Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script

Agenda’s Rust ransomware now includes a fileless, in-memory PowerShell module that lets operators propagate to VMware vCenter and ESXi hosts by prompting for target credentials, changing root passwords, enabling SSH, uploading an ESXi binary, and executing it. The strain also spreads via PsExec, accepts many command-line propagation flags (e.g., --spread, --spread-vcenter), and uses vulnerable drivers (BYOVD) like YDark and Spyboy Terminator for defense evasion. #Agenda #ESXi

Keypoints

  • Agenda’s updated Rust variant supports many command-line options including --spread, --spread-vcenter, --spread-process, and --kill-cluster to control propagation and VM-targeting behaviors.
  • When run with --spread-vcenter, the binary extracts and runs a custom PowerShell script in-memory to target vCenter and ESXi, prompting the operator to enter vCenter/ESXi credentials and the ESXi binary path.
  • The embedded script verifies required modules, connects to specified ESXi hosts, changes ESXi root passwords (locking out victims), enables SSH, uploads an ESXi binary, and executes it to compromise hosts.
  • Agenda also spreads via PsExec by dropping a PsExec executable to %User Temp%\{random}.exe and running it to deploy the ransomware remotely using a crafted cmd invocation.
  • For defense evasion, Agenda leverages Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques—observed drivers/tools include YDark and Spyboy’s Terminator—to disable AV/EDR; it can also run commands like Stop-Cluster -Force to terminate VM clusters.
  • The ransomware can print ransom notes to connected printers using PowerShell commands and supports many execution-control flags (e.g., --no-sandbox, --impersonate, --escalated) to adjust behavior during deployment.

MITRE Techniques

  • [T1059.003] Command and Scripting Interpreter (PowerShell) – Agenda embeds and executes a custom PowerShell script in-memory for propagation (‘custom PowerShell script embedded in the binary’ / ‘executed in-memory as a memory stream’)
  • [T1021.004] Remote Services: SSH – The script enables SSH on ESXi hosts and creates SSH sessions to upload and execute the ESXi binary (‘SSH would then be enabled for file transfer.’ / ‘Creating an SSH session.’)
  • [T1570] Lateral Tool Transfer – Agenda drops and uses PsExec to propagate to remote hosts (‘PsExec is dropped in the following path: %User Temp%\{random}.exe’ and executed with a command that includes --spread)
  • [T1566.001] Phishing: Spearphishing Attachment – Reported as an observed initial access vector for this threat group (‘The threat actors use phishing emails with malicious attachments to gain initial access to the target system.’)
  • [T1211] Exploitation for Defense Evasion – The group leverages vulnerable signed drivers and kernel tools (BYOVD) to disable security tools (‘leveraging different vulnerable drivers to disable different security tools.’)
  • [T1480] Execution Guardrails – Agenda can stop VM clusters to influence execution environment (‘PowerShell -Command “Stop-Cluster -Force”’)
  • [T1486] Data Encrypted for Impact – The ransomware encrypts data and includes additional impact actions such as printing ransom notes to connected printers (‘Agenda also added a feature to print ransom notes on connected printers.’)

Indicators of Compromise

  • [File paths / filenames] PsExec drop and payload locations – %User Temp%\{random}.exe (PsExec drop), C:\Users\Public\enc.exe, C:\Users\Public\pwndll.dll (mentioned in Vision One query)
  • [Vulnerable drivers / tools] BYOVD artifacts observed – YDark, Spyboy Terminator (used to disable AV/EDR)
  • [Commands / scripts] PowerShell in-memory execution and commands – embedded PowerShell script, commands like ‘Stop-Cluster -Force’ and PowerShell printing commands used to print ransom notes
  • [IOC list URL] Hosted indicator list – https://documents.trendmicro.com/assets/txt/ioc-agenda-ransomwareJwTLz0J.txt

Agenda’s Rust build accepts numerous propagation and control flags (examples: --spread, --spread-vcenter, --spread-process, --kill-cluster, --impersonate, --no-sandbox). Operators can provide target IPs, paths, and a password via command-line options; when instructed to target vCenter/ESXi (--spread-vcenter), the binary extracts an embedded PowerShell script and executes it directly in the PowerShell process memory (fileless execution).

The in-memory script prompts for vCenter/ESXi credentials and the ESXi binary path, checks for required PowerShell modules, connects to specified ESXi hosts, changes the ESXi root password to the attacker-specified value (locking out administrators), enables SSH for file transfer, creates SSH sessions to upload the provided ESXi binary, and then executes the uploaded payload on the host. As an alternative lateral method, Agenda drops a PsExec executable to %User Temp%\{random}.exe and runs it via a cmd invocation that includes the malware path and propagation flags to execute the ransomware on remote systems.

For defense evasion and increased impact, operators use BYOVD techniques—observed tools include YDark and Spyboy’s Terminator—to disable security products at kernel level, execute cluster-teardown commands like ‘Stop-Cluster -Force’, and perform secondary actions such as printing ransom notes to connected printers using PowerShell (Get-Printer / Out-Printer). These behaviors, combined with interactive credential entry and in-memory script execution, enable direct compromise of VMware management and ESXi infrastructure.
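The Windows-side behaviors summarized above (the propagation flags, PsExec launched from the user temp directory with a cmd invocation that carries --spread, the ‘Stop-Cluster -Force’ PowerShell command, and the Get-Printer / Out-Printer ransom-note printing) are all visible in process-creation telemetry. The following is an added detection example, not code from the original article or from Trend Micro: it classifies parsed process-creation records (image path plus command line, the shape a Sysmon Event ID 1 or Windows 4688 event yields) against those behaviors. The sample records are constructed for illustration; the PsExec argument order and the sample paths are assumptions, and %User Temp% is assumed to resolve to the per-user AppData\Local\Temp folder.

```python
import re

# Flags the article lists for Agenda's Rust build. Matched as whole
# command-line tokens so look-alike options (e.g. --spread-sheet-export)
# do not fire.
AGENDA_FLAGS = {
    "--spread", "--spread-vcenter", "--spread-process", "--kill-cluster",
    "--impersonate", "--no-sandbox", "--escalated",
}

# Constructed sample process-creation records: (image, command_line).
# These are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    ("C:\\Users\\Public\\enc.exe",
     "C:\\Users\\Public\\enc.exe --spread-vcenter --password P@ss"),
    # PsExec dropped to %User Temp%\{random}.exe and invoked with cmd + --spread
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\kx81qz.exe",
     "C:\\Users\\alice\\AppData\\Local\\Temp\\kx81qz.exe \\\\10.0.0.5 "
     "-accepteula -s cmd /c C:\\Users\\Public\\enc.exe --spread"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'PowerShell -Command "Stop-Cluster -Force"'),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell -Command "Get-Printer | ForEach-Object { '
     'Get-Content C:\\Users\\Public\\README.txt | Out-Printer -Name $_.Name }"'),
    # Benign: an admin listing printers, no Out-Printer
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell -Command "Get-Printer"'),
    # Benign look-alike flag that must not match --spread
    ("C:\\Program Files\\Backup\\agent.exe",
     "agent.exe --spread-sheet-export"),
]


def tokens(command_line):
    """Split a command line on whitespace and strip surrounding quotes."""
    return [t.strip("\"'") for t in command_line.split()]


def is_powershell(image):
    return image.lower().rsplit("\\", 1)[-1] in {"powershell.exe", "pwsh.exe"}


def in_user_temp(image):
    # Assumption: %User Temp% is the per-user AppData\Local\Temp directory.
    return re.search(r"\\appdata\\local\\temp\\", image, re.I) is not None


def classify(image, command_line):
    """Return the set of Agenda-related behavior names a record matches."""
    hits = set()
    toks = tokens(command_line)
    lowered = {t.lower() for t in toks}

    # 1. Any of Agenda's propagation / execution-control flags on the line.
    if lowered & AGENDA_FLAGS:
        hits.add("agenda_propagation_flag")

    # 2. Executable running from the user temp folder, invoking cmd with an
    #    Agenda flag: the PsExec-based spread the article describes.
    if (in_user_temp(image) and lowered & {"cmd", "cmd.exe"}
            and "agenda_propagation_flag" in hits):
        hits.add("psexec_from_temp_spread")

    if is_powershell(image):
        # 3. Cluster teardown via 'Stop-Cluster -Force'.
        if re.search(r"stop-cluster\s+-force", command_line, re.I):
            hits.add("cluster_teardown")
        # 4. Enumerating printers and sending content to them in one command:
        #    the ransom-note printing behavior.
        if (re.search(r"get-printer", command_line, re.I)
                and re.search(r"out-printer", command_line, re.I)):
            hits.add("ransom_note_printing")
    return hits


def scan(events):
    """Return (index, sorted behavior names) for every record that matched."""
    results = []
    for i, (image, command_line) in enumerate(events):
        hits = classify(image, command_line)
        if hits:
            results.append((i, sorted(hits)))
    return results


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(names)}")
```

Each rule is deliberately narrow: the flag rule requires an exact token so it does not fire on unrelated options, and the printing rule requires both Get-Printer and Out-Printer so routine printer enumeration by administrators stays quiet. In a production pipeline these would be tuned against the environment's own baseline of PsExec and cluster-management usage.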

Read more: https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates-to-vcenters-and-esxi-via-custom-pow.html