Recently observed Trigona ransomware attacks are using a custom, command-line tool to steal data from compromised environments faster and more efficiently.
The utility was emplayed in attacks in March that were attributed to a gang affiliate, likely in an effort to avoid publicly available tools, such as Rclone and MegaSync, that typically trigger security solutions.
Researchers at cybersecurity company Symantec believe that the shift to a custom tool may indicate that the attacker is “investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks.”
In a report today, the researchers say that the tool is named “uploader_client.exe” and connects to a hardcoded server address. Its performance and evasion capabilities include:
- Support for five simultaneous connections per file for faster data exfiltration via parallel uploads.
- Rotation of TCP connections after 2GB of traffic to evade monitoring.
- Option for selective file type exfiltration, excluding large, low-value media files.
- Use of an authentication key to restrict access to stolen data by outsiders.
In one incident, the exfiltration tool was used to steal high-value documents such as invoices and PDFs on network drives.
Trigona ransomware was launched in October 2022 as a double-extortion operation that demanded its victims to pay ransoms in the Monero cryptocurrency.
Although Ukrainian cyber activists disrupted the Trigona operation in October 2023, hacking its servers and stealing internal data such as source code and database records, Symantec’s report suggests that the threat actors resumed operations.
According to Symantec’s observations of recent Trigona attacks, threat actor installs the Huorong Network Security Suite tool HRSword as a kernel driver service.
This phase is followed by deploying additional tools that can disable security-related products (e.g., PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd).
“Many of these leveraged vulnerable kernel drivers to terminate endpoint protection processes,” Symantec says.
Some of the utilities were executed with PowerRun, a product that can launch apps, executables, and scripts with elevated privileges, thus bypassing user-mode protections.
AnyDesk was used for direct remote access on the breached systems, while Mimikatz and Nirsoft utilities were executed for credential theft and password recovery operations.
Symantec has listed indicators of compromise (IoCs) associated with the latest Trigona activity at the bottom of its report to help with the timely detection and blocking of these attacks.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
