Unveiling Qilin/Agenda Ransomware - A Deep Dive into Modern Cyber Threats

defence

Starting the weekend on a positive note is everyone's goal, but unexpectedly facing ransomware holding your data and servers hostage is far from desirable. Unfortunately, that's exactly the scenario we encountered earlier this year.

Ransomware

SEC Defence, the managed incident response unit of SEC Consult, teamed up with our partners at Perseus Technologies to respond to a recent victim of the Qilin/Agenda ransomware gang.

Agenda ransomware, also known as 'Qilin,' first emerged in July 2022. Written in Golang, Agenda supports multiple encryption modes, all controlled by its operators. The Agenda ransomware actors use double extortion tactics, demanding payment for both a decryptor and the non-release of stolen data. This ransomware primarily targets large enterprises and high-value organizations, focusing particularly on the healthcare and education sectors in Africa and Asia. Victims are often targeted through phishing and spear phishing emails, as well as by exploiting exposed applications and interfaces such as Citrix and remote desktop protocol (RDP).

Despite limited initial visibility, we discovered rare tools used by this attacker group, which has less public information available compared to other ransomware gangs. We aim to share the Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) uncovered during our investigation to aid the community in future cases involving the Qilin/Agenda ransomware group.

 

Qulin Mitre Matrix
Figure 1: MITRE ATT&CK matrix for the investigation

Tactics, Techniques & Procedures (TTPs)

Due to the low visibility in the investigation, the TTPs are likely incomplete. Following we note all clearly identified TTPs and ones that the attacker likely used.

Phishing (T1566)

Due to the defense evasion steps taken by the attacker and the generally sparse data available, the initial access vector in this specific case could not be conclusively identified.

Noticeable however is that the company was successfully attacked with phishing e-mails multiple times six months and twelve months before this case. Those infections lead to malware execution, including AgentTesla and QakBot. Such malware could have been used to steal credentials. A clear connection to the ransomware case could not be established, but it is possible that credentials acquired back then were used to initiate the intrusion into the network.

Valid Accounts (T1078) & Valid Accounts: Domain Accounts (T1078.002)

We saw the attacker use valid credentials extensively. Valid credentials stolen at some point prior to the attack were likely the key to the network. It enabled the attacker to move quietly through the network, execute malware, and eventually exfiltrate data.

At a point in time that could not be identified, the attacker managed to compromise a domain admin account. That account was then almost exclusively used for all attacker actions.

Impair Defenses: Disable or Modify Tools (T1562.001)

The attacker was seen deactivating the Windows Defender Real-Time Protection on a workstation before deploying his tooling. This was not done immediately after connecting to the workstation, but rather after some local reconnaissance using legitimate tools and exploration of accessible data were already done.

With Windows Defender - the only line of endpoint defence - out of the way, the attacker could act without hinderance on the devices. The attacker was observed using PCHunter64.exe and PowerTool64.exe on multiple server systems. Based on official documentation for both tools, they are similar in function as Process Explorer. Though it remained undetermined what the attacker used these tools for, it is probable that the attacker employed them to deactivate security measures on the affected systems.

Indicator Removal: File Deletion (T1070.004)

The attacker appeared to be aware of the traces he left behind. He stored and executed all his tools from the directory C:\PerfLogs, which he ultimately cleared of all its content, effectively removing all executables and their outputs to evade analysis.

Indicator Removal: Clear Windows Event Logs (T1070.001)

Showing awareness of the value of Windows Event Logs in investigating his actions, the attacker promptly deleted all event logs on a system using PowerShell after completing the encryption process with the ransomware. Following command was used:

powershell $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ;
ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}

Network Share Discovery (T1135)

The attacker loaded a modified variant of ShareFinder with PowerShell:

import-module .\ShareFinder.ps1

Invoke-ShareFinder -CheckShareAccess -Verbose

The script was run with a domain admin account, meaning that the script identified all network shares that were accessible using high-privileged domain credentials.

Further Network Discovery

Employing various tools for network discovery, the perpetrator's specific intentions behind their use remained unidentified. These tools encompassed masscan, a portable version of netscan, and Angry IP Scanner.

Remote Services: Remote Desktop Protocol (T1021.001)

The attacker utilized RDP to move laterally through the network.

Application Layer Protocol (T1071)

Utilizing Cobalt Strike for Command and Control (C2) communication, the attacker systematically installed it on all servers within the network, as well as on at least one workstation. No running Cobalt Strike beacon could be captured, so the configuration could not be extracted. A number of C2 addresses were recovered based on network logs.

Remote Access Software (T1663)

The attacker installed the remote monitoring and management software AnyDesk, which was already in use in the network by administrators. But no use of that tool during the attack was identified.

Exfiltration Over Alternative Protocol (T1048)

FileZilla was employed across multiple systems over several days, presumably for data exfiltration purposes. However, the recovered configuration files did not disclose the destination of the transferred data.

Data Encrypted for Impact (T1486)

The attack ended with rollout of the Qilin/Agenda ransomware. The attacker encrypted all physical servers and reachable network shares. This also encrypted the virtual disks of all virtual machines deployed by the company. The ransomware was not spread to the workstations of the network.

The mechanism for spreading the ransomware could not be identified. The attacker possibly used his running Cobalt Strike instances.

Indicators of Compromise (IOCs)

Type Indicator Description
URL hxxp://194.165.16[.]55:80/a Used to download Cobalt Strike
URL security-socks777[.]com Contacted Cobalt Strike Server
URL security-socks[.]expert Contacted Cobalt Strike Server
URL jango-pulse[.]com Contacted Cobalt Strike Server
URL blm-wiki[.]com Contacted Cobalt Strike Server
IP 194.165.16[.]55 IP address recorded for the URLs security-socks777[.]com and security-socks[.]expert
IP 188.114.96[.]3 IP address recorded for the URL blm-wiki[.]com
Folder C:\PerfLogs Preferred folder of the attacker for placing tools and their output
File C:\PerfLogs\update.exe Ransomware binary
File FileZilla_3.66.5_win64-setup.exe Used to install FileZilla for data exfiltration
File FileZilla_3.64.0_win64-setup.exe Used to install FileZilla for data exfiltration
File PCHunter64.exe -
File Powertool64.exe -
File ipscan.exe Angry IP Scanner
File netscan_portable.exe -
File WinPcap_4_1_3.exe Used with masscan
File mimikatz.exe -
File adfind.exe -
File ShareFinder.ps1  
Computer DESKTOP-NTOTKE1 Name of the attacker system leaked through RDP connections

Conclusion

The investigation revealed an attacker who was conscious of the traces left by his actions and implemented additional measures to erase them. Moreover, the attacker employed uncommon tools to accomplish his objectives. Inadequate logging of network traffic impeded the investigation, resulting in uncertainty regarding the attacker’s initial access and the extent of data exfiltration. In general, the techniques identified in this ransomware case align with those observed in other cases supported by SEC Defence.

We thank the incident response team from Perseus Technologies for their support in the investigation.

 

This blogpost has been conducted by Herbert Bärschneider and published on behalf of SEC Defence

About the author

Herbert Bärschneider

Security Consultant

Herbert works as a forensic analyst in the Managed Incident Response team of SEC Consult. In parallel to his operational work, he is finishing a masters program and explores niche operating systems for forensic artifacts. He values giving back to the community by contributing to triage and threat hunting capabilities.