/do.php?token_value=%s` with this Base64-encoded token value. This string replacement creates the path and query string of the C2 URL. As seen in Exhibit 3, the ransomware checks in with its C2 server at pediitn.co[.]kr through an HTTP GET request using:
- The user agent `Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko` (a stock Internet Explorer 11 user agent, so it is not distinctive on its own)
- The path and query string `/bbs/do.php?token_value=[Base64-encoded string for system time and computer name]`
Once this initial status check-in completes, the ransomware ceases to communicate with its C2 server. At this point, it has sent the victim's computer name to the C2 server to identify the victim and the string `AAABANIx93RdufO4` to identify the ransomware. After it attempts the C2 request, it proceeds to encrypt files regardless of whether the transmission succeeded, so blocking the C2 domain prevents the attacker from learning of the infection but does not stop the encryption. PXJ’s C2 communications map to the MITRE ATT&CK Command and Control tactic through the techniques “Data Encoding” and “Standard Application Layer Protocol.”
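The check-in described above, modelled end to end as an added Python example (this is not code from the sample or from iDefense): `build_token` and `build_c2_url` reproduce the sprintf-then-Base64 construction so a hunter can see what the `token_value` looks like, and `decode_token` and `find_pxj_checkins` do the inverse over proxy log lines, reporting the victim computer name and system time that the malware leaked. The token layout, identifier, host, path and user agent are taken from the analysis; the log line format, the IP addresses, the computer name and the helper names are this example's own constructed assumptions.

```python
"""Model of the PXJ Sample 3 C2 check-in and a decoder for hunting it in proxy logs.

Added example for this page, not the ransomware's or iDefense's code. The token
layout, identifier, C2 host/path and user agent come from the analysis above; the
log line format and its contents below are constructed samples.
"""
import base64
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

PXJ_ID = "AAABANIx93RdufO4"   # trailing field that identifies the ransomware
C2_HOST = "pediitn.co.kr"     # written undefanged here so urlsplit() can match it
C2_PATH = "/bbs/do.php"
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"


def build_token(when: datetime, computer_name: str) -> str:
    """Produce token_value the way the sample does: sprintf, then Base64.

    Mirrors the format "K \\t %d/%d/%d %d:%d:%d \\t %s \\t AAABANIx93RdufO4";
    the \\t are literal tabs and the %d fields are unpadded, as in C.
    """
    raw = (f"K \t {when.year}/{when.month}/{when.day} "
           f"{when.hour}:{when.minute}:{when.second} \t {computer_name} \t {PXJ_ID}")
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def build_c2_url(when: datetime, computer_name: str) -> str:
    """The GET target: the Base64 token substituted for %s in the query string."""
    return f"http://{C2_HOST}{C2_PATH}?token_value={build_token(when, computer_name)}"


# Inverse of the sprintf format: anchors, tabs and the trailing identifier must all match.
_TOKEN_RE = re.compile(r"\AK \t (\d+)/(\d+)/(\d+) (\d+):(\d+):(\d+) \t ([^\t]+) \t (\S+)\Z")


def decode_token(token_b64: str) -> Optional[Tuple[datetime, str]]:
    """Return (victim system time, computer name) if token_b64 is a PXJ token, else None."""
    try:
        raw = base64.b64decode(token_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # not Base64, or not text
        return None
    m = _TOKEN_RE.match(raw)
    if m is None or m.group(8) != PXJ_ID:
        return None
    y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
    try:
        when = datetime(y, mo, d, h, mi, s)
    except ValueError:                         # right shape, impossible date
        return None
    return when, m.group(7)


def find_pxj_checkins(log_lines: List[str]) -> List[Dict[str, object]]:
    """Scan constructed proxy lines '<ts> <client_ip> GET <url> "<user-agent>"'
    and return every request whose token decodes as a PXJ check-in."""
    line_re = re.compile(r'^(\S+) (\S+) GET (\S+) "([^"]*)"$')
    hits: List[Dict[str, object]] = []
    for line in log_lines:
        m = line_re.match(line)
        if not m:
            continue
        logged_at, client_ip, url, ua = m.groups()
        parts = urlsplit(url)
        if parts.hostname != C2_HOST or parts.path != C2_PATH:
            continue
        # Pull token_value by hand: parse_qs() would turn Base64 '+' into a space.
        tok = re.search(r"(?:^|&)token_value=([^&]*)", parts.query)
        decoded = decode_token(unquote(tok.group(1))) if tok else None
        if decoded is None:
            continue
        victim_time, computer_name = decoded
        hits.append({
            "logged_at": logged_at,
            "client_ip": client_ip,
            "computer_name": computer_name,
            "victim_system_time": victim_time.isoformat(),
            "ua_matches": ua == USER_AGENT,
        })
    return hits


# Constructed sample log: the second line is a PXJ check-in generated with
# build_c2_url(); the third hits the same host and path but carries a non-PXJ token.
SAMPLE_TIME = datetime(2020, 5, 7, 9, 3, 15)
SAMPLE_LOG = [
    '2020-05-07T09:03:14Z 10.20.30.41 GET http://example.com/index.html "Mozilla/5.0"',
    f'2020-05-07T09:03:16Z 10.20.30.41 GET {build_c2_url(SAMPLE_TIME, "WS-FINANCE-07")} "{USER_AGENT}"',
    '2020-05-07T09:04:00Z 10.20.30.42 GET http://pediitn.co.kr/bbs/do.php?token_value=aGVsbG8= "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in find_pxj_checkins(SAMPLE_LOG):
        print(hit)
```

The decoder insists on the full shape of the token, including the trailing `AAABANIx93RdufO4`, so a request to the same path with an unrelated `token_value` (as in the third sample line) is not reported; the leaked system time is kept separate from the proxy timestamp because the two come from different clocks.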
How does this threat map to MITRE ATT&CK techniques?
To mitigate this threat, iDefense recommends ensuring appropriate mitigations are in place for the following MITRE ATT&CK techniques.
How to identify the threat
iDefense recommends searching network logs, the system, and disk for the following artifacts:
- Network: HTTP GET requests to pediitn.co[.]kr with the path and query string `/bbs/do.php?token_value=`
- System: the following mutant and named pipe objects:
  - `Sessions\1\BaseNamedObjects\XVFXGW DOUBLE SET`
- On-disk artifacts:
  - Files with the extension `.pxj`
  - The ransom note `LOOK.txt` and the empty file `Res.AAABANIx93RdufO4` dropped to the desktop
iDefense also suggests leveraging the following YARA rule for in-memory hunting/detection:
```yara
// Rule name is not shown on the page and is chosen here so the rule compiles;
// meta, strings and condition are as published.
rule PXJ_Ransomware_Email_or_C2
{
    meta:
        author = "iDefense"
        date = "05-07-2020"
        description = "PXJ Executable Email or C2 Versions"
        hash_1 = "b11252ad2beabb3fe5c566153efc3176"
        hash_2 = "5dc438c8c9ab91ccadba1de82ab481d9"
        hash_3 = "7f8c74dc5cef87ef3098cd8bcd875c51"

    strings:
        $str1 = "look.txt" nocase wide ascii
        $str2 = "AAABANIx93RdufO4" nocase wide ascii
        $str3 = "bcdedit" ascii
        $str4 = "PXJ" nocase wide ascii
        $str5 = "vssadmin" nocase
        $str6 = "XVFXGW DOUBLE SET" nocase wide ascii
        $str7 = "/bbs/do.php?token_value="
        $str8 = "protonmail.com"

    condition:
        6 of them
}
```
To protect against ransomware in general, please see our “2019 CYBER THREATSCAPE REPORT.” For more information on how the iDefense team works to track and monitor cyber threat and attacks, please visit our cyber threat intelligence services overview page.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved.