New Golang Ransomware Agenda Customizes Attacks
Category

A new piece of ransomware written in the Go language has been targeting healthcare and education enterprises in Asia and Africa. This ransomware is called Agenda and is customized per victim.

We recently discovered a new piece of targeted ransomware that was created in the Go programming language and that explicitly targeted one of our customers. This was evidenced by the specific email addresses and credentials the ransomware used. Malware written in the Go language (aka Golang) has become common among threat actors. One possible reason for this uptick in popularity is that Go statically compiles necessary libraries, making security analysis much harder.

Our investigation revealed that the new ransomware in question targeted enterprises in Asia and Africa. Based on dark web posts by a user named “Qilin” (who seems to be connected to the ransomware distributors) and through ransom notes, the ransomware is called “Agenda.” 

Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run. The samples of the ransomware that we collected were customized for each victim, and they included unique company IDs and leaked account details.

Targets

All collected samples were 64-bit Windows PE (Portable Executable) files written in Go, and they were aimed at Windows-based systems. The group distributing the malware was targeting healthcare and education organizations in Indonesia, Saudi Arabia, South Africa, and Thailand. Every ransomware sample was customized for the intended victim. Our investigation showed that the samples had leaked accounts, customer passwords, and unique company IDs used as extensions of encrypted files.

We believe that Qilin (or the Agenda ransomware group) offers affiliates options to customize configurable binary payloads for each victim, including details such as company ID, RSA key, and processes and services to kill before the data encryption. Also, the ransom amount requested is different per company, ranging from US$50,000 to US$800,000.

Figure 1. An example of Qilin’s ransom negotiations

Figure 1. An example of Qilin’s ransom negotiations

Figure 2. An example of ransom amount requested by Qilin

Figure 2. An example of ransom amount requested by Qilin

Similarities with other ransomware

We noticed some similarities between Agenda and the Black Basta, Black Matter, and REvil (aka Sodinokibi) ransomware.

In terms of payment sites and the implementation of user verification on a Tor site,  Agenda is very similar to Black Basta and Black Matter. Meanwhile, Agenda shares with Black Basta and REvil the same functionality of changing Windows passwords and rebooting in safe mode using this command:

C:windowssystem32bcdedit.exe  /set safeboot{current} network

Observed kill chain

Investigating one incident involving this ransomware, we saw that the threat actor behind it used a public-facing Citrix server as a point of entry. We believe that the threat actor used a valid account to access this server and later move inside the victim’s network. This was expected since the actor configured the ransomware with valid and privileged accounts.

The threat actor used RDP on Active Directory using leaked accounts. The actor dropped scanning tools, Nmap.exe and Nping.exe, for scanning the network. Next, the scheduled task was pushed by the group policy domain machine. 

Figure 3. The scheduled task pushed by the group policy

Figure 3. The scheduled task pushed by the group policy

Figure 4. The scheduled task created on the machine

Figure 4. The scheduled task created on the machine

We observed that there was only a short period between accessing the Citrix server and the ransomware infection: less than two days. The threat actor seemed to have scanned the network on the first day, and then a Group Policy Object (GPO) was created and the ransomware was deployed on the machines.

Figure 5. The Agenda ransomware’s kill chain

Figure 5. The Agenda ransomware’s kill chain

Analysis and notable features

The Agenda ransomware is a 64-bit Windows PE file written in Go. Go programs are cross-platform and completely standalone, meaning they will execute properly even without a Go interpreter installed on a system. This is possible since Go statically compiles necessary libraries (packages).

Upon execution, this ransomware accepts various command-line arguments that define the malware flow and functionality, as listed in the table below.

Argument  Description
-alter {int}  Defines the port number for this child process
-encryption {value}  Allows for redefining the embed encryptor config to the customized choice 
-ips {IP Address}  Allows for providing IP addresses 
-min-size {value}  Defines the minimum file size to encrypt (e.g., 1 KB, 1 MB, 1 GB, 666 KB) 
-no-proc  Defines the processes that will not be killed 
-no-services  Defines the services that will not be killed 
-password {string}   Defines the password to enter landing
-path {directory}  Defines the path that parses directories; if this flag is used and left empty, all directories will be scanned
-safe  Boots in safe mode 
-stat  Makes malware print its configuration (processes and services to be killed, encryption, etc.)  

Table 1. Command-line arguments accepted by Agenda

Agenda builds a runtime configuration to define its behavior, including its public RSA key, encryption conditions, list of processes and services to terminate, encryption extension, login credentials, and ransom note. 

Runtime configuration component  Description
public_rsa_pem  RSA public key
directory_black_list  Directories excluded from encryption
file_black_list  File names excluded from encryption
file_pattern_black_list  File name extensions excluded from encryption
process_black_list  Processes to terminate
win_services_black_list  Services to terminate
company_id  Encryption extension
accounts  Login credentials
note  Ransom note

Table 2. The runtime configuration components of Agenda

As part of its initial routine, Agenda determines if the machine is running in safe mode by checking the string safeboot in the data of this registry value: 

HKEY_LOCAL_MACHINESystemCurrentControlSetControl SystemStartOptions 

If it detects that the machine is running in safe mode, it terminates execution. 

The ransomware then removes shadow volume copies via execution of vssadmin.exe delete shadows /all /quiet, as well as terminating specific processes and services indicated in its runtime configuration, some of which are antivirus-related processes and services. 

Processes  Services
a2service.exe  acronis vss provider 
a2start.exe  acronis vss provider 
aawservice.exe  acronisagent 
ashserv.exe  acronisagent 
avengine.exe  acronisagentd
avkwctl.exe  avbackup 
blackd.exe  avbackupd
cfp.exe  ccevtmgr
fsav32.exe   macmnsvc
fsdfwd.exe  macmnsvcd 
fsguiexe.exe   masvc
kpf4gui.exe  masvcd
mcods.exe  mcshield
mcpalmcfg.exe  sentinelagent 
mcproxy.exe  sentinelagentd
mcregwiz.exe  sentinelhelperservice 
mcsacore.exe  sentinelhelperserviced 
mcshield.exe  sentinelstaticengine 
mpfagent.exe  sentinelstaticengined
mpfservice.exe  shmonitor 
msmpeng.exe  shmonitord
msscli.exe  smcinst
nisum.exe  tmccsf 
ntrtscan.exe  tmccsfd
pccpfw.exe  tmlisten 
tmntsrv.exe  tmlistend

Table 3. Some of the antivirus-related processes and services terminated by Agenda

After its initial routine, Agenda proceeds to create the runonce autostart entry *aster pointing to enc.exe, which is a dropped copy of itself under the Public folder:  

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce*aster = %Public%enc.exe

Changing user passwords and rebooting in safe mode

Agenda also deploys a detection evasion technique during encryption: It changes the default user’s password and enables automatic login with the new login credentials. This feature can be enabled using the -safe command-line argument. Similar to REvil, Agenda reboots the victim’s machine in safe mode and then proceeds with the encryption routine upon reboot. 

To begin, Agenda lists all local users found on the device and then checks which one is set as the default user.  

Figure 6. The function used by Agenda to determine the default user from local users

Figure 6. The function used by Agenda to determine the default user from local users

Upon finding the default user, Agenda changes the user’s password to Y25VsIgRDr

Figure 7. The function used by Agenda to change the default user’s password

Figure 7. The function used by Agenda to change the default user’s password

It then proceeds to configure the Winlogon registry entry, setting the data to each of these values: 

SOFTWAREMicrosoftWindows NTCurrentVersionWinlogon 

AutoAdminLogon value =1

DefaultUserName = {username}

DefaultDomainName ={domainname}

DefaultPassword={ Y25VsIgRDr}

Figure 8. The Winlogon registry entry configured by Agenda

Figure 8. The Winlogon registry entry configured by Agenda

Upon changing the default user’s password and enabling automatic login, Agenda reboots the victim’s machine in safe mode via this command: 

C:windowssystem32bcdedit.exe  /set safeboot{current} network

The ransomware also reboots the machine in normal mode after the encryption using this command:

C:WindowsSystem32bcdedit.exe /set safeboot network bcdedit /deletevalue {default} safeboot

Impersonation of legitimate accounts

Another feature of Agenda is its ability to abuse local account credentials to execute the ransomware binary, using the embedded login credentials in its runtime configuration.

Figure 9. Agenda’s embedded local account credentials

Figure 9. Agenda’s embedded local account credentials

Agenda begins the user impersonation by parsing the accounts in the runtime configuration and then separating them into username, domain, and password. It will use this data to attempt logging a user on to the local computer via the API LogonUserW.

Figure 10. The function used by Agenda to parse the accounts field in the runtime configuration

Figure 10. The function used by Agenda to parse the accounts field in the runtime configuration

Figure 11. Agenda performing logon using a parsed account

Figure 11. Agenda performing logon using a parsed account

Agenda then proceeds to generate a random port number, which it will use in the execution of the ransomware binary through the API CreateProcessAsUserW in conjunction with the command-line argument -alter.

Figure 12. Agenda creating a new process with the -alter argument

Figure 12. Agenda creating a new process with the -alter argument

Allowing network sharing

Agenda is also associated with the compromise of an entire network and its shared drivers. It is not only about the encryption of data on one workstation. 

The ransomware adds a registry and then restarts the LanmanWorkstation service. After adding a new registry, it uses key [EnableLinkedConnections = 1] in the Enabling Mapped Drives drivers and then in restarting the LanmanWorkstation service. This will allow Agenda to list network drives in elevated programs like cmd.

Figure 13. Agenda changing the registry value of EnableLinkedConnection to 1

Figure 13. Agenda changing the registry value of EnableLinkedConnection to 1

Figure 14. Agenda restarting the LanmanWorkstation service

Figure 14. Agenda restarting the LanmanWorkstation service

Encryption algorithm

Agenda uses AES-256 for encrypting files and RSA-2048 for encrypting the generated key. To do so, it first generates the key and initialization vector (IV) that it will use for encryption by using the function generateKye, and then uses the API rand_read()

Figure 15. The function used by Agenda to generate a random key

Figure 15. The function used by Agenda to generate a random key

With this randomly generated key, Agenda proceeds to use AES-256 to encrypt target files. Lastly, it encrypts the key using RSA-2048 through the embedded public key from the runtime configuration.  

After successful encryption, Agenda renames the encrypted files by appending the company ID indicated in the runtime configuration. It then drops the ransom note {company_id}-RECOVER-README.txt in each encrypted directory.  

Figure 16. Agenda’s ransom note

Figure 16. Agenda’s ransom note

Process injection

Agenda drops pwndll.dll, detected as Trojan.Win64.AGENDA.SVT, in the Public folder. The file pwndll.dll is a patched DLL from the legitimate DLL WICloader.dll written in C, not Go. Agenda injects this DLL into svchost.exe to allow continuous execution of the ransomware binary.

Figure 17. Agenda injecting pwndll.dll into svchost.exe

Figure 17. Agenda injecting pwndll.dll into svchost.exe

Figure 18. Agenda using pwndll.dll to execute the ransomware sample

Figure 18. Agenda using pwndll.dll to execute the ransomware sample

Conclusion and solutions

Ransomware continues to evolve, developing more sophisticated methods and techniques to trap organizations. Our investigation shows how the new targeted ransomware Agenda is written in the Go language, making it harder to detect and analyze. 

This ransomware has techniques for evading detection by taking advantage of the “safe mode” feature of a device to proceed with its encryption routine unnoticed. The ransomware also takes advantage of local accounts to log on as spoofed users and execute the ransomware binary, further encrypting other machines if the logon attempt is successful. It also terminates numerous processes and services, and ensures persistence by injecting a DLL into svchost.exe. 

End users and organizations alike can mitigate the risk of infection from ransomware like Agenda by following these security best practices:  

  • Enable multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network. 
  • Adhere to the 3-2-1 rule when backing up important files. This involves creating three backup copies on two different file formats, with one of the copies stored in a separate location.  
  • Patch and update systems regularly. It’s important to keep operating systems and applications up to date, preventing malicious actors from exploiting any software vulnerabilities. 

Organizations can also benefit from security solutions that offer multilayered detection and response, such as Trend Micro Vision One™, which has multilayered protection and behavior detection capabilities that help block suspicious behavior and tools before ransomware can do any damage. Trend Micro Apex One™ also provides next-level automated threat detection and response to protect endpoints against advanced issues, like fileless threats and ransomware. 

Additional insights provided by Eleazar Valles and Sherif Magdy.

For more information about the indicators of compromise, download this document. 

MITRE ATT&CK tactics and techniques

Agenda Ransomware Mitre Attack

Source: https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html