Agenda Ransomware Uses Rust to Target More Vital Industries

Agenda (Qilin) has introduced a Rust variant of its ransomware, expanding cross‑platform reach beyond the Go version to target manufacturing and IT sectors. The Rust edition shows continued emphasis on targeted extortion, with intermittent encryption, hard-coded configs, and evasive techniques to complicate analysis, while maintaining its leak-site pressure against victims. #Agenda #Qilin

Keypoints

  • RaaS groups including BlackCat, Hive, and RansomExx have been developing ransomware in Rust, with Agenda (Qilin) adopting Rust as well.
  • Agenda’s Rust variant targets multiple industries, expanding beyond the Go version that previously focused on healthcare and education.
  • A sample of the Rust variant is detected as Ransom.Win32.AGENDA.THIAFBB, with Go-era campaigns previously tied to Thailand and Indonesia.
  • The Rust variant uses intermittent encryption through added flags (e.g., fast, skip, n, p) to speed encryption and evade detection.
  • The Rust variant accepts only three command-line arguments (-password, -ips, -paths), down from ten in the Go variant, and carries hard-coded configuration data.
  • As part of its routine the ransomware disables UAC and terminates services such as AppInfo (the Application Information service that UAC elevation relies on), clearing the way for execution with administrative rights.
  • The threat actor publishes stolen victim data on a leak site, and the Rust variant reserves space in its configuration for accounts to be used mostly for privilege escalation.
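The intermittent encryption described in the key points above, worked as an added example that is not code from the report or from the malware. It models partial encryption as "encrypt the first enc_len bytes of every step-byte block", with a SHA-256 counter keystream standing in for whatever cipher the real sample uses (the page does not say), and then shows why a single whole-file entropy score misses a partially encrypted file while a per-chunk score still flags it. The parameter names, SAMPLE_DOC and SAMPLE_KEY are this example's own assumptions, not Agenda's flags or configuration.

```python
"""Intermittent encryption versus a windowed entropy check.

Added example, not Agenda/Qilin code and not from the Trend Micro report.
Assumptions: a SHA-256 counter keystream stands in for the real cipher (not
shown on the page); enc_len/step are this example's own parameters, not the
malware's flags; SAMPLE_DOC and SAMPLE_KEY are constructed inputs.
"""
import hashlib
import math
from collections import Counter

CHUNK = 4096  # detector window size in bytes


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || 64-bit counter), counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_full(data: bytes, key: bytes) -> bytes:
    """Conventional ransomware behaviour: every byte is encrypted."""
    return xor_bytes(data, keystream(key, len(data)))


def encrypt_intermittent(data: bytes, key: bytes, enc_len: int, step: int) -> bytes:
    """Encrypt the first enc_len bytes of every step-byte block, leave the rest.

    Far less I/O and CPU per file than full encryption, yet every block loses
    its head, which is enough to ruin most file formats.  Because the cipher
    is XOR, the same call with the same parameters is also the decryptor.
    """
    if not 0 < enc_len <= step:
        raise ValueError("need 0 < enc_len <= step")
    out = bytearray(data)
    ks = keystream(key, len(data))
    for start in range(0, len(data), step):
        end = min(start + enc_len, len(data))
        out[start:end] = xor_bytes(data[start:end], ks[start:end])
    return bytes(out)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling for uniformly distributed bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def chunk_entropies(buf: bytes, chunk: int = CHUNK) -> list:
    return [shannon_entropy(buf[i:i + chunk]) for i in range(0, len(buf), chunk)]


def looks_encrypted_whole_file(buf: bytes, threshold: float = 7.5) -> bool:
    """Naive check: one entropy score for the whole file.  The plaintext left
    behind by intermittent encryption dilutes the score below the threshold."""
    return shannon_entropy(buf) >= threshold


def looks_encrypted_per_chunk(buf: bytes, threshold: float = 7.5,
                              min_fraction: float = 0.1) -> bool:
    """Windowed check: flag when at least min_fraction of fixed-size chunks are
    high-entropy, so a file whose block heads are ciphertext still trips it."""
    ents = chunk_entropies(buf)
    hot = sum(1 for e in ents if e >= threshold)
    return bool(ents) and hot / len(ents) >= min_fraction


# Constructed sample input: a 64 KiB low-entropy "document" and a demo key.
SAMPLE_DOC = (b"Quarterly report: revenue, headcount and supplier notes.\n" * 2048)[:65536]
SAMPLE_KEY = b"example-key-not-from-any-sample"


def compare_detectors() -> dict:
    """Run both detectors over plaintext, fully and intermittently encrypted data."""
    full = encrypt_full(SAMPLE_DOC, SAMPLE_KEY)
    partial = encrypt_intermittent(SAMPLE_DOC, SAMPLE_KEY, enc_len=4096, step=16384)
    return {
        name: (looks_encrypted_whole_file(buf), looks_encrypted_per_chunk(buf))
        for name, buf in (("plaintext", SAMPLE_DOC), ("full", full), ("intermittent", partial))
    }


if __name__ == "__main__":
    for name, (whole, windowed) in compare_detectors().items():
        print(f"{name:13s} whole-file={whole!s:5s} per-chunk={windowed}")
```

With enc_len=4096 and step=16384 only a quarter of each file is touched, so the whole-file score stays near the plaintext's, yet every fourth 4 KiB window is ciphertext and the windowed check fires. Any canary or backup-integrity monitor that scores whole files should be read with that in mind.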

MITRE Techniques

  • [T1489] Service Stop – The ransomware terminates processes and services during its malicious routine. ‘the ransomware sample runs its malicious routine starting with the termination of various processes and services.’
  • [T1486] Data Encrypted for Impact – Files are only partially (intermittently) encrypted, which speeds up the routine and helps evade detection. ‘These flags are used for intermittent encryption. This tactic enables the ransomware to encrypt the victim’s files faster by partially encrypting the files.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – It disables UAC to hinder protections. ‘It disables User Account Control (UAC), a Windows feature that helps prevent malware from executing with administrative rights.’
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – By disabling UAC, the malware aims to execute with elevated rights. ‘It disables User Account Control (UAC), a Windows feature that helps prevent malware from executing with administrative rights.’
  • [T1083] File and Directory Discovery – The Rust variant uses -paths to define which directories to scan; if left empty, all directories are scanned. ‘Defines the path that parses directories; if this flag is used and left empty, all directories will be scanned.’
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The Rust variant accepts specific command-line arguments including -password, indicating a CLI-driven execution flow. ‘Unlike Agenda’s Golang variant, which accepts 10 arguments, its Rust variant only accepts three arguments:’
  • [T1078] Valid Accounts – The Rust variant has allocated space for adding accounts in its configuration to be used for privilege escalation. ‘The Rust variants have an allocated space for adding accounts in their configuration to be used mostly for privilege escalation.’
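A detection for the two defence-impairment steps listed under T1562.001 and T1548.002 above, as an added example that is not Trend Micro's or the malware's code. It looks for the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System being set to 0 and for the Application Information (AppInfo) service entering the stopped state, and raises the severity when both happen within a few minutes. The event records are constructed for this example in a simplified, already-parsed form modelled on Sysmon Event ID 13 (RegistryEvent: value set) and System Event ID 7036 (service state change); the registry path and the "DWORD (0x........)" rendering are the real formats, while the timestamps, process image and service list beyond AppInfo are assumptions.

```python
"""Detection for the UAC-disable and AppInfo-stop steps described above.

Added example; not Trend Micro's or the malware's code.  Events are constructed
records in a simplified, already-parsed form modelled on Sysmon Event ID 13
(RegistryEvent: value set) and System Event ID 7036 (service state change).
The registry path and the "DWORD (0x........)" rendering are the real formats;
the timestamps and process image are invented.
"""
import re
from datetime import datetime, timedelta

UAC_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
# The report names AppInfo; Event 7036 carries the display name, so match both.
WATCHED_SERVICES = {"appinfo", "application information"}
CORRELATION_WINDOW = timedelta(minutes=5)

SAMPLE_EVENTS = [  # constructed telemetry, not from any incident
    {"ts": "2022-12-01 10:00:01", "id": 13, "image": r"C:\Users\Public\sample.exe",
     "target": UAC_VALUE, "details": "DWORD (0x00000000)"},
    {"ts": "2022-12-01 10:00:03", "id": 7036, "service": "Application Information",
     "state": "stopped"},
    {"ts": "2022-12-01 10:00:05", "id": 7036, "service": "Print Spooler",
     "state": "stopped"},                       # stopped, but not a UAC dependency
    {"ts": "2022-12-01 11:30:00", "id": 13, "image": r"C:\Windows\regedit.exe",
     "target": UAC_VALUE, "details": "DWORD (0x00000001)"},  # UAC re-enabled: benign
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_dword(details: str):
    """Sysmon renders REG_DWORD data as 'DWORD (0x%08X)'; None if not a DWORD."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def detect(events: list) -> list:
    """Return findings; a combined high-severity finding is added when the two
    steps occur within CORRELATION_WINDOW of each other."""
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["id"] == 13 and ev.get("target", "").lower() == UAC_VALUE.lower():
            if parse_dword(ev.get("details", "")) == 0:
                findings.append({"rule": "uac_disabled", "ts": ev["ts"], "severity": "medium",
                                 "detail": f"EnableLUA set to 0 by {ev.get('image')}"})
        elif ev["id"] == 7036 and ev.get("state", "").lower() == "stopped":
            if ev.get("service", "").lower() in WATCHED_SERVICES:
                findings.append({"rule": "uac_service_stopped", "ts": ev["ts"],
                                 "severity": "medium",
                                 "detail": f"{ev['service']} entered the stopped state"})
    uac = [f for f in findings if f["rule"] == "uac_disabled"]
    svc = [f for f in findings if f["rule"] == "uac_service_stopped"]
    for u in uac:
        for s in svc:
            if abs(parse_ts(u["ts"]) - parse_ts(s["ts"])) <= CORRELATION_WINDOW:
                findings.append({"rule": "uac_disable_with_service_stop", "ts": u["ts"],
                                 "severity": "high",
                                 "detail": f"{u['detail']}; {s['detail']}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']:6s}] {f['ts']} {f['rule']}: {f['detail']}")
```

EnableLUA=0 on its own is a weak signal, since Group Policy and some deployment tooling write the same value; the writing process image and the near-simultaneous stop of the service UAC depends on are what make the combined finding worth paging on. Note also that a reboot is needed for EnableLUA to take full effect, so stopping AppInfo is the step that removes the elevation prompt immediately.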

Indicators of Compromise

  • [SHA256] Detection – e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527, 55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1, and 1 more item

Read more: https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html