Trigona Ransomware Attacking MS-SQL Servers – ASEC BLOG

Trigona ransomware campaigns target poorly managed MS-SQL servers, leveraging a CLR SqlShell dropper and service-based execution to escalate privileges and encrypt data. The operation includes credential abuse, registry and Run key persistence, and a ransom note with a Tor onion contact. #Trigona #CLRSqlShell #RemcosRAT #LemonDuck #Mallox #GlobeImposter #MSSQL

Keypoints

  • Trigona-associated activity targets exposed MS-SQL servers that still use simple, guessable credentials; logging in with those credentials is the initial access.
  • The attack chain often involves CLR SqlShell first, followed by the Trigona ransomware deployment.
  • CLR SqlShell functions include privilege escalation (MS16-032), information gathering, and user account configuration, with methods to download additional payloads.
  • xp_cmdshell is not the only OS command method; CLR extended procedures can be abused to run commands.
  • svcservice.exe acts as a service-based dropper that launches Trigona (svchost.exe) and svchost.bat, which registers Run key persistence and then deletes shadow copies to disable recovery.
  • Trigona encrypts files without regard to extension (suffixed with ._locked) and distributes a ransom note with a Tor onion contact.

MITRE Techniques

  • [T1547.001] Registry Run Keys/Startup Folder – svchost.bat adds the Trigona binary to a Run key so that it survives a reboot. “svchost.bat first registers the Trigona binary to the Run key to ensure that it can run even after a reboot.”
  • [T1543.003] Create or Modify System Process – svcservice.exe is a dropper malware that operates as a service. When executed as a service, “it creates and executes the actual Trigona ransomware, svchost.exe, in the same path.”
  • [T1490] Inhibit System Recovery – The batch file “svchost.bat” deletes volume shadow copies and disables the system recovery feature, making recovery from the ransomware infection impossible.
  • [T1112] Modify Registry – The registry is edited and the system is rebooted to change the SQL service account to LocalSystem.
  • [T1068] Exploitation for Privilege Escalation – The routine used in the MS16-032 vulnerability exploitation is almost the same as the disclosed code, and it uses its escalated privilege to execute the binary included inside of it.
  • [T1059.003] Windows Command Shell – There are many methods to execute OS commands besides the xp_cmdshell command, and one of them includes the use of the CLR extended procedure.
  • [T1486] Data Encrypted for Impact – Trigona encrypts files and appends the “._locked” extension; ransom note instructs contact. “Files are encrypted with a secure AES algorithm and are suffixed with the “._locked” extension.”
  • [T1105] Ingress Tool Transfer – The CLR SqlShell ExecCommand() method is used when downloading additional payloads. “ExecCommand() method of this CLR SqlShell, evilclr.dll, is used when downloading additional payloads.”
  • [T1021] Remote Services (Lateral Movement tactic) – LemonDuck, another family that abuses MS-SQL, propagates across the internal network after logging into the sa account, showing how the same foothold supports lateral movement. “LemonDuck also targets MS-SQL servers for internal network propagation and malicious behavior is performed after logging into the sa account.”
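Detection logic for the initial-access, command-execution, persistence and recovery-inhibition stages listed in the Keypoints and MITRE sections, as an added example that is not code from the ASEC post or from any tool it names. It runs two checks over constructed data: SQL Server ERRORLOG lines (repeated failed logins from one client followed by a success, then “clr enabled” and “xp_cmdshell” being switched on) and Sysmon-style process-creation events (a shell spawned by sqlservr.exe, a Run key registration, shadow copy deletion, recovery disabled). The log lines, the C:\Users\Public path, the Run key value name and the vssadmin/bcdedit commands are assumptions made for illustration; the post does not give the actual commands svchost.bat runs.

```python
"""Detection logic for the Trigona / CLR SqlShell chain summarized above.

Added example: not code from the ASEC post or from any tool it names.
Every log line and process event below is constructed for illustration;
paths, registry value names and exact commands are assumptions.
"""
import re
from collections import Counter

# ---- 1. SQL Server ERRORLOG: credential guessing, then risky config changes ----

# Constructed sample mirroring the ERRORLOG layout (timestamp, source, message).
SQL_ERRORLOG = """\
2024-05-01 03:12:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 03:12:01.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 03:12:01.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 03:12:01.80 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2024-05-01 03:12:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 03:12:02.44 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2024-05-01 03:12:05.00 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 03:12:05.10 spid57      Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 03:12:05.20 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 09:00:00.00 Logon       Login failed for user 'report'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

FAILED_LOGIN = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
LOGIN_OK = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
CONFIG_CHANGE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d) to (?P<new>\d)")

# Enabling these gives a SQL login a path to OS command execution (xp_cmdshell,
# CLR procedures, OLE automation). 'clr strict security' is the opposite case:
# switching it OFF is what lets UNSAFE assemblies such as a SqlShell load.
RISKY_ENABLE = {"xp_cmdshell", "clr enabled", "Ole Automation Procedures"}
RISKY_DISABLE = {"clr strict security"}


def analyze_errorlog(text, threshold=3):
    """Return clients with >= threshold failed logins, logins that succeeded after
    such failures from the same client, and dangerous configuration changes."""
    failures = Counter()          # client IP -> failed login count
    success_after_failures = []   # (ip, user, prior failures)
    risky_changes = []            # (option, old, new)
    for line in text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m["ip"]] += 1
            continue
        m = LOGIN_OK.search(line)
        if m and failures[m["ip"]] >= threshold:
            success_after_failures.append((m["ip"], m["user"], failures[m["ip"]]))
            continue
        m = CONFIG_CHANGE.search(line)
        if m:
            opt, new = m["opt"], m["new"]
            if (opt in RISKY_ENABLE and new == "1") or (opt in RISKY_DISABLE and new == "0"):
                risky_changes.append((opt, m["old"], new))
    return {
        "brute_force_sources": {ip: n for ip, n in failures.items() if n >= threshold},
        "success_after_failures": success_after_failures,
        "risky_config_changes": risky_changes,
    }


# ---- 2. Process creation events: SQL-spawned shell, Run key, recovery sabotage ----

# Constructed Sysmon-style (Event ID 1) records; paths and value names are assumed.
PROCESS_EVENTS = [
    {"parent": "sqlservr.exe", "image": "cmd.exe",
     "command_line": r'cmd.exe /c "C:\Users\Public\svchost.bat"'},
    {"parent": "cmd.exe", "image": "reg.exe",
     "command_line": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\Users\Public\svchost.exe /f"},
    {"parent": "cmd.exe", "image": "vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"parent": "cmd.exe", "image": "bcdedit.exe",
     "command_line": "bcdedit /set {default} recoveryenabled no"},
    {"parent": "explorer.exe", "image": "notepad.exe",
     "command_line": "notepad.exe readme.txt"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# (MITRE technique, predicate) pairs; each predicate maps one event to True/False.
PROCESS_RULES = [
    ("T1059.003 shell spawned by sqlservr.exe (xp_cmdshell or CLR procedure)",
     lambda e: e["parent"].lower() == "sqlservr.exe" and e["image"].lower() in SHELLS),
    ("T1547.001 Run key registration",
     lambda e: re.search(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", e["command_line"], re.I) is not None),
    ("T1490 shadow copy deletion",
     lambda e: re.search(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
                         e["command_line"], re.I) is not None),
    ("T1490 recovery disabled via bcdedit",
     lambda e: re.search(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no\b", e["command_line"], re.I) is not None),
]


def analyze_process_events(events):
    """Return (technique, image, command_line) for every rule an event matches."""
    hits = []
    for e in events:
        for technique, pred in PROCESS_RULES:
            if pred(e):
                hits.append((technique, e["image"], e["command_line"]))
    return hits


if __name__ == "__main__":
    from pprint import pprint
    pprint(analyze_errorlog(SQL_ERRORLOG))
    pprint(analyze_process_events(PROCESS_EVENTS))
```

On the server itself the same configuration questions can be answered from the inside: sys.configurations shows whether xp_cmdshell and clr enabled are on, and sys.assemblies filtered on is_user_defined = 1 lists loaded CLR assemblies, which is where a SqlShell such as the evilclr.dll named above would appear.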

Indicators of Compromise

  • [MD5] Trigona Dropper (svcservice.exe) – 1cece45e368656d322b68467ad1b8c02
  • [MD5] Trigona Ransomware (svchost.exe) – 530967fb3b7d9427552e4ac181a37b9a
  • [MD5] Batch Runner (svchost.bat) – 1e71a0bb69803a2ca902397e08269302
  • [MD5] CLR SqlShell – 46b639d59fea86c21e5c4b05b3e29617
  • [MD5] nt.exe – 5db23a2c723cbceabec8d5e545302dc4
  • [URL] Onion ransom contact – hxxp://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad[.]onion/
  • [File] Ransom note filename – how_to_decrypt.hta

Read more: https://asec.ahnlab.com/en/51343/