Open Nav
Sign Up

Defending against the “Pay2key” cyber campaign

Ben Brauner

December 16, 2020

Cyber Incident Response

Pay2key – December 2020

Over the last 10 days, OP Innovate has handled a number of cyber incidents resulting from the Iranian ‘Pay2key’ campaign. This intelligence gathering and ransomware campaign has targeted over 80 Israeli organizations thus far, and if successful, would have paralyzed significant sectors of the Israeli industry.

Incident Response Methodology

An incident response methodology coalesces is a number of procedures which aim to identify, investigate, handle and then learn from security incidents. The methodology seeks to minimize impact and downtime, bring about rapid recovery, and feed into an iterative feedback loop which strives to decrease future recurrence. 

The commonly accepted incident response phases are:

This document focuses on the detection, containment and eradication of the “Pay2key” cyber campaign.

Go to the Windows Task Scheduler and identify the newly created task named “VerifiedPublisherCertStoreVerify”. It appears in the \Microsoft\Windows\AppID directory and replaces the existing legitimate Windows task of the similar name (VerifiedPublisherCertStoreCheck) (figure 1).

Figure 1: Task Scheduler showing the disabled legitimate task and its persistent malicious replacement

Investigation of the malicious task shows that it runs an application masquerading as a Windows application each day at 9am. The name of this application is sccm.exe, and mimics the Windows System Center Configuration Manager (SCCM). Use of a legitimate Windows application name may help the malware file to evade some antivirus software which looks for unknown file names. 

This malware file is located in the c:\windows\speech folder. Its location is a further effort to evade the AV software (figure 2).

Figure 2: Malware location

Eradication action items: 

  • The malicious scheduled task must be deleted.
  • The malware file found in c:\windows\speech\sccm.exe must be deleted.

A further artifact found was the creation of a local administrative user on the server, the account named “DefaultAccounts$” (figures 3 and 4). This seeks to mimic the “DefaultAccount”, also known as the Default System Managed Account (DSMA), a built-in account introduced in Windows 10 version 1607 and Windows Server 2016. It remains present in Windows 10, Windows Server 2016 and Windows Server 2019. The legitimate DefaultAccount user is absent since the server predates Windows Server 2016.

Figure 3: The newly created DefaultAccounts$ account

Eradication action items: 

  • The DefaultAccounts$ user must be deleted

Further recommendations to mitigate the attack:

  • Block all traffic to and from the following IPs: 63.32.140.129 , 13.81.213.207 , 162.223.91.13 
  • Reset passwords for all domain admin users, VPN users. Enable and enforce 2FA.
  • Make sure your VPN software and firewall firmware are up to date

Attack Kill Chain

If you find the the indicators of compromise (IOCs) or experience any other suspicious activity please do not hesitate to contact us: 

 

OP Innovate Ltd. © 2020 

   www.op-c.net | info@op-c.net 

Resources highlights

Adobe Patches Multiple Critical ColdFusion and Campaign Classic Vulnerabilities: CVE-2026-48282 Exploitation Observed

Adobe has released security updates for multiple critical vulnerabilities affecting Adobe ColdFusion and Adobe Campaign Classic, including several flaws rated CVSS 10.0.CVE-2026-48282, a critical ColdFusion…

Read more >

adobe_coldfusion_campaign classic_cve-2026-48282

CVE-2026-46817: Critical Oracle E-Business Suite Vulnerability

A critical vulnerability in Oracle E-Business Suite is now being actively exploited in the wild. Tracked as CVE-2026-46817, the flaw affects the File Transmission component…

Read more >

cve-2026-46817-oracle-e-business

Cisco Unified CM Vulnerability CVE-2026-20230 Targeted After Public PoC Disclosure 

Cisco has disclosed and patched CVE-2026-20230, a critical SSRF vulnerability affecting Cisco Unified Communications Manager and Unified CM SME when the WebDialer service is enabled.…

Read more >

CVE-2026-20230

Microsoft Confirms Unpatched RoguePlanet Defender Zero-Day (CVE-2026-50656)

Microsoft has confirmed a new Microsoft Defender zero-day vulnerability tracked as CVE-2026-50656 and publicly referred to as RoguePlanet. The flaw affects the Microsoft Malware Protection…

Read more >

RoguePlanet_cve-2026-50656

FortiBleed Campaign Exposes Fortinet Firewall and VPN Credentials at Scale

A large-scale credential abuse campaign dubbed FortiBleed has reportedly affected tens of thousands of Fortinet firewall and VPN devices worldwide. Public reporting indicates that threat…

Read more >

fortibleed

Fortinet FortiSandbox Under Active Attack (CVE-2026-39813 & Others)

Threat actors are actively exploiting multiple critical vulnerabilities affecting Fortinet FortiSandbox. The reported activity involves three unauthenticated vulnerabilities: CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. These flaws are…

Read more >

cve-2026-39813
Under Cyber Attack?

Fill out the form and we will contact you immediately.