Trend Research reported that the Agenda (Qilin) ransomware group deployed a Linux-based ransomware binary on Windows hosts by abusing legitimate remote management and file-transfer tools (WinSCP and Splashtop), combined with BYOVD techniques and targeted theft of Veeam backup credentials. The campaign used fake Cloudflare R2-hosted CAPTCHA pages, SOCKS proxy backdoors, and driver-based anti-AV tools to evade detection and impact hybrid Windows/Linux environments. #Agenda #Splashtop
Keypoints
- Agenda (aka Qilin) deployed a Linux ransomware binary on Windows systems using WinSCP for transfer and Splashtop Remote (SRManager.exe) for execution, enabling cross-platform impacts.
- Initial access involved fake CAPTCHA pages hosted on Cloudflare R2 that delivered obfuscated JavaScript and secondary payloads, likely resulting in credential theft and MFA bypass.
- Attackers targeted Veeam backup infrastructure, extracting stored credentials from Veeam databases via base64-encoded PowerShell scripts to disable recovery options.
- Defense evasion employed BYOVD techniques: loading vulnerable/legitimate drivers (eskle.sys, rwdrv.sys, hlpdrv.sys, and a driver related to ThrottleStop.sys) and DLL sideloading (msimg32.dll) to terminate security processes and persist.
- Command-and-control used distributed COROXY SOCKS proxy instances (socks64.dll) placed in trusted application directories (Veeam, VMware, Adobe) to obfuscate traffic and ensure redundancy.
- Lateral movement used staged PuTTY SSH clients (renamed executables) to reach Linux hosts, demonstrating hybrid environment targeting.
- The Linux ransomware binary contained extensive command-line options, OS/hypervisor detection (ESXi, Nutanix AHV), and configuration to focus on virtualization paths while excluding critical system directories.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Fake CAPTCHA pages hosted on Cloudflare R2 delivered obfuscated JavaScript that initiated payload downloads (“…fake Google CAPTCHA verification prompt designed to trick users into executing malicious commands…”).
- [T1204.002] User Execution: Malicious File – Users were tricked into executing commands from the fake CAPTCHA pages which led to the delivery and execution of follow-on payloads (“…presented convincing replicas of legitimate Google CAPTCHA verification prompts”).
- [T1110] Brute Force/Credential Access (credential harvesting) – Information stealers harvested authentication tokens, browser cookies, and stored credentials used for access and MFA bypass (“…harvested authentication tokens, browser cookies, and stored credentials…”).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Attackers executed base64-encoded PowerShell scripts to extract and decrypt Veeam backup credentials (“powershell.exe -e [base64-encoded payload]” and “SELECT [user_name], [password] FROM [VeeamBackup].[dbo].[Credentials]”).
- [T1136.001] Create Account: Local Account – A persistent backdoor administrative account named “Supportt” was created and added to Administrators (“net user Supportt ***** /add” and “net localgroup Administrators Supportt /add”).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Legitimate RMM agents (ATERA, ScreenConnect, Splashtop) were installed/used to maintain remote execution and persistence (“…leveraged to deploy AnyDesk version 9.0.5… Splashtop for the final ransomware execution”).
- [T1574.001] DLL Search Order Hijacking / DLL Side-Loading – msimg32.dll was used as a dropper via DLL sideloading alongside legitimate binaries (e.g., FoxitPDFReader.exe) to drop kernel drivers (“…msimg32.dll employs a DLL sideloading technique… placed alongside compatible binaries… which imports msimg32.dll”).
- [T1218] Signed Binary Proxy Execution: rundll32.exe – The SOCKS proxy DLL was loaded into memory using rundll32.exe to run socks64.dll via rundll (“rundll32.exe socks64.dll,rundll”).
- [T1068] Exploitation for Privilege Escalation / BYOVD – Attackers used vulnerable/legitimate drivers (eskle.sys, rwdrv.sys, hlpdrv.sys, fnarw.sys suspected) to disable security products and gain kernel-level capabilities (“…eskle.sys driver was utilized to disable security solutions… and drop rwdrv.sys and hlpdrv.sys”).
- [T1021.004] Remote Services: SSH – Renamed PuTTY executables were deployed to establish SSH connections and move to Linux hosts (“PuTTY SSH client interface, deployed under various filenames (e.g., test.exe, 1.exe…)”).
- [T1041] Exfiltration Over C2 Channel (SOCKS proxy) – COROXY SOCKS proxies placed in trusted application directories provided encrypted tunnels for C2 and exfiltration (“…multiple SOCKS proxy instances… placed across various system directories… each proxy instance functioned as an independent tunnel for encrypted communications”).
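The T1059.001, T1136.001 and T1218 entries above each describe a command line a defender can test for: encoded PowerShell whose decoded body reads the Veeam Credentials table, a "net user … /add" followed by "net localgroup Administrators … /add" for the same account, and rundll32 loading socks64.dll from a ProgramData directory. The script below is an added example, not code from Trend Research or this summary, that runs those three checks over constructed process-creation events; the SQL text mirrors the quoted query and the account name mirrors "Supportt", while host names, the password and the benign look-alike commands are made up.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# --- Constructed sample process-creation telemetry (not from the Trend Research report).
# The SQL text mirrors the query quoted in the T1059.001 entry, the account name matches
# the reported "Supportt" backdoor, and the rundll32 line matches the reported SOCKS
# proxy loader. Host names and the password are made up.
VEEAM_QUERY = "SELECT [user_name], [password] FROM [VeeamBackup].[dbo].[Credentials]"


def ps_encode(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "srv-backup01", "cmdline": "powershell.exe -e " + ps_encode(VEEAM_QUERY)},
    {"host": "ws-finance07", "cmdline": "net user Supportt P@ssw0rd! /add"},
    {"host": "ws-finance07", "cmdline": "net localgroup Administrators Supportt /add"},
    {"host": "srv-backup01", "cmdline": r"rundll32.exe C:\ProgramData\Veeam\socks64.dll,rundll"},
    # Benign look-alikes that must not fire.
    {"host": "ws-dev03", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"host": "ws-dev03", "cmdline": "powershell.exe -e " + ps_encode("Get-Date")},
    {"host": "ws-dev03", "cmdline": "net user"},
]

ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
RUNDLL_CALL = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+\.dll)"?\s*,\s*(\w+)', re.I)
VEEAM_CREDS = re.compile(r"VeeamBackup\W+dbo\W+Credentials", re.I)
SYSTEM_DIRS = ("c:\\windows\\",)


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -e/-EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_veeam_credential_query(cmdline: str) -> Optional[str]:
    """Flag encoded PowerShell whose decoded body reads the Veeam Credentials table."""
    decoded = decode_encoded_powershell(cmdline)
    if decoded and VEEAM_CREDS.search(decoded):
        return "veeam_credential_query"
    return None


def check_rundll32_nonsystem(cmdline: str) -> Optional[str]:
    """Flag rundll32 loading a DLL from outside the Windows directory (e.g. ProgramData)."""
    m = RUNDLL_CALL.search(cmdline)
    if not m:
        return None
    dll_path = m.group(1).lower()
    if dll_path.startswith(SYSTEM_DIRS):
        return None
    return "rundll32_nonsystem_dll"


def find_backdoor_admins(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Correlate 'net user X /add' with a later 'net localgroup Administrators X /add' per host."""
    created = set()
    hits = []
    for ev in events:
        toks = ev["cmdline"].split()
        lowered = [t.lower() for t in toks]
        if len(toks) < 4 or lowered[0] not in ("net", "net.exe", "net1", "net1.exe") or "/add" not in lowered:
            continue
        if lowered[1] == "user":
            created.add((ev["host"], lowered[2]))
        elif lowered[1] == "localgroup" and lowered[2] == "administrators":
            if (ev["host"], lowered[3]) in created:
                hits.append((ev["host"], "local_admin_backdoor", toks[3]))
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run the per-command checks, then the cross-event account correlation."""
    hits = []
    for ev in events:
        for check in (check_veeam_credential_query, check_rundll32_nonsystem):
            label = check(ev["cmdline"])
            if label:
                hits.append((ev["host"], label, ev["cmdline"]))
    hits.extend(find_backdoor_admins(events))
    return hits


if __name__ == "__main__":
    for host, label, detail in scan(SAMPLE_EVENTS):
        print(f"{host:13} {label:24} {detail[:70]}")
```

The decode step matters: matching on the literal string "powershell -e" alone fires on every encoded script, whereas decoding the UTF-16LE base64 and inspecting the body isolates the Veeam table read. The account check is deliberately stateful per host so that a routine "net user" with no "/add", or an admin-group change for an account created elsewhere, does not fire.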
Indicators of Compromise
- [Domain/URL] Fake CAPTCHA hosting – pub-959ff112c2eb41ce8f7b24e38c9b4f94.r2.dev/Google-Captcha-Continue-Latest-J-KL-3.html, pub-2149a070e76f4ccabd67228f754768dc.r2.dev/I-Google-Captcha-Continue-Latest-27-L-1.html
- [IP Address / C2] Secondary payload hosts – 45.221.64.245/mot/, 104.164.55.7/231/means.d
- [File Path / Executable] RMM and transfer tooling observed – C:\Program Files (x86)\Splashtop\Splashtop Remote Server\SRManager.exe, C:\Users\<user>\AppData\Local\Programs\WinSCP\WinSCP.exe
- [File/Driver Names] Anti-AV and malicious drivers – eskle.sys (C:\Users\<user>\Downloads\2stX\eskle.sys), rwdrv.sys and hlpdrv.sys dropped by msimg32.dll in %TEMP% (plus a driver related to ThrottleStop.sys)
- [File Names] SOCKS proxy/backdoor placement – C:\ProgramData\Veeam\socks64.dll, C:\ProgramData\VMware\logs\socks64.dll (and C:\ProgramData\Adobe\socks64.dll)
- [File Names] Lateral movement tools – renamed PuTTY executables: C:\Users\<user>\Desktop\test.exe, 1.exe, 2.exe, 3.exe
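The file-path indicators above mix fixed locations (the socks64.dll copies under ProgramData) with paths whose user-profile segment the summary elides, and driver names (rwdrv.sys, hlpdrv.sys) given only as "in %TEMP%". The matcher below is an added example, not code from the report or this summary: it treats the profile segment as a single-segment wildcard, matches the remaining segments case-insensitively after normalising the path, falls back to filename-only rules for the drivers, and flags msimg32.dll outside its two legitimate system directories as the sideloading-dropper pattern described in the T1574.001 entry. The file-creation events and usernames are constructed.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# File-path IoCs taken from the list above. The summary elides the profile name in
# C:\Users paths, so that segment is written as <user> and matched as a wildcard.
IOC_PATHS: Dict[str, str] = {
    r"C:\Users\<user>\Downloads\2stX\eskle.sys": "eskle.sys anti-AV driver",
    r"C:\ProgramData\Veeam\socks64.dll": "COROXY SOCKS proxy (Veeam dir)",
    r"C:\ProgramData\VMware\logs\socks64.dll": "COROXY SOCKS proxy (VMware dir)",
    r"C:\ProgramData\Adobe\socks64.dll": "COROXY SOCKS proxy (Adobe dir)",
    r"C:\Users\<user>\Desktop\test.exe": "renamed PuTTY",
    r"C:\Users\<user>\Desktop\1.exe": "renamed PuTTY",
    r"C:\Users\<user>\Desktop\2.exe": "renamed PuTTY",
    r"C:\Users\<user>\Desktop\3.exe": "renamed PuTTY",
}
# Filename-only rules for artifacts the list gives without a fixed directory.
IOC_FILENAMES: Dict[str, str] = {
    "rwdrv.sys": "driver dropped by msimg32.dll",
    "hlpdrv.sys": "driver dropped by msimg32.dll",
    "socks64.dll": "COROXY SOCKS proxy (unlisted dir)",
}
# msimg32.dll legitimately lives in these two directories; a copy elsewhere is a sideloading candidate.
MSIMG32_LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed file-creation events (not from the report); hosts and usernames are made up.
SAMPLE_FILE_EVENTS: List[Dict[str, str]] = [
    {"host": "srv-backup01", "path": r"C:\ProgramData\Veeam\socks64.dll"},
    {"host": "ws-finance07", "path": r"C:\Users\jdoe\Downloads\2stX\eskle.sys"},
    {"host": "ws-finance07", "path": r"C:\Users\jdoe\AppData\Local\Temp\RwDrv.sys"},
    {"host": "ws-finance07", "path": r"C:\Users\JDOE\Desktop\test.exe"},
    {"host": "ws-dev03", "path": r"C:\Users\jdoe\Downloads\tools\msimg32.dll"},
    {"host": "ws-dev03", "path": r"C:\Windows\System32\msimg32.dll"},  # legitimate copy
    {"host": "ws-dev03", "path": r"C:\Users\jdoe\Desktop\notes.txt"},
]


def _segments(path: str) -> List[str]:
    """Normalise a Windows path (ntpath works on any OS) and split it into lower-cased segments."""
    return ntpath.normpath(path).lower().split("\\")


def path_matches(pattern: str, path: str) -> bool:
    """Segment-wise, case-insensitive match; <user> matches exactly one segment."""
    pat, got = _segments(pattern), _segments(path)
    return len(pat) == len(got) and all(p == "<user>" or p == g for p, g in zip(pat, got))


def classify_path(path: str) -> Optional[str]:
    """Return an IoC label for the path, or None when nothing in the list applies."""
    for pattern, label in IOC_PATHS.items():
        if path_matches(pattern, path):
            return label
    directory, name = ntpath.split(ntpath.normpath(path))
    name = name.lower()
    if name in IOC_FILENAMES:
        return IOC_FILENAMES[name]
    if name == "msimg32.dll" and directory.lower() not in MSIMG32_LEGIT_DIRS:
        return "msimg32.dll outside system dirs (sideloading dropper candidate)"
    return None


def scan_file_events(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Label every event whose path matches an IoC; returns (host, path, label) tuples."""
    hits = []
    for ev in events:
        label = classify_path(ev["path"])
        if label:
            hits.append((ev["host"], ev["path"], label))
    return hits


if __name__ == "__main__":
    for host, path, label in scan_file_events(SAMPLE_FILE_EVENTS):
        print(f"{host:13} {label:55} {path}")
```

Segment-wise matching rather than substring matching keeps the wildcard honest: "<user>" cannot swallow an extra directory, so a path with a different depth under C:\Users does not match, while case differences (JDOE, RwDrv.sys) still do.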