Unveiling Qilin/Agenda Ransomware - A Deep Dive into Modern Cyber Threats

Starting the weekend on a positive note is everyone's goal, but unexpectedly facing ransomware holding your data and servers hostage is far from desirable. Unfortunately, that's exactly the scenario we encountered earlier this year.

SEC Defence, the managed incident response unit of SEC Consult, teamed up with our partners at Perseus Technologies to respond to a recent victim of the Qilin/Agenda ransomware gang.

Agenda ransomware, also known as 'Qilin,' first emerged in July 2022. Written in Golang, Agenda supports multiple encryption modes, all controlled by its operators. The Agenda ransomware actors use double extortion tactics, demanding payment for both a decryptor and the non-release of stolen data. This ransomware primarily targets large enterprises and high-value organizations, focusing particularly on the healthcare and education sectors in Africa and Asia. Victims are often targeted through phishing and spear phishing emails, as well as by exploiting exposed applications and interfaces such as Citrix and remote desktop protocol (RDP).

Despite limited initial visibility, we discovered rare tools used by this attacker group, which has less public information available compared to other ransomware gangs. We aim to share the Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) uncovered during our investigation to aid the community in future cases involving the Qilin/Agenda ransomware group.

Figure 1: MITRE ATT&CK matrix for the investigation

Tactics, Techniques & Procedures (TTPs)

Due to the low visibility in the investigation, the list of TTPs is likely incomplete. Below we note all clearly identified TTPs as well as those the attacker likely used.

Phishing (T1566)

Due to the defense evasion steps taken by the attacker and the generally sparse data available, the initial access vector in this specific case could not be conclusively identified.

Noticeable, however, is that the company was successfully attacked with phishing e-mails multiple times, six months and twelve months before this case. Those infections led to malware execution, including AgentTesla and QakBot. Such malware could have been used to steal credentials. A clear connection to the ransomware case could not be established, but it is possible that credentials acquired back then were used to initiate the intrusion into the network.

Valid Accounts (T1078) & Valid Accounts: Domain Accounts (T1078.002)

We saw the attacker use valid credentials extensively. Valid credentials stolen at some point prior to the attack were likely the key to the network. They enabled the attacker to move quietly through the network, execute malware, and eventually exfiltrate data.

At a point in time that could not be identified, the attacker managed to compromise a domain admin account. That account was then almost exclusively used for all attacker actions.

Impair Defenses: Disable or Modify Tools (T1562.001)

The attacker was seen deactivating the Windows Defender Real-Time Protection on a workstation before deploying his tooling. This was not done immediately after connecting to the workstation, but rather after some local reconnaissance using legitimate tools and exploration of accessible data were already done.

With Windows Defender - the only line of endpoint defence - out of the way, the attacker could act without hindrance on the devices. The attacker was observed using PCHunter64.exe and PowerTool64.exe on multiple server systems. Based on the official documentation for both tools, they are similar in function to Process Explorer. Though it remained undetermined what the attacker used these tools for, it is probable that the attacker employed them to deactivate security measures on the affected systems.

Indicator Removal: File Deletion (T1070.004)

The attacker appeared to be aware of the traces he left behind. He stored and executed all his tools from the directory C:\PerfLogs, which he ultimately cleared of all its content, effectively removing all executables and their outputs to evade analysis.

Indicator Removal: Clear Windows Event Logs (T1070.001)

Showing awareness of the value of Windows Event Logs in investigating his actions, the attacker promptly deleted all event logs on a system using PowerShell after completing the encryption process with the ransomware. The following command was used:

powershell $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ;
ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}
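The three behaviours described above (Defender real-time protection disabled, tools staged in C:\PerfLogs, event logs cleared) are all visible in standard Windows telemetry. The following hunt logic is an added example and not part of the original post: the channel names and event IDs (Defender 5001, Security 1102, System 104, Sysmon 1 / Security 4688, PowerShell 4104) are the standard Windows ones, while the events themselves are constructed sample data.

```python
"""Hunt rules for the attacker behaviours described in this case.

Added example, not part of the original post. Events are modelled as the
fields a SIEM would carry; SAMPLE_EVENTS is constructed, not a real log.
"""
from dataclasses import dataclass

STAGING_DIR = r"c:\perflogs"  # attacker's working directory in this case


@dataclass
class Event:
    channel: str
    event_id: int
    image: str = ""   # process image path (Sysmon 1 / Security 4688)
    script: str = ""  # script block text (PowerShell 4104)


def classify(ev):
    """Return the technique a single event indicates, or None."""
    if ev.channel == "Microsoft-Windows-Windows Defender/Operational" and ev.event_id == 5001:
        return "T1562.001 Defender real-time protection disabled"
    if ev.channel == "Security" and ev.event_id == 1102:
        return "T1070.001 Security log cleared"
    if ev.channel == "System" and ev.event_id == 104:
        return "T1070.001 event log cleared"
    if ev.event_id in (1, 4688) and ev.image.lower().startswith(STAGING_DIR):
        return "T1070.004 tool executed from C:\\PerfLogs"
    if ev.event_id == 4104 and ("invoke-sharefinder" in ev.script.lower()
                                or "clearlog(" in ev.script.lower()):
        return "T1135/T1070.001 suspicious PowerShell script block"
    return None


def hunt(events):
    """Return (technique, event) pairs for every event that matches a rule."""
    return [(classify(ev), ev) for ev in events if classify(ev)]


SAMPLE_EVENTS = [  # constructed sample telemetry
    Event("Security", 4624),
    Event("Microsoft-Windows-Windows Defender/Operational", 5001),
    Event("Microsoft-Windows-Sysmon/Operational", 1, image=r"C:\PerfLogs\PCHunter64.exe"),
    Event("Microsoft-Windows-PowerShell/Operational", 4104,
          script="Invoke-ShareFinder -CheckShareAccess -Verbose"),
    Event("Microsoft-Windows-PowerShell/Operational", 4104,
          script="GlobalSession.ClearLog($l)"),
    Event("Security", 1102),
    Event("Microsoft-Windows-Sysmon/Operational", 1, image=r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for tag, ev in hunt(SAMPLE_EVENTS):
        print(f"{tag:55} <- {ev.channel} {ev.event_id}")
```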

Network Share Discovery (T1135)

The attacker loaded a modified variant of ShareFinder with PowerShell:

import-module .\ShareFinder.ps1

Invoke-ShareFinder -CheckShareAccess -Verbose

The script was run with a domain admin account, meaning that the script identified all network shares that were accessible using high-privileged domain credentials.

Further Network Discovery

The attacker employed various tools for network discovery; the specific intention behind their use remained unidentified. These tools included masscan, a portable version of netscan, and Angry IP Scanner.

Remote Services: Remote Desktop Protocol (T1021.001)

The attacker utilized RDP to move laterally through the network.

Application Layer Protocol (T1071)

Utilizing Cobalt Strike for Command and Control (C2) communication, the attacker systematically installed it on all servers within the network, as well as on at least one workstation. No running Cobalt Strike beacon could be captured, so the configuration could not be extracted. A number of C2 addresses were recovered based on network logs.

Remote Access Software (T1663)

The attacker installed the remote monitoring and management software AnyDesk, which was already in use in the network by administrators. However, no use of that tool during the attack was identified.

Exfiltration Over Alternative Protocol (T1048)

FileZilla was employed across multiple systems over several days, presumably for data exfiltration purposes. However, the recovered configuration files did not disclose the destination of the transferred data.

Data Encrypted for Impact (T1486)

The attack ended with rollout of the Qilin/Agenda ransomware. The attacker encrypted all physical servers and reachable network shares. This also encrypted the virtual disks of all virtual machines deployed by the company. The ransomware was not spread to the workstations of the network.

The mechanism for spreading the ransomware could not be identified. The attacker possibly used his running Cobalt Strike instances.

Indicators of Compromise (IOCs)

| Type | Indicator | Description |
| --- | --- | --- |
| URL | hxxp://194.165.16[.]55:80/a | Used to download Cobalt Strike |
| URL | security-socks777[.]com | Contacted Cobalt Strike server |
| URL | security-socks[.]expert | Contacted Cobalt Strike server |
| URL | jango-pulse[.]com | Contacted Cobalt Strike server |
| URL | blm-wiki[.]com | Contacted Cobalt Strike server |
| IP | 194.165.16[.]55 | IP address recorded for the URLs security-socks777[.]com and security-socks[.]expert |
| IP | 188.114.96[.]3 | IP address recorded for the URL blm-wiki[.]com |
| Folder | C:\PerfLogs | Preferred folder of the attacker for placing tools and their output |
| File | C:\PerfLogs\update.exe | Ransomware binary |
| File | FileZilla_3.66.5_win64-setup.exe | Used to install FileZilla for data exfiltration |
| File | FileZilla_3.64.0_win64-setup.exe | Used to install FileZilla for data exfiltration |
| File | PCHunter64.exe | - |
| File | Powertool64.exe | - |
| File | ipscan.exe | Angry IP Scanner |
| File | netscan_portable.exe | - |
| File | WinPcap_4_1_3.exe | Used with masscan |
| File | mimikatz.exe | - |
| File | adfind.exe | - |
| File | ShareFinder.ps1 | - |
| Computer | DESKTOP-NTOTKE1 | Name of the attacker system leaked through RDP connections |
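The network indicators above are defanged (hxxp, [.]) so they cannot be clicked by accident; before they can be matched against DNS or proxy logs they have to be refanged. The following helper is an added example, not part of the original post; the indicator list is taken from the table above and the log lines are constructed sample data.

```python
"""Refang the defanged network indicators from the IOC table and match
them against log lines.  Added example, not part of the original post;
SAMPLE_LOG is constructed."""
import re

# Network indicators exactly as listed in the IOC table (defanged form).
DEFANGED = [
    "hxxp://194.165.16[.]55:80/a",
    "security-socks777[.]com",
    "security-socks[.]expert",
    "jango-pulse[.]com",
    "blm-wiki[.]com",
    "194.165.16[.]55",
    "188.114.96[.]3",
]


def refang(ioc):
    """Turn 'hxxp://a[.]b' back into 'http://a.b' for matching."""
    ioc = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.I)


def find_matches(lines, iocs=DEFANGED):
    """Return (defanged indicator, line) for every log line that contains
    a refanged indicator; reporting stays defanged on purpose."""
    patterns = [(ioc, re.compile(re.escape(refang(ioc)), re.I)) for ioc in iocs]
    return [(ioc, line) for line in lines for ioc, pat in patterns if pat.search(line)]


SAMPLE_LOG = [  # constructed DNS / proxy log lines
    "2024-03-01T02:14:07Z dns query=security-socks777.com type=A",
    "2024-03-01T02:14:09Z proxy GET http://194.165.16.55:80/a status=200",
    "2024-03-01T02:15:00Z dns query=update.microsoft.com type=A",
]

if __name__ == "__main__":
    for ioc, line in find_matches(SAMPLE_LOG):
        print(f"{ioc:32} <- {line}")
```

The proxy line matches twice, once for the download URL and once for the bare IP, which is the intended behaviour: both indicators are independently worth an alert.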

Conclusion

The investigation revealed an attacker who was conscious of the traces left by his actions and implemented additional measures to erase them. Moreover, the attacker employed uncommon tools to accomplish his objectives. Inadequate logging of network traffic impeded the investigation, resulting in uncertainty regarding the attacker’s initial access and the extent of data exfiltration. In general, the techniques identified in this ransomware case align with those observed in other cases supported by SEC Defence.

We thank the incident response team from Perseus Technologies for their support in the investigation.

This blog post was written by Herbert Bärschneider and published on behalf of SEC Defence.

About the author

Herbert Bärschneider

Associate Security Consultant

Herbert works as a forensic analyst in the Managed Incident Response team of SEC Consult. In parallel to his operational work, he is finishing a master's program and explores niche operating systems for forensic artifacts. He values giving back to the community by contributing to triage and threat hunting capabilities.