New Trigona Ransomware Employs Unusual Techniques to Evade Detection

A relatively new strain of ransomware, using uncommon techniques and so far flying under the radar, has been hitting the manufacturing, finance, high tech and other industries in recent months, according to Palo Alto Networks' Unit 42 research group.

Unit 42 identified 15 potential victims of Trigona ransomware attacks in December, with two more ransom notes sent to organizations in January, and two more sent in February, Unit 42 said.

Trigona ransomware has been linked to compromises in several industries, with attacks targeting companies in the U.S., France, Italy, Germany, Australia, and New Zealand, according to the research.

"Trigona is a newer strain of ransomware that, to date, has had minimal coverage by security news articles," wrote the researchers at Palo Alto Networks, an ExtraHop integration partner. "This lack of security community awareness allows Trigona to discreetly attack victims while other higher-profile ransomware operations dominate the news headlines."

How Trigona Works

Criminals distributing Trigona are deploying an uncommon technique, by using a password-protected executable to hide malicious software. By shining a light on this activity, Unit 42 said it hopes to help organizations better defend themselves.

Unit 42 has observed malicious activity associated with Trigona coming from a compromised Windows 2003 server. Attackers then use NetScan for internal reconnaissance on a compromised network, followed by SplashTop, a legitimate remote access and management tool that they use to transfer malware into the target environment.

During the attack, the attackers upload a file, DC2.exe, containing a password-protected version of Mimikatz, a tool used to extract sensitive information such as passwords and authentication credentials from Windows. With password protection, it can be difficult for defenders to understand the program's functionality, Unit 42 said.

Threat actors can use Mimikatz to steal credentials and manipulate the stolen credentials by changing passwords, creating new user accounts, and adding users to groups. Attackers then can inject the manipulated credentials into other processes, allowing them to impersonate legitimate users and gain access to restricted resources.

Trigona's ransom note is dropped to the compromised system under the name, "how_to_decrypt.hta." The HTML document shows victims how to decrypt three files for free, but warns them that using additional recovery software will damage their data. The decryption ransom price increases every hour, the document warns.

Unit 42 notes the Trigona attackers use several tactics, techniques and procedures (TTPs) covered in the MITRE ATT&CKⓇ Framework for Enterprise. The ExtraHop Reveal(x) network detection and response solution alerts to and defends against several of these TTPs, including:

• TA0002: Execution
  • T10072: software deployment tools
• TA0005: Defense evasion
  • T1070.004: File deletion
• TA0007: Discovery
  • T1046: Network service scanning
  • T1069: Permission groups discovery
• TA0011: Command and control
  • T1219: Remote access tools
• TA0040: Impact
  • T1486: Data encrypted

When Trigona was first observed in late 2022, the attackers didn't appear to be using a leak site to release encrypted data if victims didn't pay. However, Unit 42 notes that a researcher identified a leak site attributed to Trigona hosted at IP address 45.227.253[.]99.

Using that IP address, Unit 42 researchers identified three other IP addresses related to Trigona's infrastructure:

• 45.227.253[.]106
• 45.227.253[.]98
• 45.227.253[.]107

"Due to the stream of victims identified by the Unit 42 team and Trigona's currently developing leak site, the operator and/or affiliates behind the ransomware likely will continue (and possibly even ramp up) its malicious activity," the researchers wrote.