New Golang Ransomware Agenda Customizes Attacks

Analysis and notable features

The Agenda ransomware is a 64-bit Windows PE file written in Go. Go programs are cross-platform and completely standalone, meaning they will execute properly even without a Go interpreter installed on a system. This is possible since Go statically compiles necessary libraries (packages).

Upon execution, this ransomware accepts various command-line arguments that define the malware flow and functionality, as listed in the table below.

Argument  Description
-alter {int}  Defines the port number for this child process
-encryption {value}  Allows for redefining the embed encryptor config to the customized choice 
-ips {IP Address}  Allows for providing IP addresses 
-min-size {value}  Defines the minimum file size to encrypt (e.g., 1 KB, 1 MB, 1 GB, 666 KB) 
-no-proc  Defines the processes that will not be killed 
-no-services  Defines the services that will not be killed 
-password {string}   Defines the password to enter landing
-path {directory}  Defines the path that parses directories; if this flag is used and left empty, all directories will be scanned
-safe  Boots in safe mode 
-stat  Makes malware print its configuration (processes and services to be killed, encryption, etc.)  

Table 1. Command-line arguments accepted by Agenda

Agenda builds a runtime configuration to define its behavior, including its public RSA key, encryption conditions, list of processes and services to terminate, encryption extension, login credentials, and ransom note. 

Runtime configuration component  Description
public_rsa_pem  RSA public key
directory_black_list  Directories excluded from encryption
file_black_list  File names excluded from encryption
file_pattern_black_list  File name extensions excluded from encryption
process_black_list  Processes to terminate
win_services_black_list  Services to terminate
company_id  Encryption extension
accounts  Login credentials
note  Ransom note

Table 2. The runtime configuration components of Agenda

As part of its initial routine, Agenda determines if the machine is running in safe mode by checking the string safeboot in the data of this registry value: 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control SystemStartOptions 

If it detects that the machine is running in safe mode, it terminates execution. 

The ransomware then removes shadow volume copies via execution of vssadmin.exe delete shadows /all /quiet, as well as terminating specific processes and services indicated in its runtime configuration, some of which are antivirus-related processes and services. 

Processes  Services
a2service.exe  acronis vss provider 
a2start.exe  acronis vss provider 
aawservice.exe  acronisagent 
ashserv.exe  acronisagent 
avengine.exe  acronisagentd
avkwctl.exe  avbackup 
blackd.exe  avbackupd
cfp.exe  ccevtmgr
fsav32.exe   macmnsvc
fsdfwd.exe  macmnsvcd 
fsguiexe.exe   masvc
kpf4gui.exe  masvcd
mcods.exe  mcshield
mcpalmcfg.exe  sentinelagent 
mcproxy.exe  sentinelagentd
mcregwiz.exe  sentinelhelperservice 
mcsacore.exe  sentinelhelperserviced 
mcshield.exe  sentinelstaticengine 
mpfagent.exe  sentinelstaticengined
mpfservice.exe  shmonitor 
msmpeng.exe  shmonitord
msscli.exe  smcinst
nisum.exe  tmccsf 
ntrtscan.exe  tmccsfd
pccpfw.exe  tmlisten 
tmntsrv.exe  tmlistend

Table 3. Some of the antivirus-related processes and services terminated by Agenda

After its initial routine, Agenda proceeds to create the runonce autostart entry *aster pointing to enc.exe, which is a dropped copy of itself under the Public folder:  

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce*aster = %Public%\enc.exe

Changing user passwords and rebooting in safe mode

Agenda also deploys a detection evasion technique during encryption: It changes the default user’s password and enables automatic login with the new login credentials. This feature can be enabled using the -safe command-line argument. Similar to REvil, Agenda reboots the victim’s machine in safe mode and then proceeds with the encryption routine upon reboot. 

To begin, Agenda lists all local users found on the device and then checks which one is set as the default user.  

Read More HERE