(security.com) Trigona Ransomware Affiliates Deploy Custom Data Exfiltration Tool with Advanced Evasion Capabilities
Trigona ransomware affiliates (Rhantus) now deploy *uploader_client.exe*, a custom exfiltration tool with advanced evasion capabilities, in place of off-the-shelf utilities such as Rclone. The shift signals growing operational maturity in pre-ransomware tradecraft.
In brief - Trigona RaaS operators have adopted a bespoke data exfiltration tool that gives them granular control over which data is stolen, parallel transfers, and connection rotation to evade detection. Before exfiltration, the attackers disable defenses via BYOVD, harvest credentials with Mimikatz and NirSoft utilities, and establish persistence via AnyDesk; only then do they exfiltrate high-value files.
Technically - *uploader_client.exe* communicates with its C2 at 163.172.105.82:1080, opening 5 parallel TCP streams per file and rotating connections after 2,048 MB have been transferred. Pre-exfiltration activity includes kernel-level defense evasion through BYOVD tools such as HRSword, PCHunter, GMER, and YDark; credential theft with Mimikatz and NirSoft utilities; and elevated execution via PowerRun. File selection prioritizes high-value extensions and filename keywords (e.g., PDFs, invoices).
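The IP address above is a single indicator that the affiliates can change at will; the more durable signal is the transfer pattern itself, several concurrent TCP connections from one host to one external destination and port, each carrying a large volume of outbound data, with new connections replacing old ones as the 2,048 MB rotation point is reached. The following detection is an added example, not code from the security.com report or from Symantec; it runs over constructed Zeek-style JSON conn.log records (the field names `ts`, `id.orig_h`, `id.resp_h`, `id.resp_p`, `duration`, `orig_bytes` are Zeek's, the sample values and the thresholds `min_parallel` and `min_total_bytes` are assumptions), and flags any source/destination/port triple whose peak connection concurrency and total outbound bytes both exceed the thresholds. A browser opening six small connections is deliberately included so the byte threshold, not concurrency alone, decides.

```python
"""Flag parallel-stream exfiltration in Zeek-style conn.log JSON records.

Added example (not from the security.com report). Field names follow
Zeek's conn.log; sample records and thresholds are constructed assumptions.
"""
import json
from collections import defaultdict


def _conn(ts, src, dst, port, duration, orig_bytes):
    """Build one Zeek-style conn.log JSON line (constructed sample data)."""
    return json.dumps({
        "ts": ts, "id.orig_h": src, "id.resp_h": dst, "id.resp_p": port,
        "duration": duration, "orig_bytes": orig_bytes,
    })


# Constructed sample log (NOT real telemetry). Three scenarios:
#  1. 10.0.0.15 -> 163.172.105.82:1080: 5 parallel streams of 2 GiB each,
#     then 5 more after the first batch closes (connection rotation).
#  2. 10.0.0.30 -> 93.184.216.34:443: 6 parallel but tiny browser connections.
#  3. 10.0.0.22 -> 10.0.0.5:445: one large backup/file-share session.
SAMPLE_CONN_LOG = (
    [_conn(1700000000.0 + i * 0.1, "10.0.0.15", "163.172.105.82", 1080, 900.0, 2 * 2**30)
     for i in range(5)]
    + [_conn(1700000900.5 + i * 0.1, "10.0.0.15", "163.172.105.82", 1080, 900.0, 2 * 2**30)
       for i in range(5)]
    + [_conn(1700000100.0 + i * 0.01, "10.0.0.30", "93.184.216.34", 443, 5.0, 1500)
       for i in range(6)]
    + [_conn(1700000200.0, "10.0.0.22", "10.0.0.5", 445, 3600.0, 5 * 2**30)]
)


def max_concurrent(intervals):
    """Peak number of overlapping (start, end) intervals, via a sweep line.

    At equal timestamps an end is processed before a start, so back-to-back
    rotated connections do not count as overlapping.
    """
    events = []
    for start, end in intervals:
        events.append((start, 1))
        events.append((end, -1))
    events.sort(key=lambda e: (e[0], e[1]))
    current = best = 0
    for _, delta in events:
        current += delta
        best = max(best, current)
    return best


def find_parallel_exfil(lines, min_parallel=4, min_total_bytes=2**30):
    """Return one hit per (src, dst, port) that shows parallel bulk upload.

    A hit requires both conditions: at least `min_parallel` connections open
    at the same moment AND at least `min_total_bytes` sent by the originator
    across all connections in the group. Thresholds are assumptions; tune
    them to the environment (e.g. exclude known backup destinations).
    """
    groups = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        groups[(rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])].append(rec)

    hits = []
    for (src, dst, port), conns in groups.items():
        intervals = [(c["ts"], c["ts"] + c.get("duration", 0.0)) for c in conns]
        total = sum(c.get("orig_bytes", 0) for c in conns)
        parallel = max_concurrent(intervals)
        if parallel >= min_parallel and total >= min_total_bytes:
            hits.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(conns),
                "max_parallel": parallel,
                "total_mib": total // 2**20,
                "largest_conn_mib": max(c.get("orig_bytes", 0) for c in conns) // 2**20,
            })
    return hits


if __name__ == "__main__":
    for hit in find_parallel_exfil(SAMPLE_CONN_LOG):
        print(hit)
```

Run as-is, the script reports only the 10.0.0.15 group (10 connections, 5 at a time, 20480 MiB total, 2048 MiB per connection); the browser group fails the byte threshold and the file-share session fails the concurrency threshold. The `largest_conn_mib` field is worth keeping in the alert: many connections each capped near the same size is the rotation behaviour described above, and it distinguishes this pattern from a single long-lived bulk transfer.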
Source: https://www.security.com/threat-intelligence/trigona-exfiltration-custom