New Golang Ransomware Agenda Customizes Attacks
Analysis and notable features
The Agenda ransomware is a 64-bit Windows PE file written in Go. Go programs are cross-platform and completely standalone, meaning they will execute properly even without a Go interpreter installed on a system. This is possible since Go statically compiles necessary libraries (packages).
Upon execution, this ransomware accepts various command-line arguments that define the malware flow and functionality, as listed in the table below.
Argument | Description |
-alter {int} | Defines the port number for this child process |
-encryption {value} | Allows for redefining the embed encryptor config to the customized choice |
-ips {IP Address} | Allows for providing IP addresses |
-min-size {value} | Defines the minimum file size to encrypt (e.g., 1 KB, 1 MB, 1 GB, 666 KB) |
-no-proc | Defines the processes that will not be killed |
-no-services | Defines the services that will not be killed |
-password {string} | Defines the password to enter landing |
-path {directory} | Defines the path that parses directories; if this flag is used and left empty, all directories will be scanned |
-safe | Boots in safe mode |
-stat | Makes malware print its configuration (processes and services to be killed, encryption, etc.) |
Table 1. Command-line arguments accepted by Agenda
Agenda builds a runtime configuration to define its behavior, including its public RSA key, encryption conditions, list of processes and services to terminate, encryption extension, login credentials, and ransom note.
Runtime configuration component | Description |
public_rsa_pem | RSA public key |
directory_black_list | Directories excluded from encryption |
file_black_list | File names excluded from encryption |
file_pattern_black_list | File name extensions excluded from encryption |
process_black_list | Processes to terminate |
win_services_black_list | Services to terminate |
company_id | Encryption extension |
accounts | Login credentials |
note | Ransom note |
Table 2. The runtime configuration components of Agenda
As part of its initial routine, Agenda determines if the machine is running in safe mode by checking the string safeboot in the data of this registry value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control SystemStartOptions
If it detects that the machine is running in safe mode, it terminates execution.
The ransomware then removes shadow volume copies via execution of vssadmin.exe delete shadows /all /quiet, as well as terminating specific processes and services indicated in its runtime configuration, some of which are antivirus-related processes and services.
Processes | Services |
a2service.exe | acronis vss provider |
a2start.exe | acronis vss provider |
aawservice.exe | acronisagent |
ashserv.exe | acronisagent |
avengine.exe | acronisagentd |
avkwctl.exe | avbackup |
blackd.exe | avbackupd |
cfp.exe | ccevtmgr |
fsav32.exe | macmnsvc |
fsdfwd.exe | macmnsvcd |
fsguiexe.exe | masvc |
kpf4gui.exe | masvcd |
mcods.exe | mcshield |
mcpalmcfg.exe | sentinelagent |
mcproxy.exe | sentinelagentd |
mcregwiz.exe | sentinelhelperservice |
mcsacore.exe | sentinelhelperserviced |
mcshield.exe | sentinelstaticengine |
mpfagent.exe | sentinelstaticengined |
mpfservice.exe | shmonitor |
msmpeng.exe | shmonitord |
msscli.exe | smcinst |
nisum.exe | tmccsf |
ntrtscan.exe | tmccsfd |
pccpfw.exe | tmlisten |
tmntsrv.exe | tmlistend |
Table 3. Some of the antivirus-related processes and services terminated by Agenda
After its initial routine, Agenda proceeds to create the runonce autostart entry *aster pointing to enc.exe, which is a dropped copy of itself under the Public folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce*aster = %Public%\enc.exe
Changing user passwords and rebooting in safe mode
Agenda also deploys a detection evasion technique during encryption: It changes the default user’s password and enables automatic login with the new login credentials. This feature can be enabled using the -safe command-line argument. Similar to REvil, Agenda reboots the victim’s machine in safe mode and then proceeds with the encryption routine upon reboot.
To begin, Agenda lists all local users found on the device and then checks which one is set as the default user.
Read More HERE