

Ethical Hacking News

Trigona Ransomware Attacks: A Shift to Custom Exfiltration Tools Raises Concerns


Trigona Ransomware Attacks are utilizing custom exfiltration tools designed to steal sensitive data from compromised environments, raising concerns about the sophistication of modern ransomware attacks. According to a recent report by Symantec, attackers are using proprietary malware utilities such as "uploader_client.exe" to evade traditional security solutions and efficiently extract valuable information.

  • Trigona ransomware affiliates are using a custom exfiltration tool to steal sensitive data before encryption.
  • The tool, a proprietary utility named "uploader_client.exe", is built to evade conventional security controls and move data out quickly.
  • It uploads to a hardcoded server address and opens several simultaneous connections per file to shorten transfer time.
  • TCP connections are rotated after roughly 2GB of traffic, a step designed to evade network monitoring.
  • Exfiltration is selective by file type, skipping large, low-value media files.
  • An authentication key gates access to the upload server, so only the operators can retrieve what was stolen.
  • Organizations should patch promptly, deploy and harden endpoint protection, run regular vulnerability assessments, and watch for the tooling and traffic patterns described below.



    In recent weeks, cybersecurity researchers have observed a significant increase in Trigona ransomware attacks that use a custom exfiltration tool to steal sensitive data from compromised environments. These attacks, attributed to a Trigona affiliate, rely on a proprietary malware utility designed to evade traditional security solutions and extract valuable information efficiently.

    According to a report by Symantec, researchers have identified a specific tool used in these attacks, dubbed "uploader_client.exe." The tool connects to a hardcoded server address and is built for fast data exfiltration: it opens multiple simultaneous connections per file, so uploads complete sooner and the window in which the transfer can be noticed is shorter.

    The tool also rotates its TCP connections after roughly 2GB of traffic, a measure designed to evade monitoring tools. It exfiltrates selectively by file type, excluding large, low-value media files. Access to the upload server is gated by an authentication key, so only a party holding the key can retrieve the stolen data.
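    The network behaviour described above (one internal host, one hardcoded external server, several parallel uploads, each connection torn down and replaced at about 2GB) is something a defender can hunt for in flow data. The following is an added example written for this page, not code from Symantec or from the Trigona tooling. The flow records are constructed, and the record layout (start, end, src, dst, dport, bytes_out) and the thresholds are assumptions to tune against your own baseline; the 10% tolerance around 2GB exists because the report does not say whether the cut-off is 2,000,000,000 bytes or 2 GiB.

```python
"""Hunt for the uploader_client.exe traffic shape described in the Symantec
write-up: many concurrent outbound connections from one internal host to one
external peer, each carrying about 2 GB before being rotated.

Added example for this article, not Symantec's or the malware's code.
All flow records below are CONSTRUCTED; the field names are an assumption,
not a real NetFlow/Zeek schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GIB = 2 ** 30
ROTATION_BYTES = 2 * GIB       # per-connection rotation size reported for the tool
ROTATION_TOLERANCE = 0.10      # +/-10 % covers both 2 GiB and 2,000,000,000 bytes
MIN_PARALLEL = 4               # connections open at the same instant to one peer
MIN_TOTAL_BYTES = 1 * GIB      # ignore small transfers entirely
BULK_TOTAL_BYTES = 10 * GIB    # aggregate volume that by itself earns a point

# RFC 1918 only. ipaddress.is_private also treats the documentation ranges
# (198.51.100.0/24, 203.0.113.0/24) as private, which would hide our sample peers.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    start: int      # epoch seconds
    end: int
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent src -> dst


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def near_rotation_size(n: int) -> bool:
    """True if a connection carried roughly the reported 2 GB rotation volume."""
    return abs(n - ROTATION_BYTES) <= ROTATION_BYTES * ROTATION_TOLERANCE


def max_concurrency(flows) -> int:
    """Largest number of flows open at one instant (sweep line over start/end)."""
    events = []
    for f in flows:
        events.append((f.start, +1))
        events.append((f.end, -1))
    events.sort()                 # at equal timestamps -1 sorts first: close before open
    current = best = 0
    for _, delta in events:
        current += delta
        best = max(best, current)
    return best


def find_exfil_candidates(flows):
    """Score each (src, dst, dport) pair; return those matching >= 2 of 3 signals."""
    groups = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):   # outbound only
            groups[(f.src, f.dst, f.dport)].append(f)

    results = []
    for key, fl in groups.items():
        total = sum(f.bytes_out for f in fl)
        if total < MIN_TOTAL_BYTES:
            continue
        rotated = sum(1 for f in fl if near_rotation_size(f.bytes_out))
        concurrent = max_concurrency(fl)
        score = (concurrent >= MIN_PARALLEL) + (rotated >= 2) + (total >= BULK_TOTAL_BYTES)
        if score >= 2:
            results.append((*key, {"flows": len(fl), "total_bytes": total,
                                   "max_concurrent": concurrent,
                                   "rotated_flows": rotated, "score": int(score)}))
    return sorted(results, key=lambda r: -r[3]["score"])


T0 = 1_700_000_000
SAMPLE_FLOWS = [
    # constructed: six parallel streams, each closed near 2 GiB, then six replacements
    *[Flow(T0, T0 + 900, "10.0.0.5", "203.0.113.10", 443, 2 * GIB - 65_536 * i) for i in range(6)],
    *[Flow(T0 + 900, T0 + 1700, "10.0.0.5", "203.0.113.10", 443, 2 * GIB - 4_096 * i) for i in range(6)],
    # constructed: one long single-stream backup upload, large but not rotated or parallel
    Flow(T0, T0 + 7200, "10.0.0.7", "198.51.100.20", 443, 3 * GIB),
    # constructed: web browsing, many small concurrent flows, total far below 1 GiB
    *[Flow(T0 + i, T0 + i + 5, "10.0.0.8", "203.0.113.50", 443, 40_000) for i in range(20)],
    # constructed: inbound flow, ignored because the source is external
    Flow(T0, T0 + 60, "203.0.113.77", "10.0.0.9", 445, 5 * GIB),
]

if __name__ == "__main__":
    for src, dst, dport, info in find_exfil_candidates(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {info}")
```

    Only the 10.0.0.5 pair is reported: six connections open at once, twelve connections each within 10% of 2GB, and about 24GiB in total. The backup host moves 3GiB over a single connection and scores zero, which is the point of combining the signals rather than alerting on volume alone.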

    In one notable incident, the exfiltration tool was used to steal high-value documents such as invoices and PDFs from network drives. Trigona ransomware first emerged in October 2022, running a double-extortion operation that demanded payment in the Monero cryptocurrency. Although Ukrainian cyber activists disrupted the Trigona operation in October 2023 by hacking its servers and stealing internal data, including source code and database records, Symantec's report indicates that the threat actors have resumed operations.

    In recent attacks attributed to this affiliate, the attackers install the Huorong Network Security Suite tool HRSword as a kernel driver service. They then deploy additional tools to disable security products; some of these load vulnerable kernel drivers and abuse them to terminate endpoint protection processes, the technique commonly called bring-your-own-vulnerable-driver (BYOVD). The attackers also used AnyDesk for direct remote access to compromised systems, and Mimikatz and NirSoft utilities for credential theft and password recovery.
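    Each of the steps in that paragraph leaves a "service installed" record in the Windows System log (Event ID 7045): a kernel driver service for HRSword, further driver services for the EDR-killing tools, and a user-mode service when AnyDesk is installed. The example below, added for this page and not taken from Symantec or the affiliate's tooling, parses constructed 7045 message bodies in the standard Windows layout and flags kernel drivers loaded from outside System32\drivers plus services whose name or image matches the tools named in the report. The driver file names and paths are placeholders, not observed indicators, and legitimate software does install drivers, so treat the output as a triage queue rather than an alert.

```python
"""Triage Windows 'A service was installed in the system' events (System log,
Event ID 7045) for the tradecraft described above: HRSword registered as a
kernel driver service, further drivers used to kill endpoint protection, and
AnyDesk installed for remote access.

Added example for this article, not code from Symantec or the page.
The event bodies below are CONSTRUCTED in the real 7045 message layout;
file names and paths are placeholders, not real indicators.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# The five fields Windows prints in a 7045 message body, one per line.
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.*?)\s*$",
    re.MULTILINE,
)

# Where inbox and properly installed third-party drivers normally live.
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Tool names taken from the page's reporting; extend locally as needed.
WATCHED_NAMES = ("hrsword", "anydesk", "mimikatz")


@dataclass
class ServiceInstall:
    name: str
    image: str
    service_type: str   # 'kernel mode driver', 'file system driver', 'user mode service'
    start_type: str
    account: str


def normalize_image(raw: str) -> str:
    """Reduce a Service File Name to a lower-case path with Windows aliases folded.

    Strips surrounding quotes and trailing arguments, the NT prefix \\??\\, and
    rewrites \\SystemRoot\\, %SystemRoot%\\ and bare system32\\ to c:\\windows\\.
    Assumption: unquoted paths contain no spaces (true for driver images).
    """
    s = raw.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        s = s[1:end] if end > 0 else s[1:]
    else:
        s = s.split()[0] if s else ""
    s = s.lower()
    if s.startswith("\\??\\"):
        s = s[4:]
    if s.startswith("\\systemroot\\"):
        s = "c:\\windows\\" + s[len("\\systemroot\\"):]
    elif s.startswith("%systemroot%\\"):
        s = "c:\\windows\\" + s[len("%systemroot%\\"):]
    elif s.startswith("system32\\"):
        s = "c:\\windows\\" + s
    return s


def parse_7045(body: str) -> ServiceInstall:
    fields = dict(FIELD_RE.findall(body))
    return ServiceInstall(
        name=fields.get("Service Name", ""),
        image=fields.get("Service File Name", ""),
        service_type=fields.get("Service Type", ""),
        start_type=fields.get("Service Start Type", ""),
        account=fields.get("Service Account", ""),
    )


def triage(ev: ServiceInstall) -> List[str]:
    """Return human-readable reasons this install deserves a look (empty if none)."""
    reasons = []
    img = normalize_image(ev.image)
    is_driver = "driver" in ev.service_type.lower()
    if is_driver and not img.startswith(DRIVER_DIRS):
        reasons.append(f"driver service '{ev.name}' loads from outside System32\\drivers: {img}")
    haystack = f"{ev.name} {img}".lower()
    for w in WATCHED_NAMES:
        if w in haystack:
            reasons.append(f"name or image matches watched tool '{w}'")
    return reasons


def triage_log(bodies) -> List[Tuple[str, List[str]]]:
    hits = []
    for body in bodies:
        ev = parse_7045(body)
        reasons = triage(ev)
        if reasons:
            hits.append((ev.name, reasons))
    return hits


HEADER = "A service was installed in the system.\n\n"
SAMPLE_EVENTS = [
    # constructed: inbox-style filter driver in the expected directory -> no findings
    HEADER + "Service Name:  ExampleInboxFilter\nService File Name:  \\SystemRoot\\System32\\drivers\\examplefilter.sys\n"
             "Service Type:  kernel mode driver\nService Start Type:  demand start\nService Account:  ",
    # constructed: HRSword driver registered from a user-writable path
    HEADER + "Service Name:  HRSword\nService File Name:  \\??\\C:\\Users\\Public\\HRSword\\hrsword_drv.sys\n"
             "Service Type:  kernel mode driver\nService Start Type:  demand start\nService Account:  ",
    # constructed: a second driver dropped in Temp, as the EDR-killing tools do
    HEADER + "Service Name:  drv1\nService File Name:  C:\\Windows\\Temp\\drv1.sys\n"
             "Service Type:  kernel mode driver\nService Start Type:  demand start\nService Account:  ",
    # constructed: AnyDesk installed as a user-mode service with arguments
    HEADER + "Service Name:  AnyDesk Service\nService File Name:  \"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --service\n"
             "Service Type:  user mode service\nService Start Type:  auto start\nService Account:  LocalSystem",
]

if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

    The inbox-style driver produces nothing; the HRSword event produces two reasons (unexpected path and watched name), the Temp driver one, and the AnyDesk service one. In production, feed this the rendered message text from a 7045 event (Sysmon or the System log) and follow a driver hit by checking the file's signer against your vulnerable-driver blocklist.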

    Symantec has published indicators of compromise (IoCs) for the latest Trigona activity, which support timely detection and blocking. As the threat landscape continues to evolve, organizations need to remain vigilant and maintain robust security measures against custom exfiltration tools of this kind.

    To mitigate the risk posed by these attacks, organizations should keep systems patched, deploy endpoint protection with tamper protection enabled, and conduct regular vulnerability assessments. Security teams should also watch for the specific activity described in the report: new kernel driver services, particularly from unusual paths; the arrival of remote-access software such as AnyDesk; credential-dumping tools such as Mimikatz; and sustained outbound transfers from a single host to a single external address over many parallel connections. Incident response plans should cover the data-theft phase as well as encryption, since double extortion means the damage is done before any ransom note appears.

    In conclusion, Trigona's shift to custom exfiltration tooling marks a significant escalation in the sophistication of its tactics. As threat actors continue to adapt, organizations must keep pace by strengthening their security posture and remaining alert to emerging threats like this one.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/Trigona-Ransomware-Attacks-A-Shift-to-Custom-Exfiltration-Tools-Raises-Concerns-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/trigona-ransomware-attacks-use-custom-exfiltration-tool-to-steal-data/

  • https://www.security.com/threat-intelligence/trigona-exfiltration-custom

  • https://www.sentinelone.com/anthology/trigona/


  • Published: Thu Apr 23 16:41:50 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.