The Agenda ransomware group uses a new highly obfuscated .NET loader named NETXLOADER alongside SmokeLoader malware to stealthily deploy ransomware and steal data. These threats target multiple sectors globally with advanced evasion and injection techniques. (Affected: healthcare, technology, financial services, telecommunications)
Key points:
- Agenda ransomware group evolved to use Rust language with advanced evasion and remote execution capabilities.
- NETXLOADER is a new .NET-based loader, heavily obfuscated with .NET Reactor 6, delivering Agenda ransomware and SmokeLoader.
- NETXLOADER uses dynamic API resolution, AES decryption, Gzip decompression, and in-memory payload execution to evade detection.
- Malicious payloads are hosted on dynamically generated, low-reputation domains mimicking benign blog names.
- SmokeLoader performs sandbox, debugger, and virtualization evasion techniques, including opaque predicates and anti-debugging checks.
- SmokeLoader injects payloads into explorer.exe via shared memory sections and creates threads to execute malicious code.
- SmokeLoader terminates processes and windows associated with common analysis and debugging tools to hinder investigation.
- C2 communication uses encrypted RC4 POST requests over HTTP, with fallback tactics to avoid blocking.
- NETXLOADER renames dropped executables into generic filenames (e.g., rh111.exe) to avoid suspicion and detection.
- Organizations are advised to implement layered security, access controls, regular updates, backups, user training, and monitoring to mitigate threats.
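The behaviors listed above (DNS queries to blog-themed domains on low-reputation TLDs, dropped executables renamed to generic names such as rh111.exe, and remote threads created in explorer.exe) translate directly into host-telemetry detections. The following is an added illustration, not code from the report or from the Agenda/SmokeLoader samples: it parses a handful of constructed, Sysmon-style event lines and applies three heuristic rules. The event format, the field names, the regular expressions and the `SUSPECT_TLDS` set are all assumptions chosen for the example and should be adapted to your own telemetry schema.

```python
import re

# Assumption: .cfd is the only low-reputation TLD the report names; extend
# this set with TLDs seen in your own DNS telemetry.
SUSPECT_TLDS = {"cfd"}
# Blog-themed label ending in digits, e.g. bloglake7 or mxblog77 (heuristic).
BLOG_LABEL = re.compile(r"^[a-z]*blog[a-z]*\d+$")
# Two or three letters followed by three digits, e.g. rh111.exe, ldx111.exe.
GENERIC_EXE = re.compile(r"^[a-z]{2,3}\d{3}\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^c:\\users\\", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.IGNORECASE)

# Constructed sample telemetry (not from the report): "<type> key=value ...".
SAMPLE_EVENTS = [
    r"dns image=C:\Users\u\AppData\Local\Temp\update.exe query=bloglake7.cfd",
    r"dns image=C:\Program Files\Mozilla Firefox\firefox.exe query=www.example.org",
    r"filecreate image=C:\Users\u\AppData\Local\Temp\update.exe target=C:\Users\u\AppData\Local\Temp\rh111.exe",
    r"createremotethread source=C:\Users\u\AppData\Local\Temp\ldx111.exe target=C:\Windows\explorer.exe",
    r"createremotethread source=C:\Windows\System32\csrss.exe target=C:\Windows\explorer.exe",
    r"dns image=C:\Users\u\AppData\Local\Temp\update.exe query=mxblog77.cfd",
]


def parse_event(line):
    """Split '<type> k=v k=v' into a dict; values may contain spaces."""
    kind, _, rest = line.partition(" ")
    fields = {k: v for k, v in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", rest)}
    fields["type"] = kind
    return fields


def rule_blog_domain(ev):
    """DNS query for a blog-themed label on a low-reputation TLD."""
    if ev["type"] != "dns":
        return None
    label, _, tld = ev.get("query", "").rpartition(".")
    if tld in SUSPECT_TLDS and BLOG_LABEL.match(label):
        return "payload-host-domain"
    return None


def rule_generic_drop(ev):
    """Executable with a generic numeric name created under a user profile."""
    if ev["type"] != "filecreate":
        return None
    path = ev.get("target", "")
    name = path.rsplit("\\", 1)[-1]
    if USER_WRITABLE.match(path) and GENERIC_EXE.match(name):
        return "generic-renamed-dropper"
    return None


def rule_explorer_injection(ev):
    """Remote thread created in explorer.exe by a binary outside C:\\Windows."""
    if ev["type"] != "createremotethread":
        return None
    target = ev.get("target", "").lower()
    if target.endswith("\\explorer.exe") and not WINDOWS_DIR.match(ev.get("source", "")):
        return "remote-thread-into-explorer"
    return None


RULES = (rule_blog_domain, rule_generic_drop, rule_explorer_injection)


def detect(lines):
    """Return (rule_tag, raw_line) pairs for every event that trips a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            tag = rule(ev)
            if tag:
                alerts.append((tag, line))
    return alerts


if __name__ == "__main__":
    for tag, line in detect(SAMPLE_EVENTS):
        print(f"[{tag}] {line}")
```

Each rule is deliberately narrow; the value comes from correlating them on the same host within a short window (a DNS hit followed by a generic-name drop and a thread in explorer.exe), which is far rarer in benign activity than any one signal alone.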
MITRE Techniques:
- Obfuscated Files or Information (T1027) – Utilizes control flow obfuscation and opaque predicates to evade static analysis.
- Obfuscated Files or Information: Dynamic API Resolution (T1027.007) – Resolves Windows API calls dynamically by hashing export names.
- Execution Guardrails (T1480) – Checks the OS version and system locale (does not run on Russian-language systems) to avoid sandbox environments.
- Debugger Evasion (T1622) – Checks BeingDebugged flag and process debug port to avoid analysis.
- Access Token Manipulation: Create Process with Token (T1134.002) – Relaunches with appropriate integrity level using Wmic.
- Virtualization/Sandbox Evasion: System Checks (T1622) – Detects sandbox DLLs, virtualization artifacts, registry keys, and processes.
- Process Injection (T1055) – Injects payload into explorer.exe using shared memory sections and remote thread creation.
- Process Discovery (T1057) – Monitors system processes and terminates known forensic/debugging tools.
- Application Window Discovery (T1057) – Enumerates and closes windows associated with analysis applications.
- Application Layer Protocol: Web Protocol (T1071.001) – Uses HTTP POST for C2 communication with encrypted payloads.
- Encrypted Channel: Symmetric Cryptography (T1573.001) – Uses RC4 encryption for C2 payload transport.
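Because the C2 channel is RC4 over plain HTTP POST (T1071.001, T1573.001), an analyst who recovers the key from a sample can decode captured request bodies offline. The block below is an added example, not code from the report: it implements RC4 from the standard description, builds a constructed POST body under a constructed key, and shows the plausibility check an analyst applies to decide whether a candidate key was correct. The key, the beacon field names and the `looks_plausible` heuristic are all assumptions for the example; nothing here reflects the actual SmokeLoader key or message layout.

```python
import string


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: identical function encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA) XORed with the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed key and beacon (assumptions for the example only).
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_PLAINTEXT = b"id=BEACON-0001&os=Windows 10&cmd=poll"
# What a proxy or PCAP would show as the HTTP POST body.
SAMPLE_POST_BODY = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)

PRINTABLE = set(string.printable.encode("ascii"))


def looks_plausible(data: bytes) -> bool:
    """Heuristic: a correct key yields printable ASCII; a wrong one yields noise."""
    return len(data) > 0 and all(b in PRINTABLE for b in data)


def decode_beacon(body: bytes, key: bytes):
    """Decrypt a captured POST body and parse 'k=v&k=v' fields.

    Returns None when the decryption does not look like text, which is
    the signal that the candidate key is wrong.
    """
    plain = rc4(key, body)
    if not looks_plausible(plain):
        return None
    return dict(part.split("=", 1) for part in plain.decode("ascii").split("&") if "=" in part)


if __name__ == "__main__":
    print("captured body:", SAMPLE_POST_BODY.hex())
    print("decoded:", decode_beacon(SAMPLE_POST_BODY, SAMPLE_KEY))
    print("wrong key:", decode_beacon(SAMPLE_POST_BODY, b"wrong-key"))
```

RC4 is a stream cipher with no authentication and, here, no per-message nonce, so one recovered key decodes every request and response of that sample; a network signature can therefore target the fixed POST structure (URI, header set, body length profile) rather than the ciphertext bytes, which vary with the key.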
Indicators of Compromise:
- The article includes indicators such as dynamically generated malicious domain names (e.g., bloglake7.cfd, mxblog77.cfd) used for payload hosting.
- File name patterns like rh111.exe and ldx111.exe are used post-deployment to disguise payload identities.
- Enumerated Windows API delegates and hashes of terminated process names provide behavioral IOCs.
- Encrypted C2 URLs and HTTP POST request structures indicate communication patterns with command and control servers.
- Examples: C2 domain mxblog77[.]cfd used to download Agenda ransomware; SmokeLoader process termination targets include Autoruns.exe and Wireshark.exe identified by hashed names.
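Both the dynamic API resolution (T1027.007) and the process-termination list rely on the same trick: the binary stores only hashes, so the analyst rebuilds a lookup table by hashing candidate names with the sample's own algorithm and matching the stored values. The following is an added example, not code from the report: it demonstrates the table-building technique with 32-bit FNV-1a, which is an assumed placeholder algorithm, since the report summary above does not state which hash SmokeLoader uses; in practice the hash routine is lifted from the binary and substituted for `fnv1a32`. Lower-casing before hashing and the candidate tool list are likewise assumptions.

```python
# Placeholder hash (assumption): swap in the routine recovered from the sample.
def fnv1a32(name: str) -> int:
    h = 0x811C9DC5
    for b in name.lower().encode("ascii"):  # case folding is an assumption
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


# Candidate names: the two the report names plus common analysis tools
# (the extra entries are assumptions, not indicators from the report).
KNOWN_TOOLS = [
    "Autoruns.exe", "Wireshark.exe", "procexp.exe", "procmon.exe",
    "x64dbg.exe", "ollydbg.exe", "idaq.exe", "tcpview.exe",
]


def build_table(names, hash_fn=fnv1a32):
    """Map hash value -> original name for every candidate."""
    return {hash_fn(n): n for n in names}


def resolve_names(observed_hashes, names=KNOWN_TOOLS, hash_fn=fnv1a32):
    """Return (hash, name_or_None) for each hash pulled out of the binary."""
    table = build_table(names, hash_fn)
    return [(h, table.get(h)) for h in observed_hashes]


if __name__ == "__main__":
    # Constructed "observed" values, as if extracted from the sample's table.
    observed = [fnv1a32("autoruns.exe"), fnv1a32("wireshark.exe"), 0x12345678]
    for h, name in resolve_names(observed):
        print(f"{h:08x} -> {name or '<unknown>'}")
```

The same `build_table` call applied to the export names of kernel32.dll and ntdll.dll (obtained from a clean copy of each DLL) turns the hashed API references into readable call names, which is how the dynamically resolved imports in the loader are recovered during analysis.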