Security & Infrastructure Tools
Trigona Ransomware Attacks Use Custom Exfiltration Tool to Steal Data
Trigona ransomware operators are now using a custom command-line exfiltration tool, uploader_client.exe, to steal data from compromised networks faster and more quietly. The tool connects to a hardcoded server, supports up to five parallel uploads per file, rotates TCP connections after about 2 GB of traffic, can selectively exfiltrate certain file types, and requires an authentication key before stolen data can be accessed. The March attacks, attributed to a gang affiliate, signal a shift from publicly available tools to proprietary malware that is less likely to trip security monitoring. In these campaigns Trigona also loads the HRSword utility from the Huorong Network Security Suite as a kernel driver service, uses several tools that abuse vulnerable kernel drivers to disable security products, runs programs with elevated privileges via PowerRun, installs AnyDesk for remote access, and harvests credentials with Mimikatz and NirSoft utilities. Symantec has published IoCs to aid detection and blocking of this activity.

TRIGONA RANSOMWARE ATTACKS USE CUSTOM EXFILTRATION TOOL TO STEAL DATA
OVERVIEW
- Recent activity around the Trigona ransomware family shows a shift toward a purpose-built data exfiltration utility, designed to move stolen information quickly and under the radar.
- March campaigns were traced to a gang affiliate, with indications that attackers intentionally avoided publicly available exfiltration tools to reduce detection risk.
- Security researchers view the move to proprietary tooling as a sign that operators are investing time and effort into custom malware to maintain a lower profile during the critical stages of an intrusion.
THE CUSTOM EXFILTRATION TOOL: uploader_client.exe
- The exfiltration utility, named uploader_client.exe, connects to a hardcoded server address; the endpoint is fixed at build time rather than supplied at run time, which points to tightly controlled staging infrastructure and makes the address itself a usable indicator.
- Core capabilities include:
  - Parallel exfiltration: each file can be pushed over up to five simultaneous connections, so large shares are drained far faster than with a single stream.
  - Connection rotation: after roughly 2 GB of traffic the tool tears down the TCP connection and opens a new one, so no single session carries a volume large enough to trip detections keyed on long-lived, high-volume flows.
  - Selective exfiltration: file-type filters let operators skip bulky media files and concentrate on smaller, more valuable documents.
  - Access control: an authentication key is required to retrieve uploaded data from the server, so only operators holding the key can reach the stolen files.
- In at least one observed incident, the tool targeted high-value documents such as invoices stored on network shares and drives.
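The upload behaviour described above (several simultaneous connections to one peer, each torn down at about 2 GB) is visible in ordinary flow telemetry. The script below is an added example written for this page, not code from Symantec, from the report, or from the Trigona tooling: it scores NetFlow/IPFIX-style records per source/destination pair for both traits. The flow records are constructed, and the CSV column layout (start, end, src, dst, dport, bytes_out) and every threshold are assumptions to be tuned for the environment.

```python
"""Hunt flow records for the upload pattern attributed to uploader_client.exe:
several simultaneous connections to one destination, and connections that are
rotated after roughly 2 GB of traffic.

Added example for this page. The records below are constructed, and the
column layout and thresholds are assumptions rather than facts from the report.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass

GIB = 1024 ** 3
ROTATION_BYTES = 2 * GIB        # per-connection rotation point attributed to the tool
ROTATION_TOLERANCE = 0.05       # a flow within 5% of 2 GiB counts as "rotation-sized"
PARALLEL_THRESHOLD = 3          # overlapping flows to one peer treated as parallel upload
ROTATED_FLOWS_THRESHOLD = 3     # rotation-sized flows to one peer before we call it rotation
MIN_TOTAL_BYTES = 4 * GIB       # ignore src/dst pairs that moved less than this in total

# Constructed sample: 10.0.5.23 runs three parallel uploads to 203.0.113.10,
# each connection replaced at ~2 GiB; the last two rows are benign noise
# (one long single-connection transfer, one tiny session).
SAMPLE_FLOWS = """\
start,end,src,dst,dport,bytes_out
1700000000,1700000900,10.0.5.23,203.0.113.10,443,2147000000
1700000000,1700000910,10.0.5.23,203.0.113.10,443,2146000000
1700000001,1700000905,10.0.5.23,203.0.113.10,443,2148000000
1700000900,1700001800,10.0.5.23,203.0.113.10,443,2147483648
1700000910,1700001810,10.0.5.23,203.0.113.10,443,2147483000
1700000905,1700001790,10.0.5.23,203.0.113.10,443,2147400000
1700000000,1700003600,10.0.5.23,198.51.100.7,443,5000000000
1700000000,1700000100,10.0.7.9,203.0.113.10,443,120000
"""


@dataclass(frozen=True)
class Flow:
    start: int       # epoch seconds
    end: int
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent by src


def parse_flows(text: str) -> list[Flow]:
    """Parse the CSV layout assumed above into Flow records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Flow(int(r["start"]), int(r["end"]), r["src"], r["dst"],
                 int(r["dport"]), int(r["bytes_out"])) for r in rows]


def is_rotation_sized(nbytes: int) -> bool:
    """True if a flow's volume sits close to the 2 GiB rotation point."""
    return abs(nbytes - ROTATION_BYTES) <= ROTATION_BYTES * ROTATION_TOLERANCE


def max_concurrency(flows: list[Flow]) -> int:
    """Peak number of flows open at the same instant (sweep line). An end at
    time t sorts before a start at the same t, so a rotated connection does
    not double-count its replacement."""
    events = [(f.start, 1) for f in flows] + [(f.end, -1) for f in flows]
    events.sort()                       # (t, -1) sorts before (t, +1)
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def analyse(flows: list[Flow]) -> dict[tuple[str, str], dict]:
    """Return, per (src, dst) pair, the evidence for the exfiltration pattern."""
    by_pair: dict[tuple[str, str], list[Flow]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    findings = {}
    for pair, group in by_pair.items():
        total = sum(f.bytes_out for f in group)
        if total < MIN_TOTAL_BYTES:
            continue
        rotated = sum(1 for f in group if is_rotation_sized(f.bytes_out))
        peak = max_concurrency(group)
        reasons = []
        if peak >= PARALLEL_THRESHOLD:
            reasons.append(f"{peak} simultaneous flows to one peer (parallel upload)")
        if rotated >= ROTATED_FLOWS_THRESHOLD:
            reasons.append(f"{rotated} flows of ~2 GiB each (connection rotation)")
        if reasons:
            findings[pair] = {"total_bytes": total, "peak_parallel": peak,
                              "rotation_sized_flows": rotated, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for (src, dst), info in analyse(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: {info['total_bytes'] / GIB:.1f} GiB; "
              + "; ".join(info["reasons"]))
```

Backup agents and cloud-storage clients also open parallel long-lived uploads, so in practice the destination should be checked against an allowlist of known services before a pair is escalated; the single 5 GB flow in the sample is deliberately left unflagged because one long connection matches neither trait.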
CAMPAIGN TIMELINE AND MODUS OPERANDI
- Trigona ransomware emerged in October 2022 as a double-extortion operation, demanding payment in Monero both to decrypt data and to prevent publication of the stolen files.
- Ukrainian cyber activists reportedly disrupted the operation in October 2023, taking down the gang's servers and leaking internal data, including source code and databases.
- Despite this disruption, Symantec's analysis indicates that the threat actors resumed activity and continue to run Trigona attacks.
- The latest activity shows attackers loading a kernel-mode driver on compromised hosts, giving them kernel-level access that is used to tamper with security software.
ADDITIONAL TOOLS AND TECHNIQUES OBSERVED
- After gaining access, operators install the HRSword tool from the Huorong Network Security Suite as a kernel driver service, which gives them kernel-level access on the host that is then used to neutralise security software.
- The attacker toolset includes several utilities that disable security products (PCHunter, Gmer, YDark, WKTools, DumpGuard and StpProcessMonitorByovd); several of these ship their own signed but vulnerable kernel drivers (BYOVD) and use them to terminate endpoint-protection processes from kernel mode, where user-mode tamper protection cannot intervene.
- Some utilities were launched through PowerRun, which runs programs and scripts with elevated privileges, sidestepping restrictions enforced on ordinary user accounts.
- For remote access and credential theft, attackers used AnyDesk for direct remote control, and Mimikatz and NirSoft password-recovery utilities to harvest passwords and related secrets.
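The driver-based tooling above leaves its clearest trace at driver-load time, so a hunt can start from Sysmon Event ID 6 (DriverLoad) telemetry: drivers loaded from user-writable paths, drivers that are unsigned or signed by a third party, and drivers whose hash appears on a vulnerable-driver list. The script below is an added example for this page, not Symantec's or the report's code. The events, paths, signer names and hashes are all constructed, the JSON-lines layout is assumed to be what a SIEM forwarder emits, and the denylist is a placeholder for a maintained vulnerable-driver hash feed.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for drivers that look like
bring-your-own-vulnerable-driver (BYOVD) tooling.

Added example for this page. Events, paths, signers and hashes are constructed;
the denylist is a placeholder for a real vulnerable-driver hash feed.
"""
from __future__ import annotations

import json

# Signers treated as first-party; any other signer counts as third party.
MICROSOFT_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
    "Microsoft Corporation",
}
# Directories production drivers are normally loaded from (lower-case, trailing backslash).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
# Placeholder: load this from a maintained vulnerable-driver list. The entry is constructed.
BYOVD_SHA256 = {
    "1" * 64: "constructed denylist entry",
}

# Constructed sample events (Sysmon EID 6 fields, one JSON object per line).
SAMPLE_EVENTS = r"""
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true", "Signature": "Microsoft Windows", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"}
{"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\tools\\kernelhelper.sys", "Signed": "true", "Signature": "Example Security Vendor Co., Ltd.", "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222"}
{"EventID": 6, "ImageLoaded": "C:\\ProgramData\\upd\\ydrv.sys", "Signed": "false", "Signature": "", "Hashes": "SHA256=3333333333333333333333333333333333333333333333333333333333333333"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\gpu_example.sys", "Signed": "true", "Signature": "Example GPU Vendor", "Hashes": "SHA256=4444444444444444444444444444444444444444444444444444444444444444"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\oldtool.sys", "Signed": "true", "Signature": "Example Hardware Co.", "Hashes": "SHA1=5555555555555555555555555555555555555555,SHA256=1111111111111111111111111111111111111111111111111111111111111111"}
"""


def parse_hashes(field: str) -> dict[str, str]:
    """Split Sysmon's 'SHA1=...,MD5=...,SHA256=...' field into {ALGO: hexvalue}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event: dict) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one DriverLoad event.

    Severity is 'high', 'medium', 'low' or 'none'. A denylist hit or a missing
    signature is decisive on its own; a third-party signer or an unusual load
    path is only suspicious in combination."""
    lowered = event.get("ImageLoaded", "").lower()
    signed = str(event.get("Signed", "false")).lower() == "true"
    signer = event.get("Signature", "")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")

    reasons, score = [], 0
    if sha256 in BYOVD_SHA256:
        reasons.append("SHA256 is on the vulnerable-driver denylist")
        score += 3
    if not signed:
        reasons.append("driver is not signed")
        score += 3
    elif signer not in MICROSOFT_SIGNERS:
        reasons.append(f"third-party signer: {signer}")
        score += 1
    if not lowered.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the Windows driver directories")
        score += 1

    severity = "high" if score >= 3 else "medium" if score == 2 else "low" if score == 1 else "none"
    return severity, reasons


def triage(lines: str, minimum: str = "medium") -> list[dict]:
    """Run assess_driver_load over JSON-lines input; keep hits at or above `minimum`."""
    rank = {"none": 0, "low": 1, "medium": 2, "high": 3}
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 6:
            continue
        severity, reasons = assess_driver_load(event)
        if rank[severity] >= rank[minimum]:
            hits.append({"image": event["ImageLoaded"], "severity": severity, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['image']}: " + "; ".join(hit["reasons"]))
```

Matching on the tool names listed above is deliberately not part of the logic: the driver file a tool drops rarely carries the tool's name, so hashes, signer and load path are the durable signals, with the denylist refreshed from a maintained vulnerable-driver list.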
INDICATORS OF COMPROMISE AND DETECTION AIDS
- Symantec’s recent report enumerates IoCs associated with the latest Trigona activity, providing guidance intended to support timely detection and blocking of these attacks.
- The IoCs cover multiple stages of the intrusion, from initial access and privilege escalation to data exfiltration and post-exploitation tools.
- Security teams should hunt for the tools listed in this report and correlate any hits with the published Trigona indicators.
HISTORICAL CONTEXT AND AFTERMATH
- Trigona’s October 2022 launch as a double-extortion operation positioned it among prominent ransomware families using both data encryption and public disclosures to pressure victims.
- The 2023 disruption by Ukrainian actors highlighted the transnational and collaborative nature of attacker and defender dynamics in this space.
- The resurgence of operations and the adoption of a custom exfiltration tool suggest a strategic pivot toward stealthier data theft and evasion of standard exfiltration detection mechanisms.
OBSERVATIONS ON INFRASTRUCTURE AND EXTENSIBILITY
- The reliance on a hardcoded exfiltration endpoint implies tightly controlled staging infrastructure rather than the public file-transfer tools and services other groups commonly use; the fixed address is also a concrete indicator that can be blocked.
- The combination of kernel-level components, anti-detection utilities, and remote-access capabilities points to a modular toolkit designed to adapt to varied enterprise environments.
- The attacker ecosystem appears to favor bespoke components that can be updated or swapped as needed, reducing reliance on publicly available tools that are more likely to be flagged by security products.
SUMMARY OF KEY TAKEAWAYS
- Trigona attacks are evolving toward the use of proprietary exfiltration tooling to accelerate and obscure data theft.
- The uploader_client.exe tool showcases capabilities designed to maximize throughput while evading monitoring, including parallel uploads, traffic rotation, and selective data targeting.
- The operation blends traditional ransomware tactics with aggressive post-exploitation and credential theft activities, reinforced by kernel-level components and defense-evasion tools.
- Historical disruptions did occur, but current activity indicates continued interest in carrying out large-scale, data-centric intrusions with evolving techniques and infrastructure.