Pierluigi Paganini
December 19, 2022
Trend Micro researchers have spotted a new variant of the Agenda ransomware (aka Qilin) that is written in Rust Language.
The move follows the decision of other ransomware gangs, like Hive, Blackcat, RansomExx, and Luna, of rewriting their ransomware into Rust. The main reasons to rewrite malware in Rust is to have lower AV detection rates, compared to malware written in most common languages, and to target multiple architectures.
The Qilin ransomware-as-a-service (RaaS) group uses a double-extortion model, with most of the victims in the manufacturing and IT industries. The researchers estimated that combined revenue surpasses US$550 million.
The ransomware was originally written in Go language and was employed in attacks aimed at healthcare and education sectors in countries like Thailand and Indonesia.
“Recently, we found a sample of the Agenda ransomware written in Rust language and detected as Ransom.Win32.AGENDA.THIAFBB.” reads the analysis published by Trend Micro. “The actors customized previous ransomware binaries for the intended victim through the use of confidential information such as leaked accounts and unique company IDs as the appended file extension. The Rust variant has also been seen using intermittent encryption, one of the emerging tactics that threat actors use today for faster encryption and detection evasion.”
Upon executing the malware, the Rust binary prompts an error requiring a password to be passed as an argument. This command-line feature was also implemented in the Golang version of the Agenda ransomware.
Passing the “—password” parameter in conjunction with a dummy password “AgendaPass,” the ransomware starts its malicious activity by terminating various processes and services.
The ransomware uses intermittent encryption to speed up the encryption process by partially encrypting the files depending on the values of certain flags. This tactic also allows for avoiding detections based on the analysis of read/write file operations.
“It also added the -n, -p, fast, skip,and step flags on its configurations, which are not present in the Golang variant configuration and only used via command-line argument. Upon further analysis, we have learned that these flags are used for intermittent encryption.” continues the analysis. “This tactic enables the ransomware to encrypt the victim’s files faster by partially encrypting the files depending on the values of the flags.”
The sample analyzed by the experts adds the extension “MmXReVIxLV” to the filenames of the encrypted files, then drops the ransom note in every directory.
Unlike past variants, the Rust version of the Agenda ransomware is able to terminate the Windows AppInfo process and disable User Account Control (UAC).
Trend Micro reported that Rust variants have an allocated space for adding accounts in their configuration to be used mostly for privilege escalation.
Unlike the previous Golang variant, the threat actors did not include the credentials of the victim in the configuration of the Rust variant to prevent researchers from visiting the ransomware’s chat support site and observing the threat actors’ conversations.
“An emerging ransomware family, Agenda has recently been targeting critical sectors such as healthcare and education industries. At present, its threat actors appear to be migrating their ransomware code to Rust as recent samples still lack some features seen in the original binaries written in the Golang variant of the ransomware.” concludes the report. “Rust language is becoming more popular among threat actors as it is more difficult to analyze and has a lower detection rate by antivirus engines.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
