
Trigona ransomware deploys custom tool to steal data

Summary

– Trigona ransomware attacks now use a custom tool called “uploader_client.exe” for faster, more efficient data theft, avoiding public tools like Rclone and MegaSync.
– The tool supports five simultaneous connections per file, rotates TCP connections after 2GB of traffic, and uses an authentication key to restrict outsider access.
– In one incident, the tool stole high-value documents like invoices and PDFs from network drives.
– Attackers install the HRSword kernel driver and deploy utilities (e.g., PCHunter, Gmer) to disable security products via vulnerable kernel drivers.
– Tools like PowerRun, AnyDesk, Mimikatz, and Nirsoft are used for privilege escalation, remote access, and credential theft.

Recent Trigona ransomware attacks have introduced a custom command-line data theft tool designed to accelerate and streamline information exfiltration while sidestepping standard security defenses. This specialized utility surfaced during incidents in March linked to a gang affiliate, marking a deliberate shift away from widely used public tools like Rclone and MegaSync, which often trigger alarms in security software.

Analysts at Symantec interpret this move as a strategic investment in proprietary malware, aimed at keeping the attacker’s footprint minimal during a crucial stage of the operation. The tool, identified as “uploader_client.exe,” connects to a fixed server address and boasts several performance and stealth features. It enables up to five simultaneous connections per file for faster parallel uploads, rotates TCP connections after every 2GB of traffic to evade detection, and supports selective file exfiltration by skipping large, low-value media files. An authentication key also restricts access to stolen data, preventing outsiders from viewing it.

In one documented incident, the tool successfully targeted high-value documents such as invoices and PDFs stored on network drives. Trigona ransomware first appeared in October 2022 as a double-extortion operation, demanding ransoms in Monero cryptocurrency. Although Ukrainian cyber activists disrupted the group in October 2023 by hacking its servers and stealing internal data like source code and database records, Symantec’s findings indicate the threat actors have since resumed operations.

Recent Trigona attacks follow a distinct pattern. The threat actor installs the Huorong Network Security Suite tool HRSword as a kernel driver service. The actor then deploys additional utilities that disable security products, including PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd. Many of these tools rely on vulnerable kernel drivers to terminate endpoint protection processes. Some are executed using PowerRun, a product that grants elevated privileges to bypass user-mode protections. For direct remote access, the attackers use AnyDesk, while Mimikatz and Nirsoft utilities facilitate credential theft and password recovery.
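Because this chain starts with a new kernel driver service, the Service Control Manager's event 7045 ("a service was installed in the system") in the Windows System log is the natural place to look. The following is an added example, not code from Symantec or BleepingComputer: it parses 7045 events in the standard Windows event XML format and flags kernel-mode driver installs whose service name or image path matches the tool names listed above, or whose driver image loads from a user-writable directory rather than the drivers folder. The watchlist comes from the article; the event samples, file names and paths are constructed placeholders.

```python
"""Flag suspicious kernel-driver service installs from 7045 events (example code)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Tool names taken from the article; matched case-insensitively as substrings.
WATCHLIST = ("hrsword", "pchunter", "gmer", "ydark", "wktools",
             "dumpguard", "stpprocessmonitorbyovd")

# Drivers normally load from \Windows\System32\drivers; these locations are
# an assumed heuristic for a driver dropped by an interactive user.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


def parse_7045(xml_text):
    """Return the EventData fields of a 7045 event as a dict, or None if not 7045."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7045":
        return None
    return {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}


def assess(data):
    """Return the reasons a service install looks suspicious (empty list = clean)."""
    reasons = []
    if data.get("ServiceType", "").lower() != "kernel mode driver":
        return reasons  # user-mode services are out of scope for this check
    name = data.get("ServiceName", "").lower()
    path = data.get("ImagePath", "").lower()
    hits = [w for w in WATCHLIST if w in name or w in path]
    if hits:
        reasons.append("matches watchlisted tooling: " + ", ".join(hits))
    if any(h in path for h in USER_WRITABLE_HINTS):
        reasons.append("driver image loads from a user-writable directory")
    return reasons


EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID>7045</EventID>
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data Name="ServiceName">{name}</Data>
    <Data Name="ImagePath">{path}</Data>
    <Data Name="ServiceType">{stype}</Data>
    <Data Name="StartType">demand start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>"""

# Constructed samples: a watchlisted driver dropped under Users\Public, a driver
# in the normal location, and a user-mode service with a watchlisted name.
SAMPLE_EVENTS = [
    EVENT_TEMPLATE.format(name="HRSword_drv",
                          path=r"\??\C:\Users\Public\hrsword_drv.sys",
                          stype="kernel mode driver"),
    EVENT_TEMPLATE.format(name="exampledisk",
                          path=r"system32\DRIVERS\exampledisk.sys",
                          stype="kernel mode driver"),
    EVENT_TEMPLATE.format(name="PCHunterSvc",
                          path=r"C:\Users\Public\pchunter.exe",
                          stype="user mode service"),
]


def run_sample():
    """Return {ServiceName: reasons} for every 7045 event in the sample set."""
    results = {}
    for xml_text in SAMPLE_EVENTS:
        data = parse_7045(xml_text)
        if data is not None:
            results[data["ServiceName"]] = assess(data)
    return results


if __name__ == "__main__":
    for svc, reasons in run_sample().items():
        print(svc, "->", reasons or "clean")
```

The user-mode PCHunter service is intentionally not flagged here: this check is scoped to the kernel-driver stage of the chain, and user-mode tooling is better caught by process-creation telemetry than by service install events.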

Symantec has published a list of indicators of compromise (IoCs) tied to the latest Trigona activity at the end of its report, enabling organizations to detect and block these attacks more effectively.

(Source: BleepingComputer)
