Agenda is a brand-new targeted malware that Trend Micro researchers have just discovered. Using the Go programming language, Agenda was produced. The ransomware attack was directed against one of the company’s customers. The results of the incident investigation revealed that a public-facing Citrix server was used by the threat actor to access the victim’s network. They most likely made lateral moves inside the victim’s network using a genuine account to gain access to this server.
Attacks utilizing the new ransomware family were directed at businesses in Asia and Africa. The word “Agenda” can be seen in ransom notes and posts on the dark web by a person going by the name of “Qilin,” who is likely associated with the people who distribute ransomware.
Computers infected with the Agenda ransomware may restart in safe mode, and it can block a variety of server-specific services and operations. The researchers found that the samples they looked at were customized for each victim and included unique firm IDs as well as stolen account information.
The samples were 64-bit Windows PE (Portable Executable) files that were aimed at medical and educational facilities in Indonesia, Saudi Arabia, South Africa, and Thailand.
Agenda removes shadow volume copies and creates a runtime configuration to specify its behavior when vssadmin.exe clean shadows /all /quiet is launched. Additionally, it terminates antivirus software and service-related activities and adds an auto-start entry directing to a clone of itself.
Experts found that Agenda modifies the default user’s password in order to prevent detection and stops automatic login using the old login credentials. Agenda uses a technique used by REvil and other ransomware groups to reboot the victim’s PC in safe mode before encrypting files.
The threat actor accessed Active Directory through RDP while utilizing compromised identities, then used Nmap.exe and Nping.exe to scan the network. The planned job was then pushed by the group policy domain computer.
