
Trigona ransomware uses a custom exfiltration tool to steal data

In a recent attack, the Trigona ransomware operation used a custom command-line tool to exfiltrate data from its victims faster and more efficiently.

The gang deployed this tool in an attack in March, possibly to avoid publicly available tools such as Rclone and MegaSync, which often trigger security solutions.

Researchers at cybersecurity firm Symantec believe that the switch to a custom tool may indicate that the attacker is “investing time and energy into the malware in an effort to maintain a low profile during the critical phase of their attack.”


In today's report, the researchers say the tool is named "uploader_client.exe" and connects to a hard-coded server address. Its functionality and evasion capabilities include:

  • Support for five simultaneous connections per file, so data is exfiltrated quickly through parallel uploads.
  • Rotating TCP connections after 2GB of traffic to evade monitoring.
  • Selective exfiltration by file type, excluding large, low-value media files.
  • Use of authentication keys to prevent outsiders from accessing the stolen data.
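Added example (not code from the article or the Symantec report): a detection heuristic that looks for the parallel-upload pattern described above in connection logs. Because the tool rotates connections around 2GB, per-connection byte counts stay capped, so the check aggregates per source/destination pair and counts how many connections overlap in time. The record layout and the sample flows are constructed assumptions, not data from the report.

```python
"""Flag hosts holding many simultaneous outbound connections to one endpoint
while pushing a large volume of data, the pattern described for the Trigona
uploader. Heuristic only; tune thresholds to the environment."""
from collections import defaultdict

# Constructed sample flows (assumed layout, not from the Symantec report):
# (start_ts, end_ts, src, dst, dst_port, bytes_out)
SAMPLE_FLOWS = [
    # five overlapping connections from one host to one server, ~2GB each
    (1000.0, 1900.0, "10.0.0.5", "203.0.113.7", 443, 2_000_000_000),
    (1001.0, 1905.0, "10.0.0.5", "203.0.113.7", 443, 2_000_000_000),
    (1002.0, 1910.0, "10.0.0.5", "203.0.113.7", 443, 2_000_000_000),
    (1003.0, 1902.0, "10.0.0.5", "203.0.113.7", 443, 2_000_000_000),
    (1004.0, 1899.0, "10.0.0.5", "203.0.113.7", 443, 2_000_000_000),
    # benign: two small, non-overlapping web sessions
    (1000.0, 1005.0, "10.0.0.9", "198.51.100.2", 443, 40_000),
    (2000.0, 2003.0, "10.0.0.9", "198.51.100.2", 443, 12_000),
]


def max_concurrency(intervals):
    """Largest number of intervals open at the same instant (sweep line)."""
    events = []
    for start, end in intervals:
        events.append((start, 1))
        events.append((end, -1))
    # at an equal timestamp, process the close (-1) before the open (+1)
    events.sort(key=lambda e: (e[0], e[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def detect_parallel_exfil(flows, min_parallel=5, min_bytes=1_000_000_000):
    """Return (src, dst, peak_concurrency, total_bytes) for suspicious pairs.

    Aggregating per pair matters: connection rotation keeps each single
    flow below ~2GB, so a per-flow size rule alone would miss the upload."""
    by_pair = defaultdict(list)
    for start, end, src, dst, _port, bytes_out in flows:
        by_pair[(src, dst)].append((start, end, bytes_out))
    hits = []
    for (src, dst), conns in by_pair.items():
        peak = max_concurrency([(s, e) for s, e, _ in conns])
        total = sum(b for _, _, b in conns)
        if peak >= min_parallel and total >= min_bytes:
            hits.append((src, dst, peak, total))
    return hits


if __name__ == "__main__":
    for hit in detect_parallel_exfil(SAMPLE_FLOWS):
        print("possible parallel exfiltration:", hit)
```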

In one case, the tool was used to steal high-value documents such as invoices and PDFs from network drives.

Trigona ransomware launched in October 2022 as a double-extortion operation that demands ransom payments from its victims in the Monero cryptocurrency.

Although Ukrainian hacktivists disrupted Trigona's operations in October 2023, breaching its servers and stealing internal data such as source code and database records, Symantec's report suggests that the threat actors are active once again.

According to Symantec's analysis of the latest Trigona attack, the threat actor installs HRSword, a tool from the Huorong Network Security Suite, as a kernel driver service.

This is followed by the deployment of additional tools that can disable security-related products (e.g., PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd).

“Many of these kernel drivers are vulnerable to breaking security processes at the end,” Symantec said.

Some of these utilities are launched with PowerRun, a program that can run applications, executables, and scripts with elevated permissions, thereby bypassing user-mode protections.

AnyDesk was used for direct remote access to compromised systems, while Mimikatz and NirSoft utilities were used for credential theft and password recovery.

Symantec has listed the indicators of compromise (IoCs) associated with the latest Trigona activity in its report to aid in the timely detection and prevention of these attacks.
