Instead, these attackers deployed a custom-developed exfiltration tool to steal victim data. This strategic pivot highlights a growing trend where cybercriminals invest in proprietary malware to bypass security solutions that easily flag widely known public tools.
First emerging as a Ransomware-as-a-Service (RaaS) operation in late 2022, Trigona has matured significantly. Historically, RaaS affiliates favor standard toolkits for quick deployment. However, this shift suggests an attacker with greater technical maturity.
Technical Capabilities and Evasion
The custom uploader demonstrates advanced capabilities, offering features specifically designed for speed, efficiency, and stealth.
Rather than unthinkingly grabbing all files, the tool allows operators to selectively target high-value assets. In one observed case, attackers specifically hunted for folders containing invoices and sensitive PDF documents stored on networked drives.
Key performance and evasion features include:
- Parallel streams maximize data transfer speed by defaulting to 5 concurrent connections per file to saturate available bandwidth.
- Connection rotation evades network traffic monitoring by automatically rotating TCP connections after sending 2,048 MB of data.
- Granular filtering uses the `--exclude-ext` flag to ignore bulky file types like .mp3 or .mp4, ensuring only high-priority documents are stolen.
- Integrated authentication uses a shared key to verify the client to the server, securing the data repository from unauthorized access.
Custom tooling of this kind defeats signature-based detection and heuristic monitors that look for common exfiltration behaviors, giving attackers a critical advantage until security researchers discover and analyze the new malware.
Before exfiltrating any data, Trigona affiliates take aggressive steps to neutralize endpoint protection. The attackers deploy the Huorong Network Security Suite tool, HRSword, as a kernel driver service.
Operating at the kernel level allows these threat actors to bypass standard user-mode protections and terminate security software effectively.
To support this defense evasion, the attackers use elevated privileges via PowerRun to execute a variety of specialized tools. They also rely on AnyDesk to gain remote access to infected machines.
The broader security-disabling toolkit leverages vulnerable kernel drivers to terminate endpoint protection processes. This toolkit includes:
- PCHunter and Gmer manipulate system processes and bypass underlying security hooks.
- YDark and WKTools detect and disable hidden security agents.
- DumpGuard and StpProcessMonitorByovd further undermine defensive monitors by providing kernel-level access.
| Indicator (SHA-256 Hash) | Associated Tool / File |
|---|---|
| 0b679027e38f3d9ca554085be0e762c651e83e6414401b56635cdf3765ca1dac | AnyDesk |
| 0ce7badb26174b6129fb13d7e255e582f84d8aaedeabcd02c80d84a609144068 | PCHunter |
| 1433aa8210b287b8d463d958fc9ceeb913644f550919cfb2c62370773799e5a5 | Vulnerable driver |
To defend against these mature threats, organizations must monitor for unauthorized remote access tools and unusual kernel driver installations.
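One way to act on the kernel-driver recommendation above, as an added example that is not from the article or from Symantec: triage Windows System log Event ID 7045 ("A service was installed in the system") lines, flagging kernel-mode driver installs, drivers loaded from user-writable paths, and service names or paths that match the tool names the article lists. The event lines are constructed samples, and the watchlist and path heuristic are assumptions a defender would tune to their own environment.

```python
import re
from dataclasses import dataclass

# Tool names taken from the article's toolkit description; a hit means
# "check against the authorized software inventory", not proof of compromise.
WATCHLIST = ("hrsword", "pchunter", "gmer", "ydark", "wktools",
             "dumpguard", "stpprocessmonitorbyovd", "anydesk", "powerrun")

# Field layout of Windows System log Event ID 7045 ("A service was installed in the system").
FIELD_RE = re.compile(
    r"Service Name:\s*(?P<name>.*?)\s+Service File Name:\s*(?P<path>.*?)\s+"
    r"Service Type:\s*(?P<type>.*?)\s+Service Start Type:\s*(?P<start>.*?)\s+"
    r"Service Account:\s*(?P<account>.*)$"
)

@dataclass
class Finding:
    name: str
    path: str
    reasons: list

def triage_service_install(line: str):
    """Return a Finding for a suspicious 7045 event line, or None if it looks benign."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    name, path = m["name"], m["path"]
    is_driver = "kernel mode driver" in m["type"].lower()
    reasons = []
    if is_driver:
        reasons.append("kernel-mode driver service installed")
    hits = [t for t in WATCHLIST if t in (name + " " + path).lower()]
    if hits:
        reasons.append("matches watchlisted tool: " + ", ".join(hits))
    # Legitimate drivers ship from system directories; user-writable paths are a red flag.
    if is_driver and re.search(r"\\(users|temp|programdata)\\", path, re.I):
        reasons.append("driver loaded from a user-writable path")
    return Finding(name, path, reasons) if reasons else None

def scan(lines):
    return [f for f in map(triage_service_install, lines) if f]

# Constructed sample events (not real telemetry) in the 7045 message layout.
SAMPLE_EVENTS = [
    r"Service Name: HRSword Service File Name: C:\Users\Public\hrsword.sys "
    r"Service Type: kernel mode driver Service Start Type: demand start Service Account: ",
    r"Service Name: Windows Update Medic Service Service File Name: C:\Windows\System32\svchost.exe -k WaaSMedicSvc "
    r"Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem",
    r'Service Name: AnyDesk Service Service File Name: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service '
    r"Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem",
]
```

Running `scan(SAMPLE_EVENTS)` flags the HRSword driver install on all three counts and the AnyDesk service on the watchlist only, while the Windows Update Medic service passes.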
For the latest protection updates and detailed mitigation strategies, security teams should consult the authorized Symantec Protection Bulletin.
The post Hackers Deploy New Exfiltration Tool In Ransomware Attacks appeared first on Cyber Security News.
