Trigona ransomware attacks use custom exfiltration tool to steal data

Published: (April 23, 2026 at 02:59 PM EDT)

Source: Bleeping Computer


Overview

Recently observed Trigona ransomware attacks use a custom command‑line tool to steal data from compromised environments faster and more efficiently. The utility was employed in attacks in March that were attributed to a gang affiliate, likely in an effort to avoid publicly available tools such as Rclone and MegaSync, which security products typically flag.

Researchers at Symantec believe that the shift to a custom tool may indicate that the attacker is “investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks.”

Trigona ransomware was launched in October 2022 as a double‑extortion operation that demanded ransoms in Monero. Although Ukrainian cyber activists disrupted the Trigona operation in October 2023—hacking its servers and stealing internal data such as source code and database records—Symantec’s report suggests that the threat actors have resumed operations.

Custom Exfiltration Tool

The tool, named uploader_client.exe, connects to a hard‑coded server address and includes several performance and evasion capabilities:

  • Support for five simultaneous connections per file for faster data exfiltration via parallel uploads.
  • Rotation of TCP connections after 2 GB of traffic to evade monitoring.
  • Option for selective file‑type exfiltration, excluding large, low‑value media files.
  • Use of an authentication key to restrict access to stolen data by outsiders.

In one incident, the exfiltration tool was used to steal high‑value documents such as invoices and PDFs on network drives.
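The two network‑level traits described above (five parallel connections per file and a new TCP connection every 2 GB) can be turned into a detection heuristic over outbound flow records. The following is an added defender‑side example, not code from the report or from Bleeping Computer; the flow records, field layout and thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (Zeek conn.log style), not taken from the report.
# Fields: start_ts, end_ts, src_host, dst_ip, orig_bytes (bytes sent by the host).
FLOWS = [
    # host A: five overlapping uploads to one external IP, each ending near 2 GB,
    # then a sixth connection once the first batch closes
    (0, 600, "10.0.0.5", "203.0.113.7", 2_000_000_100),
    (1, 610, "10.0.0.5", "203.0.113.7", 1_999_999_800),
    (2, 605, "10.0.0.5", "203.0.113.7", 2_000_000_400),
    (3, 620, "10.0.0.5", "203.0.113.7", 2_000_000_000),
    (4, 615, "10.0.0.5", "203.0.113.7", 1_999_998_000),
    (600, 1200, "10.0.0.5", "203.0.113.7", 2_000_000_100),
    # host B: ordinary small, sequential web requests
    (0, 5, "10.0.0.9", "198.51.100.2", 4_096),
    (10, 15, "10.0.0.9", "198.51.100.2", 8_192),
]

ROTATION_BYTES = 2_000_000_000   # reported rotation point (assumed decimal GB)
TOLERANCE = 0.05                 # accept flows within 5% of that size
MIN_PARALLEL = 5                 # reported five connections per file
MIN_ROTATED = 2                  # two rotation-sized flows to one peer is unusual

def near_rotation_size(nbytes):
    """True when a flow's upload volume sits close to the 2 GB rotation point."""
    return abs(nbytes - ROTATION_BYTES) <= ROTATION_BYTES * TOLERANCE

def max_concurrency(intervals):
    """Sweep line over (start, end) pairs; ends sort before starts at equal
    timestamps so back-to-back connections are not counted as parallel."""
    events = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak

def find_suspicious_pairs(flows):
    """Return (src, dst) pairs showing parallel uploads or 2 GB connection rotation."""
    by_pair = defaultdict(list)
    for start, end, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((start, end, nbytes))
    hits = {}
    for pair, recs in by_pair.items():
        parallel = max_concurrency([(s, e) for s, e, _ in recs])
        rotated = sum(1 for _, _, b in recs if near_rotation_size(b))
        if parallel >= MIN_PARALLEL or rotated >= MIN_ROTATED:
            hits[pair] = {"max_parallel": parallel, "rotation_sized_flows": rotated,
                          "total_bytes": sum(b for _, _, b in recs)}
    return hits
```

Tune the thresholds against a baseline of legitimate bulk transfers (backups, cloud sync clients) before alerting on the result, and pair the hit with the destination's reputation and the process that opened the sockets.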

Threat Actor Tactics

Symantec’s observations of recent Trigona attacks reveal a multi‑stage approach:

  1. Installation of Huorong Network Security Suite (HRSword) as a kernel‑driver service.

  2. Deployment of additional tools that can disable security‑related products, including:

    • PCHunter
    • Gmer
    • YDark
    • WKTools
    • DumpGuard
    • StpProcessMonitorByovd

    Many of these leverage vulnerable kernel drivers to terminate endpoint protection processes (Symantec).

  3. Privilege escalation using PowerRun to launch applications, executables, and scripts with elevated privileges, bypassing user‑mode protections.

  4. Remote access via AnyDesk for direct control of breached systems.

  5. Credential theft using Mimikatz and Nirsoft utilities for password recovery operations.

Indicators of Compromise

Symantec has listed indicators of compromise (IoCs) associated with the latest Trigona activity in the bottom section of its report. Security teams should reference those IoCs to enable timely detection and blocking of these attacks.
