New Golang Ransomware Agenda Customizes Attacks

The Agenda ransomware is a 64-bit Windows PE file written in Go. Go programs are cross-platform and completely standalone, meaning they will execute properly even without a Go interpreter installed on a system.
This is possible since Go statically compiles necessary libraries (packages).

Upon execution, this ransomware accepts various command-line arguments that define the malware flow and functionality.
Agenda builds a runtime configuration to define its behavior, including its public RSA key, encryption conditions, list of processes and services to terminate, encryption extension, login credentials, and ransom note.
As part of its initial routine, Agenda determines if the machine is running in safe mode by checking the string safeboot in the data of this registry value:

HKEY_LOCAL_MACHINESystemCurrentControlSetControl SystemStartOptions

If it detects that the machine is running in safe mode, it terminates execution.

The ransomware then removes shadow volume copies via execution of vssadmin.exe delete shadows /all /quiet, as well as terminating specific processes and services indicated in its runtime configuration, some of which are antivirus-related processes and services.

After its initial routine, Agenda proceeds to create the runonce autostart entry *aster pointing to enc.exe, which is a dropped copy of itself under the Public folder:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce*aster = %Public%enc.exe

Agenda also deploys a detection evasion technique during encryption: It changes the default user’s password and enables automatic login with the new login credentials. This feature can be enabled using the -safe command-line argument. Similar to REvil, Agenda reboots the victim’s machine in safe mode and then proceeds with the encryption routine upon reboot.

Agenda is also associated with the compromise of an entire network and its shared drivers. It is not only about the encryption of data on one workstation.

The ransomware adds a registry and then restarts the LanmanWorkstation service. After adding a new registry, it uses key [EnableLinkedConnections = 1] in the Enabling Mapped Drives drivers and then in restarting the LanmanWorkstation service. This will allow Agenda to list network drives in elevated programs like cmd.

Sign Up For Threat Alerts

Loading...
Threats Icon

Sep 21, 2022

Magic Rat

Cisco Talos has discovered a new remote access trojan (RAT), which analysts are calling "MagicRAT,"...

Threats Icon

Sep 21, 2022

Malicious Word Document with a Frameset

Xavier Mertens spotted a malicious Word OOXML document (with the new ".docx" format) that is...

Threats Icon

Sep 18, 2022

US Cert Alert – Iranian Islamic Revolutionary...

The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple...

Threats Icon

Sep 15, 2022

Opsec Mistakes Reveal COBALT MIRAGE Threat Actors

In this incident, COBALT MIRAGE exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). It is...

Threats Icon

Sep 14, 2022

Dead or Alive – An Emotet Story

The DFIR Report observed a domain-wide compromise that started from a malware ridden Excel document...

Threats Icon

Sep 13, 2022

Dead or Alive? An Emotet Story

The DFIR Report observed a domain-wide compromise that started from a malware ridden Excel document...

Threats Icon

Sep 12, 2022

Shikitega – New stealthy malware targeting Linux

AT&T Alien Labs has discovered a new malware targeting endpoints and IoT devices that are...

Threats Icon

Sep 08, 2022

APT42: Crooked Charms, Cons and Compromises

Mandiant assesses with high confidence that APT42 is an Iranian state-sponsored cyber espionage group tasked...

Threats Icon

Sep 07, 2022

US Cert Alert – Vice Society

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the...

Threats Icon

Sep 07, 2022

Worok – The big picture

ESET researchers recently found targeted attacks that used undocumented tools against various high-profile companies and...

Threats Icon

Sep 07, 2022

MuddyWater Targets Israel With Log4j Vulnerabilities In...

In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team...

Threats Icon

Sep 05, 2022

No Honor Among Thieves – Prynt Stealer’s...

Stealing information is fundamental to cybercriminals today to scope and gain access to systems, profile...

Threats Icon

Sep 05, 2022

Grandoreiro Banking Trojan with New TTPs Targeting...

Recently Zscaler ThreatLabz observed a Grandoreiro campaign targeting organizations in the Spanish-speaking nations of Mexico...

Threats Icon

Sep 01, 2022

A Tale of PivNoxy and Chinoxy Puppeteer

An attack against a telecommunications agency in South Asia began with a simple email that...

Threats Icon

Aug 31, 2022

ModernLoader delivers multiple stealers cryptominers and RATs

Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering...