Uncovering Qilin attack methods exposed through multiple cases
The Qilin (formerly Agenda) ransomware group has been active since around July 2022. This group employs a double-extortion strategy, combining file encryption with the public disclosure of stolen information. Figure 1 illustrates the leak site used by the attackers to publish lists of compromised companies.

Over the past several years, Qilin has expanded its operations and now ranks among the most prolific and damaging ransomware threats on a global scale. The group adopts a Ransomware-as-a-Service (RaaS) business model, where it develops and distributes ransomware platforms and associated tools to affiliates. In turn, these affiliates attack organizations worldwide.

Current reporting indicates that the countries most severely affected include the United States, followed by Canada, the United Kingdom, France and Germany.

Figure 3 illustrates the number of victims whose information was posted on the Qilin ransomware leak site.

The data shows that the number of postings reached a peak of 100 cases in June 2025, with a nearly equivalent figure recorded again in August. Although the number of victims fluctuates from month to month, it is noteworthy that, except for January, every month recorded more than 40 cases. These findings indicate that Qilin continues to pose a persistent and significant threat.

The most heavily affected sector is manufacturing, which accounts for approximately 23% of all reported cases, significantly outpacing other industries. The second most impacted sector is professional and scientific services, representing around 18%. Wholesale trade ranks third, with about 10% of cases.

In the mid-range, several key sectors that form part of social infrastructure (healthcare, construction, retail, education and finance) each report similar levels of impact, averaging around 5%.

At the lower end, sectors such as services and primary industries show relatively fewer incidents, remaining below 2% on average.

In 2025, Cisco Talos responded to multiple incidents related to Qilin ransomware. The overall attack
flow is illustrated in Figure 5, and the subsequent sections provide a detailed description of the tactics, techniques and procedures (TTPs) observed in each phase.

Talos was unable to definitively identify a single confirmed initial intrusion vector. However, in some cases we assess with moderate confidence that attackers abused administrative credentials leaked on the dark web to gain VPN access, and may also have used Active Directory Group Policy (GPO) changes that enable RDP to reach victim networks.

In the incident illustrated in Figure 6, Talos confirmed that credentials had been exposed on the dark web. Approximately two weeks later, numerous NTLM authentication attempts were made against the VPN, possibly using the leaked credentials. This resulted in a successful intrusion. From the compromised VPN, the attackers performed RDP connections to the domain controller and the initially breached host. While the activity is temporally correlated with the previously observed credential exposure, there is insufficient evidence to establish a definitive causal link between the two events.

Notably, the VPN implicated in this case had no multi-factor authentication (MFA) configured, which would allow an attacker with valid credentials unfettered access.

After gaining access to the victim's network, the threat actor executed nltest.exe and net.exe to enumerate domain controllers and collect domain user information.

In addition, traces indicate that the adversary attempted to assess user privilege levels through execution of the whoami command, enumerated active processes such as explorer.exe via the tasklist command, and utilized the netscan tool for further reconnaissance.

As described in the Qilin Ransomware section below, execution of the ransomware also resulted in enumeration of hostnames, domain users, groups and privileges.

In the cases Talos examined, we identified a password-protected folder containing a collection of tools apparently intended for credential theft. Although the archive prevented full inspection of every
file, its contents suggest use of Mimikatz, several password recovery utilities published by NirSoft, and custom script files.

The light.bat batch file includes a reg add command that modifies the WDigest registry setting. By setting UseLogonCredential to 1, Windows is configured to retain plaintext logon credentials in memory at authentication, a behavior that can be exploited by credential-dumping tools such as Mimikatz to extract user passwords.

After executing the reg add command, the batch file sequentially invoked netpass.exe, WebBrowserPassView.exe, BypassCredGuard.exe, SharpDecryptPwd and ultimately Mimikatz. Within the script (see Figure 8), SharpDecryptPwd is configured to extract, redirect and persist stored authentication data from multiple client applications, including WinSCP, Navicat, Xmanager, TeamViewer, FileZilla, Foxmail, TortoiseSVN, Google Chrome, RDCMan and SunLogin, thereby consolidating harvested credentials for subsequent use or exfiltration.

Following the execution of SharpDecryptPwd, light.bat launched Mimikatz (Figure 9).

Commands executed via Mimikatz targeted a range of sensitive data and system functions, including clearing Windows event logs, enabling SeDebugPrivilege, extracting saved passwords from Chrome's SQLite database, recovering credentials from previous logons, and harvesting credentials and configuration data related to RDP, SSH and Citrix.

pars.vbs formatted and consolidated the stolen data into a result.txt file, which was subsequently exfiltrated to an attacker-controlled SMTP server (Figure 10). The script specifies the windows-1251 character encoding (Cyrillic), which may suggest the attacker or operator is from Eastern Europe or a Russian-speaking region.

Once collected, WinRAR packaged the targeted data, and in some cases the archives were exfiltrated using open-source software. Below are the actual arguments used to run WinRAR.exe. The WinRAR command is configured to exclude the base folder and to create the archive without recursively processing subdirectories.

Furthermore,
Talos found that the attackers used mspaint.exe, notepad.exe and iexplore.exe to open and inspect files while searching through numerous files for sensitive information.

In recent trends, the open-source software Cyberduck, which enables file transfers to cloud servers, has been widely abused in cases involving Qilin ransomware. By abusing legitimate cloud-based services for exfiltration, the attacker can obfuscate their activities within trusted domains and legitimate web traffic. As shown in Figure 12, the Cyberduck history file indicates that a Backblaze host was specified as the destination and that a custom setting for split (multipart) uploads was enabled to transfer large files.

Using the stolen credentials described above, the threat actor proceeds with privilege escalation and lateral movement. Talos has observed compromised accounts accessing multiple IP addresses and their network shares, as well as numerous NTLM authentication attempts against many VPN accounts, possibly using the leaked credentials. Additionally, to enable remote access, they modify firewall settings, execute commands to change RDP settings via the registry, and perform related activities such as using rdpclip.exe and similar mechanisms.

The following command adds a specific account, designated by the attacker, to the local Administrators group. This grants them full control over the system.

They also run a command to create a network share named c that exposes the entire C: drive and assigns Full Control to the Everyone group, allowing unrestricted access and modification.

The attacker installed software that was different from the legitimately used Remote Monitoring and Management (RMM) tools; this occurred before the ransomware was executed. While Talos cannot definitively conclude that the installed RMM was used for lateral movement, traces of multiple RMM tools were observed, including AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist and ScreenConnect. Figure 13 shows an excerpt of an actual
ScreenConnect connection log, which indicates that ScreenConnect established a connection to the command and control (C2) server on port 8880.

Figure 14 and Figure 15 show two patterns of obfuscated PowerShell code encoded using numeric encoding, intended to evade detection.

Below is the decoded output of the above code.

Executing these commands makes three configuration changes. First, disabling AMSI prevents interference with execution of payloads such as batch files and malware. Second, disabling TLS certificate validation removes barriers to contacting malicious domains or C2 servers. Finally, enabling Restricted Admin causes RDP authentication to rely on NT hashes or Kerberos tickets rather than passwords. Although passwords are not retained, NT hashes remain on the system and can be abused by an attacker to impersonate the user.

Disable EDR

Talos observed traces of attempts to disable EDR using multiple methods. Broadly speaking, we have frequently observed commands that directly execute the EDR's uninstall.exe or attempt to stop services using the sc command. At the same time, attackers have also been observed running open-source tools such as dark-kill and HRSword. The commands below are traces of dark-kill usage. Instead of running in normal user mode, dark.sys is specified as a driver loaded into the Windows kernel, and the service is started under the name dark. The traces also show that, as needed, attackers re-register a driver from a different path and finally remove the service to erase their tracks.

Additionally, to execute HRSword.exe, attackers attempt to run a batch file with administrator privileges by using VBScript via mshta, specifying the runas option in ShellExecute. Because logs show that a shortcut file, HRSword.lnk, was created after 1.bat was executed, it is possible that HRSword.exe is being launched via that .lnk file.

Before Qilin ransomware is executed, Talos has observed cases in which remote access tools such as a Cobalt Strike loader and SystemBC are run. Cobalt Strike was
discovered on the compromised host earlier, but it is not clear whether Cobalt Strike installed SystemBC.

The Cobalt Strike loader Talos examined decrypts the encrypted payload contained in the .bss section of the binary, shown in Figure 16, then deploys and executes the Cobalt Strike Beacon in memory.

The embedded encrypted payload is executed in memory following the flow shown in Figure 17. The CreateThreadpoolWait and SetThreadpoolWait APIs are Windows thread-pool APIs. Unlike the commonly used CreateThread API, which immediately creates a new thread and begins executing code at a specified address, they wait for events or object state changes and then automatically run worker callbacks.

In this code, decrypted_buf is registered as the callback function via the arguments to CreateThreadpoolWait, creating a mechanism that will invoke this callback when the wait object becomes signaled. After that, execute permission is granted with VirtualProtect, and a MessageBoxA (shown in the figure and intended for anti-sandbox purposes) prompts for user interaction. When the user clicks OK, SetThreadpoolWait is called. Because EventA was created with an initial signaled state (bInitialState = 1), the decrypted code already mapped into memory runs immediately.

For decryption, a custom routine based on RC4 is implemented: the first 2048 bytes are fully decrypted, and thereafter decryption is performed in 32-byte units in which only the first 24 bytes are decrypted. The remaining 8 bytes stay encrypted, so this behavior differs from standard RC4.

The Cobalt Strike Beacon deployed in memory is configured, according to its config, as Cobalt Strike version 4.x with Malleable C2 used to spoof HTTP headers. In this configuration, the http-get and http-post headers include "Host: ocsp.verisign.com", effectively separating the visible Host header from the actual destination to make the traffic appear as OCSP or certificate distribution traffic. Communication is set to use HTTPS over TCP port 443 to the Team Server (C2).
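As an added illustration (written for this article, not code from the loader or from Talos), the following Python reimplements the decryption scheme described above so an analyst can recover the embedded Beacon for static analysis. The post does not say whether the keystream advances across the 8 untouched bytes of each unit, so this version assumes it does not; the key and sample buffer are constructed.

```python
FULL_PREFIX = 2048  # bytes at the start that are decrypted without gaps
UNIT = 32           # unit size used after the prefix
KEEP = 24           # bytes per unit that are actually decrypted; the other 8 stay encrypted

def rc4_keystream(key):
    """Standard RC4: key scheduling (KSA) followed by the PRGA, yielding one byte at a time."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def rc4_xor(key, data):
    """Plain RC4 over the whole buffer, kept as a reference point for comparison."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)

def decrypt_variant(key, data):
    """The loader's RC4 variant as the post describes it: the first 2048 bytes are
    XORed with the keystream normally; after that, each 32-byte unit has only its
    first 24 bytes XORed and the trailing 8 bytes are copied through unchanged.
    Assumption (not stated in the post): the keystream is consumed only for the
    bytes that are actually decrypted, so the skipped bytes do not advance it.
    XOR is symmetric, so the same routine also produces the encrypted form."""
    ks = rc4_keystream(key)
    out = bytearray(data)
    prefix = min(FULL_PREFIX, len(out))
    for pos in range(prefix):
        out[pos] ^= next(ks)
    pos = prefix
    while pos < len(out):
        for k in range(pos, min(pos + KEEP, len(out))):
            out[k] ^= next(ks)
        pos += UNIT  # jump over the 8 bytes that remain encrypted
    return bytes(out)

if __name__ == "__main__":
    # Constructed sample: a fake "MZ" header padded well past the 2048-byte prefix.
    key = b"constructed-key"
    sample = b"MZ" + bytes(range(256)) * 9
    blob = decrypt_variant(key, sample)  # "encrypt" with the same routine
    recovered = decrypt_variant(key, blob)
    print("round trip ok:", recovered == sample)
    print("last 8 bytes of the first unit after the prefix untouched:",
          blob[2072:2080] == sample[2072:2080])
```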
In several cases, a variant of Qilin ransomware known as Qilin.B was used.

This section describes its behavior. For more information, please refer to Halcyon's analysis article published in October 2024.

Attackers sometimes run only a single encryptor, but Talos has also observed cases where two encryptors are deployed. In cases where two encryptors are executed, the first, encryptor1.exe, was distributed across the environment using PsExec (see the command below). This command copies the local encryptor1.exe to the remote IP address, elevates it to run with administrative privileges, and then launches it. The other, encryptor2.exe, is executed from a single system and targets multiple network shares.

A PowerShell command is executed to efficiently retrieve the hostnames of all computers from Active Directory (AD).

Another PowerShell command observed is one that installs the Remote Server Administration Tools for AD (the RSAT-AD-PowerShell module). It runs PowerShell cmdlets related to Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). This enables enumeration of domain users, groups and privileges.

Next, the command Get-WinEvent -ListLog is used to enumerate all event logs on the system. Logs that contain records (where RecordCount is not 0) are filtered, and the .NET EventLogSession.GlobalSession.ClearLog method is called to wipe them entirely.

Finally, the PowerShell script targeting hosts in virtualized environments is hardcoded.

As part of its PowerShell operation, it establishes a connection to the vCenter server, enumerates all datacenters and clusters within the vCenter environment, and disables HA and DRS in the cluster configurations (see Figure 21).

It then enumerates all ESXi hosts, changes the root password and enables SSH access. Finally, it uploads an arbitrary binary to the /tmp directory and executes it across all identified hosts. It makes the binary executable with chmod +x, sets User.execInstalledOnly to 0 via the esxiRights command, thereby allowing execution of
unsigned binaries, and then executes the payload on all hosts using the ProcessESXis function.

To broaden the scope of file access and increase the impact when the ransomware is executed, the fsutil command is also run. This command performs operations on symbolic links: R2R means Remote to Remote (a network share to another network share), and R2L means Remote to Local (a network share to local). By executing these two commands and enabling each respectively, attackers can achieve different effects. For example, with R2R a symbolic link on server A can be used to reference files on another server B; with R2L, if a shared symbolic link on server A points to a file on the host, an attacker can access the host's local file through that link. These commands may be executed using PsExec.

The ransomware changes the Volume Shadow Copy Service (VSS) startup type to Manual and deletes all shadow copies (volume snapshots) maintained by VSS.

The ransom note shown in Figure 23 is created in each encrypted folder. The note primarily states that data has been compromised, includes a link to a leak site on a .onion address that requires a Tor connection, and provides a URL specified by IP address that can be accessed without Tor for victims who do not have a Tor environment. It also lists the types of data included and warnings about the consequences of ignoring the demands.

In addition, the Credential section states that a unique company ID is assigned as a file extension for each victim company, and that by using the domain URL shown in the note one can access the site with that unique login ID and password.

The config for Qilin ransomware includes file-encryption settings, service and process stop lists, and a list of entity-specific accounts. There are eight items, four of which are as follows.

We also observed two lists named white_symlink_dirs and white_symlink_subdirs. In the Qilin ransomware sample we analyzed, white_symlink_dirs is empty and the only thing white_symlink_subdirs contains is the entry
ClusterStorage.

ClusterStorage refers to the directory name used by Windows Server Failover Cluster Cluster Shared Volumes (CSV). CSVs commonly host highly critical files for organizations, such as Hyper-V virtual machines (VHDX) and databases. This shows the ransomware is intended to increase impact by targeting not only ordinary user directories but also virtualization and cluster infrastructure directly as hostages. Therefore, files in subdirectories of ClusterStorage are explicitly listed as targets to be encrypted. The fact that white_symlink_dirs is empty is likely intended to avoid following symbolic links that could cause infinite loops or double encryption.

process_blacklist and win_services_blacklist specify processes and services to terminate, including those related to databases, backups, security and remote management. Notably, as shown in Figure 24, this config also had a victim-environment-specific domain, username and password hardcoded. This indicates that the attackers preloaded reconnaissance information into the ransomware to facilitate privilege escalation and related activities.

extension_blacklist
extension_whitelist
filename_blacklist
directory_blacklist
white_symlink_subdirs
process_blacklist
win_services_blacklist
Accounts

When running, it creates a QLOG folder in %TEMP% and multiple ThreadIdNumber.LOG files. They allow the attacker to inspect detailed logs of the encryption process.

The ransomware creates a JPG image under %TEMP% to be used as the wallpaper and modifies the following registry values.

After ransomware execution, the attacker achieves persistence through both task scheduling and registry modification. First, a scheduled task is created with the name TVInstallRestore, configured to run at logon using the /SC ONLOGON argument. To disguise itself as a legitimate tool, the ransomware file is named TeamViewerHostSetup (encryptor2.exe), leveraging the TeamViewer brand, which had been installed as an RMM tool prior to compromise. Second, to ensure the ransomware executes upon every reboot, its executable is added as a value under the Run registry key.
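The command-line activity described across this post (the WDigest change, the local Administrators addition, the whole-drive share, the dark.sys kernel service, the fsutil symlink and shadow-copy operations, and the TVInstallRestore task and Run key) is easy to express as process-creation detection rules. The following Python is an added example, not Talos tooling: the regexes, the DisableRestrictedAdmin value name, and the sample command lines are constructed from the behaviour the text describes, not copied from incident data.

```python
import re

# Detection rules for the command-line tradecraft described in this post.
# Each rule: (name, case-insensitive regex over the process command line).
# Tune these to your environment before deployment; they are illustrative.
RULES = [
    ("wdigest_plaintext_creds",
     r"reg(?:\.exe)?\s+add\s+.*wdigest.*uselogoncredential.*\b1\b"),
    ("restricted_admin_enabled",
     r"reg(?:\.exe)?\s+add\s+.*\\lsa.*disablerestrictedadmin.*\b0\b"),
    ("local_admin_group_add",
     r"net(?:1)?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add"),
    ("whole_drive_share_everyone",
     r"net(?:\.exe)?\s+share\s+\S+=[a-z]:\\?\s+.*/grant:everyone,full"),
    ("symlink_evaluation_remote",
     r"fsutil(?:\.exe)?\s+behavior\s+set\s+symlinkevaluation\s+r2[rl]:1"),
    ("shadow_copy_deletion",
     r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete"),
    ("kernel_driver_service_dark",
     r"sc(?:\.exe)?\s+create\s+dark\s+.*type=\s*kernel"),
    ("onlogon_task_teamviewer_lure",
     r"schtasks(?:\.exe)?\s+/create\b(?=.*/sc\s+onlogon)(?=.*tvinstallrestore)"),
    ("run_key_persistence",
     r"reg(?:\.exe)?\s+add\s+.*\\currentversion\\run\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

def match_rules(cmdline):
    """Return the names of all rules that fire on one command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]

def scan(lines):
    """Map each suspicious command line to its rule names; benign lines are dropped."""
    hits = {}
    for line in lines:
        names = match_rules(line)
        if names:
            hits[line] = names
    return hits

# Constructed process-creation command lines (not taken from the incident data).
SAMPLE_CMDLINES = [
    r'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f',
    r'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f',
    r'net localgroup administrators backupsvc /add',
    r'net share c=C:\ /grant:everyone,full',
    r'fsutil behavior set SymlinkEvaluation R2R:1',
    r'fsutil behavior set SymlinkEvaluation R2L:1',
    r'vssadmin delete shadows /all /quiet',
    r'sc create dark type= kernel binPath= C:\Users\Public\dark.sys',
    r'schtasks /create /tn TVInstallRestore /sc onlogon /tr C:\ProgramData\TeamViewerHostSetup.exe',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v TeamViewerHostSetup /t REG_SZ /d C:\ProgramData\TeamViewerHostSetup.exe /f',
    r'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',  # benign: a query, not an add
    r'net use Z: \\fileserver\share',                                  # benign
]

if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES).items():
        print(f"{', '.join(names):30s} <- {line}")
```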
This combination of scheduled tasks and registry entries allows the ransomware to maintain persistence across system restarts and user logons.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those
authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort SIDs for the threats are 65446.

ClamAV detections are also available for this threat.

The IOCs can also be found in our GitHub repository here.
Cisco Systems, Inc. and/or its affiliates. All rights reserved. View our Privacy Policy.