TrendMicro

Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques

Analysis of the embedded obfuscated JavaScript within these fake CAPTCHA pages revealed a multistage payload delivery system that initiated downloads from secondary command-and-control servers:

  • 45[.]221[.]64[.]245/mot/
  • 104[.]164[.]55[.]7/231/means.d

We assess that the threat actors likely initiated their attack campaign through a sophisticated social engineering scheme involving these fake CAPTCHA pages. The pages appear to have delivered information stealers to the compromised endpoints, which subsequently harvested authentication tokens, browser cookies, and stored credentials from the infected systems. The presence of valid credentials used throughout the attack chain strongly suggests that these stolen credentials provided the Agenda threat actors with the valid accounts necessary for their initial access into the environment. This assessment is further supported by the attackers’ ability to bypass multifactor authentication (MFA) and move laterally using legitimate user sessions: replaying a stolen session cookie or token reuses a session that has already passed MFA, so no new MFA prompt is triggered. That behavior indicates the attackers possessed harvested credentials and session material rather than relying on traditional exploitation techniques.

Privilege Escalation

The attackers deployed a SOCKS proxy DLL to facilitate remote access and command execution. The DLL was staged on disk under C:\ProgramData\Veeam\ and loaded through the legitimate Windows rundll32.exe binary, invoked by bare file name with the export rundll, so the proxy ran inside a signed Microsoft process rather than as a standalone executable, making detection more difficult.

C:\Windows\System32\cmd.exe
└── C:\Windows\System32\rundll32.exe
    command line:  rundll32.exe socks64.dll,rundll
    loaded module: C:\ProgramData\Veeam\socks64.dll

A backdoor administrative account named “Supportt” was created to ensure persistent elevated access. The name, a near-miss spelling of “Support”, was likely chosen to blend in with legitimate support accounts commonly found in enterprise environments.

  • net user Supportt ***** /add
  • net localgroup Administrators Supportt /add

The legitimate administrator account password was also reset to maintain control and prevent legitimate administrators from regaining access.

  • net user Administrator *****

Discovery

Extensive reconnaissance was conducted to map the network infrastructure. The attackers abused ScreenConnect’s legitimate remote management capabilities to execute discovery commands through temporary command scripts, systematically enumerating domain trusts and identifying privileged accounts while appearing as normal administrative activity:

  • nltest /domain_trusts
  • net group "domain admins" /domain

Network scanning tools were deployed across multiple locations to discover additional systems, services, and potential lateral movement targets. The NetScan utility was executed from both the Desktop and Documents folders to perform comprehensive network enumeration.

  • C:\Users\Administrator.<REDACTED>\Desktop\netscan.exe
  • C:\Users\Administrator.<REDACTED>\Documents\netscan.exe

Remote management tools were strategically installed through legitimate RMM platforms to blend with normal IT operations. ATERA Networks’ agent was leveraged to deploy AnyDesk version 9.0.5, while ScreenConnect provided an additional command execution vector. This dual-RMM approach provided the attackers with redundant remote access capabilities that appeared legitimate to security monitoring systems, allowing them to maintain persistent access even if one tool was discovered and removed.
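The command lines in the Privilege Escalation and Discovery sections above are ordinary administrative tools, so they are best caught by context (where the DLL lives, which binary spawned the command, whether an account creation is followed by a group change) rather than by the tool name. The block below is an added example written for this page, not code from Trend Micro or from the actors' tooling. It runs a handful of such rules over constructed, Sysmon-style process-creation events; host names, working directories, passwords, and the ScreenConnect temporary script path in the sample events are assumptions, while the command lines mirror the ones quoted in the write-up.

```python
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events. Host names, working
# directories, passwords and the ScreenConnect script path are assumptions for
# this example; the command lines mirror the write-up.
EVENTS = [
    {"host": "WS01", "parent_cmd": "cmd.exe", "cwd": r"C:\ProgramData\Veeam",
     "image": r"C:\Windows\System32\rundll32.exe", "cmd": "rundll32.exe socks64.dll,rundll"},
    {"host": "WS01", "parent_cmd": "cmd.exe", "cwd": r"C:\Windows\System32",
     "image": r"C:\Windows\System32\net1.exe",
     "cmd": r"C:\Windows\system32\net1 user Supportt Passw0rd! /add"},
    {"host": "WS01", "parent_cmd": "cmd.exe", "cwd": r"C:\Windows\System32",
     "image": r"C:\Windows\System32\net1.exe",
     "cmd": r"C:\Windows\system32\net1 localgroup Administrators Supportt /add"},
    {"host": "WS01", "parent_cmd": "cmd.exe", "cwd": r"C:\Windows\System32",
     "image": r"C:\Windows\System32\net1.exe",
     "cmd": r"C:\Windows\system32\net1 user Administrator NewPassw0rd!"},
    {"host": "DC01", "cwd": r"C:\Windows\System32",
     "parent_cmd": r'cmd.exe /c "C:\Windows\TEMP\ScreenConnect\25.1.0\abcrun.cmd"',
     "image": r"C:\Windows\System32\nltest.exe", "cmd": "nltest /domain_trusts"},
    {"host": "DC01", "cwd": r"C:\Windows\System32",
     "parent_cmd": r'cmd.exe /c "C:\Windows\TEMP\ScreenConnect\25.1.0\abcrun.cmd"',
     "image": r"C:\Windows\System32\net1.exe",
     "cmd": r'C:\Windows\system32\net1 group "domain admins" /domain'},
    {"host": "WS01", "parent_cmd": "explorer.exe", "cwd": r"C:\Users\Administrator.CORP\Desktop",
     "image": r"C:\Users\Administrator.CORP\Desktop\netscan.exe", "cmd": "netscan.exe"},
    # Benign control: rundll32 invoking a DLL from System32 must not fire.
    {"host": "WS02", "parent_cmd": "svchost.exe", "cwd": r"C:\Windows\System32",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmd):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in TOKEN.findall(cmd)]


def rmm_parent(ev):
    """Name the RMM tool visible in the parent command line (ScreenConnect here), if any."""
    return "ScreenConnect" if "screenconnect" in ev["parent_cmd"].lower() else None


def detect(events):
    """Run the rules over events in order; returns a list of (rule, host, detail) tuples."""
    findings = []
    created = defaultdict(set)   # host -> accounts created with 'net user ... /add'
    for ev in events:
        exe = ntpath.basename(ev["image"]).lower()
        args = tokens(ev["cmd"])[1:]          # drop the program name itself
        low = [a.lower() for a in args]

        # Rule 1: rundll32 loading a DLL from outside the trusted program roots.
        # A bare name such as socks64.dll is resolved from the working directory.
        if exe == "rundll32.exe" and args:
            dll, _, export = args[0].partition(",")
            if not ntpath.isabs(dll):
                dll = ntpath.join(ev["cwd"], dll)
            if not dll.lower().startswith(TRUSTED_ROOTS):
                findings.append(("rundll32_untrusted_dll", ev["host"], f"{dll} export={export or '?'}"))

        # Rules 2-4: net.exe hands the work to net1.exe, so match both binaries.
        elif exe in ("net.exe", "net1.exe") and len(low) >= 2:
            verb, name = low[0], args[1]
            if verb == "user" and "/add" in low:
                created[ev["host"]].add(name.lower())
                findings.append(("net_user_add", ev["host"], name))
            elif verb == "user" and name.lower() == "administrator" and len(low) >= 3 and not low[2].startswith("/"):
                # A positional third argument is a new password; '/active:yes' and similar are not resets.
                findings.append(("builtin_admin_password_reset", ev["host"], name))
            elif verb == "localgroup" and name.lower() == "administrators" and "/add" in low and len(args) >= 3:
                member = args[2]
                rule = "backdoor_admin_account" if member.lower() in created[ev["host"]] else "localgroup_admin_add"
                findings.append((rule, ev["host"], member))
            elif verb == "group" and name.lower() == "domain admins" and "/domain" in low:
                findings.append(("domain_discovery", ev["host"], f"{ev['cmd']} via={rmm_parent(ev)}"))

        # Rule 5: domain trust enumeration.
        elif exe == "nltest.exe" and "/domain_trusts" in low:
            findings.append(("domain_discovery", ev["host"], f"{ev['cmd']} via={rmm_parent(ev)}"))

        # Rule 6: a network scanner executed from a user profile directory.
        elif exe == "netscan.exe" and "\\users\\" in ev["image"].lower():
            findings.append(("netscan_from_user_profile", ev["host"], ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(EVENTS):
        print(f"{host}: {rule}: {detail}")
```

Two design points matter in practice. The rundll32 rule resolves a relative DLL name against the process working directory, because the command line in the write-up (rundll32.exe socks64.dll,rundll) never names C:\ProgramData\Veeam; matching on the command line alone would miss it. The account rule correlates creation and group addition per host so that a lone, legitimate group change is reported at lower severity than the create-then-elevate pair seen here.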

Credential Access

The attackers specifically targeted Veeam backup infrastructure to harvest credentials, recognizing that backup systems often store credentials for accessing multiple systems across the enterprise. PowerShell scripts were executed with base64-encoded payloads to extract and decrypt stored credentials from Veeam databases, via powershell.exe -e [base64-encoded payload]; -e is the short form of -EncodedCommand, which takes the base64 encoding of the script’s UTF-16LE bytes, so the payload must be decoded as UTF-16LE rather than UTF-8 to recover the script.

When decoded, these scripts revealed systematic targeting of multiple Veeam backup databases, each containing credentials for different segments of the infrastructure:

SQL Database Queries:

  • SELECT [user_name], [password] FROM [VeeamBackup].[dbo].[Credentials]
  • Targeted tables: Credentials, BackupRepositories, WinServers

Compromised Account Types:

  • Domain administrator accounts: DOMAIN\admin-***, DOMAIN\da-backup-***
  • Service accounts: svc-sql-***, DOMAIN\veeam-svc-***, svc-exchange-***
  • Local administrators: SERVER01\Administrator, SERVER02\localadmin

Script Details:

  • Decryption key found in script: 0jmz9Hrgy08rc0XrNpQ***[REDACTED]***
  • Affected systems: Domain controllers, Exchange servers, SQL databases, file servers, backup repositories

This approach provided the attackers with a comprehensive set of credentials for remote systems, domain controllers, and critical servers stored within the backup infrastructure.
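The first triage step for the activity described above is to turn the powershell.exe -e argument back into readable script and pull out which database tables it queries. The block below is an added example written for this page, not code from Trend Micro or the actors' script. Because the report redacts the real payload, the block constructs its own stand-in PowerShell script (the connection string, variable names, and the two extra queries are assumptions; the Credentials query is the one quoted above), encodes it exactly as -EncodedCommand expects, and then decodes and inspects the resulting command line.

```python
import base64
import re

# Constructed stand-in for the kind of script described in the write-up: a
# PowerShell snippet that queries the VeeamBackup database. The connection
# string, variable names and the extra queries are assumptions for this example.
SAMPLE_SCRIPT = r'''
$c = New-Object System.Data.SqlClient.SqlConnection
$c.ConnectionString = "Server=localhost;Database=VeeamBackup;Integrated Security=True"
$c.Open()
$q = $c.CreateCommand()
$q.CommandText = "SELECT [user_name], [password] FROM [VeeamBackup].[dbo].[Credentials]"
$r = $q.ExecuteReader(); while ($r.Read()) { "{0}:{1}" -f $r[0], $r[1] }; $r.Close()
$q.CommandText = "SELECT [id], [name] FROM [VeeamBackup].[dbo].[BackupRepositories]"
$q.CommandText = "SELECT * FROM [VeeamBackup].[dbo].[WinServers]"
'''

# -e, -ec, -en, -enc and -EncodedCommand are the prefixes most often seen in logs;
# PowerShell itself accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?<!\S)-e(?:c|nc?|ncodedcommand)?\s+[\"']?([A-Za-z0-9+/]{16,}=*)", re.IGNORECASE)
# FROM clause with a one-, two- or three-part (optionally bracketed) object name.
SQL_FROM = re.compile(r"\bFROM\s+((?:\[?\w+\]?\.){0,2}\[?\w+\]?)", re.IGNORECASE)


def encode_for_powershell(script: str) -> str:
    """Produce the -EncodedCommand argument: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_sample_command_line() -> str:
    """Constructed command line of the shape 'powershell.exe -e <base64>' seen in the report."""
    return "powershell.exe -nop -w hidden -e " + encode_for_powershell(SAMPLE_SCRIPT)


def decode_encoded_command(cmdline: str):
    """Return the decoded script from a -e/-enc/-EncodedCommand argument, or None if absent."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)          # tolerate padding stripped by log pipelines
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_sql_tables(script: str):
    """List the tables named in FROM clauses, in order of first appearance."""
    seen, out = set(), []
    for name in SQL_FROM.findall(script):
        table = name.split(".")[-1].strip("[]")
        if table.lower() not in seen:
            seen.add(table.lower())
            out.append(table)
    return out


def triage_encoded_command(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and summarise Veeam database targeting."""
    script = decode_encoded_command(cmdline)
    tables = extract_sql_tables(script) if script else []
    return {
        "script": script,
        "tables": tables,
        "veeam_db": bool(script) and "veeambackup" in script.lower(),
        "credential_query": any(t.lower() == "credentials" for t in tables),
    }


if __name__ == "__main__":
    result = triage_encoded_command(build_sample_command_line())
    print("Veeam DB referenced:", result["veeam_db"])
    print("Credentials table queried:", result["credential_query"])
    print("Tables:", ", ".join(result["tables"]))
```

The decoder deliberately stops at the SQL layer: the report lists Credentials, BackupRepositories and WinServers as the tables of interest, so a hit on the Credentials table from a non-Veeam process is the signal to escalate, regardless of how the rest of the script is obfuscated. Whatever follows the query in a real script (the decryption routine and the key the report redacts) can only be judged once the script is decoded, which is why the UTF-16LE step comes first.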

Defense Evasion

The attackers deployed sophisticated anti-analysis tools to evade security solutions. Further analysis confirmed that both 2stX.exe and Or2.exe use the eskle.sys driver for their anti-AV capabilities through a bring-your-own-vulnerable-driver (BYOVD) attack, in which a legitimately signed but abusable driver is loaded so that its kernel-mode primitives can be turned against security software:

  • C:\Users\Administrator.<REDACTED>\Downloads\2stX.exe
  • C:\Users\Administrator.<REDACTED>\Downloads\Or2.exe
    • C:\Users\Administrator.<REDACTED>\Downloads\2stX\eskle.sys

The eskle.sys driver was utilized to disable security solutions, terminate processes, and evade detection. Although these files could have been downloaded or copied onto the machine earlier, the origin of the eskle.sys driver is unclear. Its digital signature lists the vendor as “拇指世界(北京)网络科技有限公” (translated: Thumb World (Beijing) Network Technology Co., Ltd.), which appears to be associated with the game.bb site. The driver likely belongs to a game-related package and is commonly used by cheat developers to evade anti-cheat systems; however, it could also be repurposed by advanced persistent threat actors. Because the signature itself is valid, signature verification alone will not flag the driver: it has to be identified by file hash or signer and blocked by policy.
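The practical consequence of the paragraph above is that a BYOVD driver passes signature checks, so detection has to rest on where the driver was loaded from, who signed it, and what happened right after it loaded. The block below is an added example written for this page, not code from Trend Micro, and it does not reproduce the driver's internals. It applies those three checks to constructed, Sysmon-style driver-load and process-terminate events; the host names, timestamps, signer allowlist, and the security product process names are assumptions, the driver path follows the report, and the signer string is the report's own English translation of the vendor name.

```python
import ntpath

# Locations a kernel driver should never be loaded from in a managed environment.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Signers an organisation expects to see on kernel drivers (constructed allowlist).
SIGNER_ALLOWLIST = {"microsoft windows", "example hardware vendor inc."}
# Process names of the security products deployed on the hosts (constructed names).
SECURITY_PROCESSES = {"avservice.exe", "edragent.exe"}

# Constructed events: 'driver_load' mirrors Sysmon event ID 6, 'process_terminate'
# mirrors event ID 5. Timestamps are seconds; hosts and signers are assumptions
# except for the driver path and the translated vendor name from the write-up.
EVENTS = [
    {"t": 100, "host": "WS01", "type": "driver_load",
     "image": r"C:\Users\Administrator.CORP\Downloads\2stX\eskle.sys",
     "signer": "Thumb World (Beijing) Network Technology Co., Ltd."},
    {"t": 104, "host": "WS01", "type": "process_terminate",
     "image": r"C:\Program Files\ExampleAV\avservice.exe"},
    {"t": 105, "host": "WS01", "type": "process_terminate",
     "image": r"C:\Program Files\ExampleEDR\edragent.exe"},
    {"t": 500, "host": "WS01", "type": "driver_load",
     "image": r"C:\Windows\System32\drivers\mouclass.sys", "signer": "Microsoft Windows"},
    {"t": 700, "host": "WS02", "type": "driver_load",
     "image": r"C:\Windows\System32\drivers\vendor.sys", "signer": "Example Hardware Vendor Inc."},
    {"t": 710, "host": "WS02", "type": "process_terminate",
     "image": r"C:\Windows\System32\notepad.exe"},
]


def detect(events, window=300):
    """Apply the BYOVD heuristics to every driver load; returns (rule, host, detail) tuples.

    window: seconds after a driver load within which security-process exits are correlated.
    """
    findings = []
    loads = [e for e in events if e["type"] == "driver_load"]
    kills = [e for e in events if e["type"] == "process_terminate"]
    for d in loads:
        # Check 1: driver image under a user-writable path.
        if d["image"].lower().startswith(USER_WRITABLE):
            findings.append(("driver_from_user_writable_path", d["host"], d["image"]))
        # Check 2: validly signed is not the same as expected; compare the signer to an allowlist.
        if d["signer"].lower() not in SIGNER_ALLOWLIST:
            findings.append(("driver_signer_not_allowlisted", d["host"], d["signer"]))
        # Check 3: security product processes exiting shortly after the load on the same host.
        killed = [ntpath.basename(k["image"]) for k in kills
                  if k["host"] == d["host"] and 0 <= k["t"] - d["t"] <= window
                  and ntpath.basename(k["image"]).lower() in SECURITY_PROCESSES]
        if killed:
            findings.append(("driver_load_then_security_process_exit", d["host"],
                             f"{d['image']} -> {', '.join(killed)}"))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(EVENTS):
        print(f"{host}: {rule}: {detail}")
```

The third check is the one that separates an unusual-but-benign driver from an active BYOVD attack: a driver from a game vendor appearing on a workstation is worth a look, but that driver followed within minutes by the termination of the host's security agents is the pattern the report describes. Prevention sits alongside detection: the hash of a known-abused driver belongs on the blocklist enforced through Windows Defender Application Control, and Microsoft's recommended driver block rules (the vulnerable driver blocklist applied with HVCI) stop many publicly known BYOVD drivers before any of these events are generated.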
