New Golang Ransomware Agenda Customizes Attacks

Agenda is a ransomware written in Go that targets healthcare and education organizations in Asia and Africa, customizing each payload per victim with a unique company ID and leaked credentials. It can reboot the machine into Safe Mode, terminates server-related processes, and uses affiliate-style payload customization before encrypting data; Go's statically linked libraries make the binary harder to analyze. #Agenda #Qilin

Keypoints

  • Agenda is a 64-bit Windows PE file written in Go and targeted at healthcare and education enterprises in Asia and Africa, with samples customized per victim (including company IDs and leaked accounts).
  • Targeted countries include Indonesia, Saudi Arabia, South Africa, and Thailand.
  • The group behind Agenda (linked to “Qilin”) offers affiliates options to customize binary payloads (e.g., company_id, RSA key) and ransom demands vary from US$50,000 to US$800,000.
  • Observed kill chain starts with a public-facing Citrix server entry using valid/leaked accounts, followed by RDP access, network scanning with Nmap/Nping, and eventual ransomware deployment via Group Policy; infection occurred in less than two days after access.
  • Agenda uses safe-mode boot, terminates numerous processes and services (including antivirus-related ones), creates RunOnce entries, and changes default user passwords to enable automatic login for encryption.
  • Encryption uses AES-256 (files) and RSA-2048 (encryption of the AES key); encrypted files are renamed with the company_id and a ransom note is dropped alongside.

MITRE Techniques

  • [T1133] External Remote Services – ‘The threat actor used a public-facing Citrix server as a point of entry. We believe that the threat actor used a valid account to access this server and later move inside the victim’s network.’
  • [T1021.001] Remote Services: Remote Desktop Protocol – ‘The threat actor used RDP on Active Directory using leaked accounts.’
  • [T1046] Network Service Scanning – ‘dropped scanning tools, Nmap.exe and Nping.exe, for scanning the network.’
  • [T1053] Scheduled Task – ‘the scheduled task was pushed by the group policy domain machine.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – ‘After its initial routine, Agenda proceeds to create the runonce autostart entry *aster pointing to enc.exe, which is a dropped copy of itself under the Public folder: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = %Public%\enc.exe’
  • [T1112] Modify Registry – ‘changing the default user’s password and enables automatic login with the new login credentials’ through Winlogon registry edits (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword); the shadow-copy removal via ‘vssadmin.exe delete shadows /all /quiet’ is covered under T1490 below.
  • [T1490] Inhibit System Recovery – ‘removes shadow volume copies via execution of vssadmin.exe delete shadows /all /quiet’
  • [T1098] Account Manipulation – ‘changes the default user’s password and enables automatic login with the new login credentials.’
  • [T1055.001] Process Injection – ‘Agenda injects pwndll.dll into svchost.exe to allow continuous execution of the ransomware binary.’
  • [T1055] Process Injection – ‘pwndll.dll is a patched DLL from the legitimate DLL WICloader.dll … Agenda injects this DLL into svchost.exe’
  • [T1078] Valid Accounts – ‘used valid and privileged accounts’ to access systems during the kill chain
  • [T1486] Data Encrypted for Impact – ‘uses AES-256 for encrypting files and RSA-2048 for encrypting the generated key’
  • [T1036] Masquerading – not explicitly described in the report; the Go build (statically linked libraries) and per-victim customized payloads are noted as hindering analysis, not as a named masquerading or obfuscation technique.

Indicators of Compromise

  • [File] enc.exe – dropped copy of itself under the Public folder used for encryption and persistence (RunOnce entry references enc.exe)
  • [File] pwndll.dll – a patched DLL used for process injection into svchost.exe (Trojan.Win64.AGENDA.SVT)
  • [File] Nmap.exe, Nping.exe – network scanning tools observed during intrusion
  • [File] {company_id}-RECOVER-README.txt – ransom note dropped in encrypted directories
  • [Registry] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = %Public%\enc.exe – RunOnce autostart entry for enc.exe
  • [Registry] HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemStartOptions – value checked by Agenda to determine whether the system booted in Safe Mode
  • [Registry] AutoAdminLogon = 1; DefaultUserName, DefaultDomainName, DefaultPassword – Winlogon registry entries used to enable automatic login
  • [Credential] DefaultPassword={ Y25VsIgRDr } – embedded login credential used for automatic login
  • [File] ransom note and company_id-based encryption extension – used to mark encrypted files
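The two registry traces described in the MITRE and IoC lists above (the safe-mode RunOnce entry and the Winlogon auto-logon values) can be checked offline against an exported registry hive. The following is an added example, not code from the Trend Micro report: it parses a constructed `.reg` export (the password is a placeholder) and flags both indicators. The Winlogon key path is the standard one, assumed here because the page names only the values.

```python
from typing import Dict, List

# Constructed .reg export (not from the report); key paths and value names are
# the ones the Agenda write-up describes, the password is a placeholder.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*aster"="C:\\Users\\Public\\enc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="Administrator"
"DefaultDomainName"="CORP"
"DefaultPassword"="PLACEHOLDER_PASSWORD"
"""

RUNONCE = r"hkey_local_machine\software\microsoft\windows\currentversion\runonce"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the .reg subset used here: [key] headers and "name"="string" lines.
    Key paths and value names are lower-cased; doubled backslashes are unescaped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"').lower()] = value.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_agenda_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the safe-mode RunOnce entry and Winlogon auto-logon with a stored password."""
    findings: List[str] = []
    for name, value in keys.get(RUNONCE, {}).items():
        # A RunOnce value whose name starts with '*' also runs in Safe Mode, which is
        # why Agenda names its entry '*aster' before rebooting into Safe Mode.
        if name.startswith("*") and value.lower().endswith("enc.exe"):
            findings.append("RunOnce '%s' -> %s: safe-mode persistence" % (name, value))
    winlogon = keys.get(WINLOGON, {})
    if winlogon.get("autoadminlogon") == "1" and winlogon.get("defaultpassword"):
        account = winlogon.get("defaultdomainname", "") + "\\" + winlogon.get("defaultusername", "")
        findings.append("Winlogon auto-logon enabled for %s with DefaultPassword set" % account)
    return findings


if __name__ == "__main__":
    for finding in find_agenda_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live host the same checks apply to `reg export` output of the two keys; a clean system has no `*`-prefixed RunOnce value pointing at `%Public%\enc.exe` and no DefaultPassword alongside AutoAdminLogon=1.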

Read more: https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html