https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates-to-vcenters-and-esxi-via-custom-pow.html
Submission: On June 06 via api from IT — Scanned from IT
Ransomware

AGENDA RANSOMWARE PROPAGATES TO VCENTERS AND ESXI VIA CUSTOM POWERSHELL SCRIPT

This blog entry discusses the Agenda ransomware group's use of its latest Rust variant to propagate to VMware vCenter and ESXi servers.

By: Arianne Dela Cruz, Raymart Yambot, Raighen Sanchez, Darrel Tristan Virtusio
March 26, 2024
Read time: 5 min (1406 words)

--------------------------------------------------------------------------------

Since its discovery in 2022, the Agenda ransomware group (also known as Qilin) has remained active and under continuous development. Agenda, which Trend Micro tracks as Water Galura, continues to infect victims globally, with the US, Argentina, Australia, and Thailand among its top targets (based on the threat actor's leak site data). The Agenda ransomware has been used against several industries, including finance and law.

Figure 1. The distribution by country of Agenda's victims (March 2024)

Figure 2.
The distribution by industry of Agenda's victim organizations (March 2024)

Furthermore, based on Trend threat intelligence data, Agenda ransomware detections increased beginning December 2023, in contrast to the number of detections in November, which suggests that its operators are either becoming more active or reaching a greater number of targets.

We recently encountered updated versions of the ransomware, specifically of its Rust variant. Based on what we have observed, the Agenda ransomware group uses Remote Monitoring and Management (RMM) tools, as well as Cobalt Strike, to deploy the ransomware binary. The Agenda ransomware executable itself can also propagate via PsExec and Secure Shell (SSH), and it makes use of different vulnerable SYS drivers for defense evasion.

Figure 3. Agenda ransomware infection chain based on recent observations

EXECUTION

T1059.003 Command and Scripting Interpreter

The most recent version of the Agenda ransomware accepts multiple command-line arguments. The table below compares the arguments we encountered in July 2023 with those of the version we found in February 2024. Arguments with no entry in the 2023 column, along with the renamed propagation flag (-propagate became --spread), are changes from the previous version.
Agenda Rust 2023   Agenda Rust February 2024   Details
-ips               --ips                       Allows for providing IP addresses
-password          --password                  Password to proceed to the landing page
-paths             --paths                     Defines the path that parses directories; if this flag is used and left empty, all directories will be scanned
-propagate         --spread                    Propagate to remote machines via PsExec
-safe              --safe                      Restart in safe mode
-debug             --debug                     Debug mode
-timer             --timer                     Time delay before execution
-exclude           --exclude                   Exclude the specified directory from encryption
-no-proc           --no-proc                   No process termination
-no-services       --no-services               No service termination
-no-domain         --no-domain                 No domain encryption
-no-network        --no-network                No network encryption
                   --no-sandbox                Disable sandbox detection
                   --no-escalate               No privilege escalation
                   --impersonate               Impersonate tokens
                   --no-local                  No local encryption
                   --no-ef                     No extension filter
                   --no-ff                     No file filter
                   --no-df                     No directory filter
                   --no-vm                     No VM termination
                   --kill-cluster              Disables VM clusters
                   --no-extension              No extension appended
                   --no-wallpaper              No wallpaper modification
                   --no-note                   No ransom note dropped
                   --no-delete                 Do not delete directories
                   --no-destruct               No self-deletion
                   --no-zero
                   --print-image               Print ransom note
                   --print-delay               Delay printing for n seconds
                   --force
                   --spread-vcenter            Propagate in vCenter and ESXi
                   --dry-run
                   --escalated                 Escalated privileges
                   --parent-sid                Specify SID
                   --spread-process            Executed to spread and execute the sample

Table 1. Agenda Rust command-line arguments

LATERAL MOVEMENT

T1021.004 Remote Services: SSH

When executed with the --spread-vcenter command-line argument, Agenda uses a custom PowerShell script embedded in the binary to propagate across VMware vCenter and ESXi servers. This can affect the virtual machines and even the whole virtual infrastructure, leading to data and financial loss, as well as the disruption of services running in virtual environments.

Figure 4.
PowerShell script used for propagation

To execute, Agenda requires the operator to enter credentials for the target vCenter or ESXi host and to specify the path of the ESXi binary to propagate. Since this happens in an interactive shell, it suggests that the threat actors themselves input these credentials on the machine at deployment time.

Figure 5. Console for inputting vCenter or ESXi credentials

The PowerShell script is executed in memory as a memory stream within a running PowerShell process, making its execution fileless: the script is never written to disk on the machine.

Figure 6. Writing the PowerShell script in memory

Once loaded, the script first checks whether its dependencies are installed:

Figure 7. Commands for checking required modules

Afterwards, it connects to the host names specified by the attacker and changes the root password on all ESXi hosts. The new password is the one Agenda requires for execution. This effectively locks victims out of the compromised hosts even after encryption is complete.

Figure 8. Changing ESXi host passwords

SSH is then enabled for file transfer.

Figure 9. Enabling SSH in ESXi

Once SSH is enabled, the script creates an SSH session that is used to upload the ESXi binary:

Figure 10. Creating an SSH session

After a successful upload, the payload is executed on the target host, compromising the system.

Figure 11. Uploading and executing the ESXi binary

T1570 Lateral Tool Transfer

Agenda has also changed its propagation command-line argument to --spread, making its purpose more evident.
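The propagation sequence above (root password changed, SSH enabled, SSH session opened, binary uploaded, binary executed) is a fixed order of events on each ESXi host, all driven from one operator session, which makes it a natural correlation rule. The following is an added example written for this entry; it is not Trend Micro's code and not the script embedded in Agenda. It assumes ESXi and vCenter audit records have already been normalized by a SIEM into events with the fields shown; the field names, the action vocabulary and the sample events are constructed for the illustration and do not reproduce any real ESXi or vCenter log format.

```python
"""Correlate the vCenter/ESXi propagation chain on normalized audit events.

Added example; not Trend Micro's code and not Agenda's script. Field names,
the action vocabulary and the sample events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str      # ESXi host the event concerns
    actor: str     # source address of the session that caused the event
    action: str    # normalized action name (assumed vocabulary)
    detail: str = ""


# Steps of the chain in the order the post describes them.
CHAIN = [
    "root_password_changed",
    "ssh_service_started",
    "ssh_login",
    "file_uploaded",
    "process_started",
]
WINDOW = timedelta(minutes=30)


def find_propagation(events, window=WINDOW):
    """Return {host: actor} for each host on which every CHAIN step occurred,
    in order, within `window` of the password change and driven by one actor."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)

    hits = {}
    for host, evs in by_host.items():
        for start in (e for e in evs if e.action == CHAIN[0]):
            actor, cursor, deadline = start.actor, start.ts, start.ts + window
            matched = True
            for step in CHAIN[1:]:
                nxt = next((e for e in evs
                            if e.action == step and e.actor == actor
                            and cursor <= e.ts <= deadline), None)
                if nxt is None:
                    matched = False
                    break
                cursor = nxt.ts
            if matched:
                hits[host] = actor
                break
    return hits


def fan_out(hits):
    """Group hit hosts by actor. One actor completing the chain on several
    hosts is the --spread-vcenter pattern rather than a one-off admin change."""
    grouped = defaultdict(list)
    for host, actor in hits.items():
        grouped[actor].append(host)
    return {actor: sorted(hosts) for actor, hosts in grouped.items()}


# Constructed sample events (not real telemetry). Hosts, addresses and the
# payload path are made up for this illustration.
_T0 = datetime(2024, 2, 14, 3, 0, 0)


def _ev(minutes, host, actor, action, detail=""):
    return Event(_T0 + timedelta(minutes=minutes), host, actor, action, detail)


SAMPLE_EVENTS = [
    # esxi01 and esxi02: the full chain from one operator address
    _ev(0, "esxi01", "10.0.0.5", "root_password_changed"),
    _ev(1, "esxi01", "10.0.0.5", "ssh_service_started", "TSM-SSH"),
    _ev(2, "esxi01", "10.0.0.5", "ssh_login", "root"),
    _ev(3, "esxi01", "10.0.0.5", "file_uploaded", "/tmp/enc"),
    _ev(4, "esxi01", "10.0.0.5", "process_started", "/tmp/enc"),
    _ev(6, "esxi02", "10.0.0.5", "root_password_changed"),
    _ev(7, "esxi02", "10.0.0.5", "ssh_service_started", "TSM-SSH"),
    _ev(8, "esxi02", "10.0.0.5", "ssh_login", "root"),
    _ev(9, "esxi02", "10.0.0.5", "file_uploaded", "/tmp/enc"),
    _ev(10, "esxi02", "10.0.0.5", "process_started", "/tmp/enc"),
    # esxi03: routine root password rotation by an admin, nothing follows
    _ev(0, "esxi03", "10.0.0.9", "root_password_changed"),
    # esxi04: SSH login and a command, but no password change or SSH enablement
    _ev(0, "esxi04", "10.0.0.9", "ssh_login", "root"),
    _ev(1, "esxi04", "10.0.0.9", "process_started", "/bin/esxcli"),
    # esxi05: steps split across two addresses, so no single actor completes it
    _ev(0, "esxi05", "10.0.0.5", "root_password_changed"),
    _ev(1, "esxi05", "10.0.0.7", "ssh_service_started", "TSM-SSH"),
    _ev(2, "esxi05", "10.0.0.7", "ssh_login", "root"),
]

if __name__ == "__main__":
    for actor, hosts in fan_out(find_propagation(SAMPLE_EVENTS)).items():
        print(f"{actor} completed the propagation chain on: {', '.join(hosts)}")
```

Two of the steps carry most of the signal on their own: a root password change followed within minutes by the TSM-SSH service being started is rare in normal operations, so an alert on that pair alone, with the full chain used to raise severity, is a reasonable way to deploy this. The actor check is what separates an operator spreading across the estate from an administrator rotating one password.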
To do this, PsExec is dropped in the following path:

    %User Temp%\{random}.exe

Next, it executes the PsExec file using the following command:

    "cmd" /C %User Temp%\{random}.exe -accepteula \\ -c -f -h -d "{Malware File Path}" --password {Password required} --spread {host name} --spread-process

IMPACT

T1486 Data Encrypted for Impact

Agenda also added a feature to print ransom notes on connected printers. It copies the ransom note to %User Temp%\{Generated file name} and executes the following commands:

    "powershell" -Command "Get-Printer | Format-List Name,DriverName"

The command above enumerates the installed printers and their drivers.

    "powershell" -Command " Timeout /T '0' ; Get-Content -Path '%User Temp%\{Generated file name}' | Out-Printer -Name '{Printer Name}' "

The latter command prints the ransom note on the specified printer.

Figure 12. Printing the ransom note

DEFENSE EVASION

T1480 Execution Guardrails

The latest version of Agenda can now terminate VM clusters (groups of virtual machines or hosts configured to share resources). It does so by executing the following command:

    PowerShell -Command "Stop-Cluster -Force"

Note that Stop-Cluster belongs to the Windows FailoverClusters PowerShell module and stops the cluster service on the nodes of a Windows failover cluster (for example, one hosting Hyper-V virtual machines); ESXi hosts are not managed by this cmdlet.

T1211 Exploitation for Defense Evasion

In our recent encounters with Agenda, we observed malicious actors employing the Bring Your Own Vulnerable Driver (BYOVD) technique to evade detection by security products. BYOVD is not new and has been abused by multiple threat groups, including the Kasseika ransomware (using a signed Martini.sys driver), the Akira ransomware group, and the AvosLocker ransomware group. In the Agenda ransomware's case, we saw that each infection chain appears to leverage a different vulnerable driver to disable different security tools.

Figure 13. A SYS driver used by the Agenda ransomware

Drivers we have observed being leveraged by the Agenda ransomware include YDark, a publicly available tool designed for kernel manipulation, and Spyboy's Terminator tool, which is used to bypass AVs and EDRs (Endpoint Detection and Response).
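The command lines quoted above (the PsExec --spread invocation, the Out-Printer ransom-note commands and Stop-Cluster -Force), together with the flags in Table 1, are what a process-creation log would show on a Windows host, so a triage routine over such records is the natural complement to the ESXi-side correlation. The following is an added example written for this entry; it is neither Trend Micro's code nor the ransomware's. The sample command lines are constructed to mirror the ones quoted in the post: the hostnames, file names, the password, the Temp directory layout and the values filled in for the {random} and {Generated file name} placeholders are assumptions made only so the strings can be parsed.

```python
"""Triage Windows process command lines for the Agenda behaviour in the post.

Added example; not Trend Micro's code and not the ransomware's. The sample
command lines are constructed; hostnames, paths and the password are made up.
"""
import re

# The Table 1 flags most relevant to triage, with the capability the post assigns.
AGENDA_FLAGS = {
    "--spread": "propagate to remote machines via PsExec",
    "--spread-process": "spread and execute the sample",
    "--spread-vcenter": "propagate to vCenter and ESXi",
    "--kill-cluster": "disable VM clusters",
    "--no-vm": "do not terminate VMs",
    "--no-sandbox": "disable sandbox detection",
    "--escalated": "run with escalated privileges",
    "--password": "password required to proceed",
    "--ips": "IP addresses supplied",
    "--paths": "paths to scan",
}

_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments intact."""
    return [tok.strip('"') for tok in _TOKEN.findall(cmdline)]


def agenda_flags(tokens):
    """Return {flag: value or None} for every Table 1 flag in the token list.
    A flag takes the following token as its value unless that token is a flag."""
    found = {}
    for i, tok in enumerate(tokens):
        if tok in AGENDA_FLAGS:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            found[tok] = None if nxt is None or nxt.startswith("-") else nxt
    return found


def triage(cmdline):
    """Return the list of finding names for one process command line."""
    tokens = tokenize(cmdline)
    low = cmdline.lower()
    flags = agenda_flags(tokens)
    findings = []

    # T1570: PsExec (-accepteula -c -f -h -d) run from the user's Temp directory,
    # copying the encryptor and passing Agenda's own --spread/--spread-process flags.
    psexec_like = {"-accepteula", "-c", "-d"} <= set(tokens)
    from_temp = re.search(r"\\temp\\[^\\\s]+\.exe", low) is not None
    if psexec_like and from_temp and ("--spread" in flags or "--spread-process" in flags):
        findings.append("psexec_spread")

    if "--spread-vcenter" in flags:
        findings.append("vcenter_esxi_spread")
    if "--kill-cluster" in flags:
        findings.append("kill_cluster_flag")
    if "--password" in flags:
        findings.append("password_gated_execution")

    # Ransom-note printing: Get-Printer enumeration, then a file from the Temp
    # directory piped into Out-Printer.
    if "powershell" in low and "get-printer" in low and "format-list" in low:
        findings.append("printer_enumeration")
    if ("powershell" in low and "out-printer" in low
            and re.search(r"get-content\s+-path\s+'[^']*\\temp\\", low)):
        findings.append("ransom_note_printing")

    # Cluster shutdown via the FailoverClusters cmdlet.
    if "powershell" in low and "stop-cluster" in low and "-force" in low:
        findings.append("cluster_stop")
    return findings


def triage_all(records):
    """Map each record label to its findings."""
    return {label: triage(cmd) for label, cmd in records.items()}


# Constructed command lines modelled on the post's quoted commands.
SAMPLE_CMDLINES = {
    "psexec_spread": r'"cmd" /C C:\Users\victim\AppData\Local\Temp\kzq93.exe -accepteula \\FS01 -c -f -h -d "C:\Users\Public\enc.exe" --password hunter2 --spread FS01 --spread-process',
    "vcenter_spread": r'"C:\Users\Public\enc.exe" --password hunter2 --spread-vcenter --kill-cluster',
    "printer_enum": r'"powershell" -Command "Get-Printer | Format-List Name,DriverName"',
    "note_print": "\"powershell\" -Command \" Timeout /T '0' ; Get-Content -Path 'C:\\Users\\victim\\AppData\\Local\\Temp\\note.txt' | Out-Printer -Name 'HP-Floor2' \"",
    "cluster_stop": r'PowerShell -Command "Stop-Cluster -Force"',
    # Benign look-alikes that should produce no findings.
    "admin_psexec": r"C:\Tools\PsExec.exe -accepteula \\FS01 -s cmd",
    "admin_print": "powershell -Command \"Get-Content -Path 'C:\\Reports\\q1.txt' | Out-Printer\"",
}

if __name__ == "__main__":
    for label, found in triage_all(SAMPLE_CMDLINES).items():
        print(f"{label:15s} -> {found or 'no findings'}")
```

The benign records show the discriminators that matter: PsExec itself is common administrative tooling, so the rule keys on the copy-and-run flags combined with a Temp-directory binary and Agenda's own --spread flags, and the Out-Printer rule requires the printed file to come from the Temp directory where the post says the note is staged, rather than flagging every print job launched from PowerShell.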
Using different vulnerable drivers for defense evasion highlights how ransomware can adapt, presenting a significant challenge for the defenses trying to stop it.

CONCLUSION AND RECOMMENDATIONS

The Agenda ransomware's ability to spread to virtual machine infrastructure shows that its operators are also expanding to new targets and systems. Organizations should therefore be aware of the group's activities and implement security measures to protect themselves from this kind of ransomware, such as:

* Granting employees administrative rights and access only when necessary.
* Performing periodic scans and ensuring that security products are updated regularly.
* Regularly backing up data as a failsafe measure against data loss.
* Exercising good email and website safety practices: avoid downloading attachments, clicking on URLs, and downloading applications unless certain of the source's legitimacy.
* Conducting regular user education on the dangers of social engineering.

A multilayered approach can help organizations guard possible entry points into their systems (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.

Trend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before ransomware can do any damage.

Trend Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.

Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

With additional analysis from Nathaniel Morales, Maristel Policarpio, CJ Arsley Mateo, and Don Ladores.

Vision One hunting query

The following query can be used for threat hunting within Vision One:

    (fullPath:("C:\Users\Public\enc.exe" OR "C:\Users\Public\pwndll.dll") OR malName:*agenda*) OR (objectFilePath: ("C:\Users\Public\enc.exe" OR "C:\Users\Public\pwndll.dll"))

INDICATORS OF COMPROMISE

The indicators of compromise for this entry can be found here.

Tags: Endpoints | Ransomware | Research | Articles, News, Reports

AUTHORS

* Arianne Dela Cruz, Threats Analyst
* Raymart Yambot, Threats Analyst
* Raighen Sanchez, Threat Response Engineer
* Darrel Tristan Virtusio, Cybersecurity Threat Engineer

RELATED ARTICLES

* Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers
* TargetCompany's Linux Variant Targets ESXi Environments
* SANS's 2024 Threat-Hunting Survey Review