Bee-Ware of Trigona, An Emerging Ransomware Strain

MITRE Techniques

• [T1072] Software Deployment Tools – Splashtop is used to move laterally and transfer malware between compromised hosts in the victim’s environment. “Trigona operators use Splashtop to move laterally and transfer malware between compromised hosts in the victim’s environment.”
• [T1546.008] Accessibility Features – DC4.exe creates a “Sticky Keys backdoor” that allows for creation of a command prompt with NT AUTHORITYSYSTEM privileges. “DC4.exe… creates a batch script that, when executed, creates a “Sticky Keys backdoor” that allows for the creation of a command prompt with NT AUTHORITYSYSTEM privileges.”
• [T1136] Create Account – Newuser.bat creates a new user with the username fredla and the password Qw123456. “Newuser.bat creates a new user with the name fredla and the password Qw123456.”
• [T1098] Account Manipulation – Trigona operators compromise administrator accounts and use them to conduct malicious activities, such as executing NetScan. “compromise administrator accounts and use them to conduct malicious activities, such as executing NetScan.”
• [T1027] Obfuscated Files or Information – DC2.exe and DC4.exe are UPX-packed to evade static detection. “use UPX to pack DC2.exe and DC4.exe to avoid static signature detection.”
• [T1112] Modify Registry – DC4.exe modifies the Windows registry to allow remote desktop connections. “modifies the Windows registry to allow remote desktop connections.”
• [T1562.004] Disable/Modify System Firewall – DC4.exe opens an RDP port in the firewall to permit remote access. “opens up an Remote Desktop Protocol (RDP) port in the firewall with DC4.exe.”
• [T1070.001] Clear Windows Event Logs – Turnoff.bat is used to clear event logs via wevtutil cl. “Turnoff.bat to clear event logs via wevtutil cl.”
• [T1070.004] File Deletion – Attackers delete files such as mim.exe, mim32.exe, zam.exe and zam.bat to cover tracks. “delete files such as mim.exe, mim32.exe, zam.exe and zam.bat to cover their tracks.”
• [T1036.004] Masquerade Task or Service – The ransomware binary svhost.exe is named to mimic svchost.exe. “ransomware binary was named svhost.exe to mimic svchost.exe.”
• [T1555] Credentials from Password Stores – Mimikatz is used to dump credentials. “Credentials from Password Stores [T1555]… Mimikatz to dump passwords.”
• [T1003] OS Credential Dumping – Mimikatz dumps passwords from OS credential stores. “OS Credential Dumping [T1003], LSASS Memory [T1003.001].”
• [T1003.001] LSASS Memory – Mimikatz dumps credentials from LSASS memory. “LSASS Memory [T1003.001]… Mimikatz.”
• [T1021.001] Remote Desktop Protocol – RDP is used to move laterally within targets. “Remote Desktop Protocol” in the TTPs.
• [T1570] Lateral Tool Transfer – Splashtop is used to transfer tools between hosts. “Lateral Tool Transfer [T1570]… Splashtop to transfer malicious tools.”
• [T1105] Ingress Tool Transfer – Splashtop transfers netscan.exe/netscan.xml/netscan.lic/newuser.bat/start.bat/turnoff.bat. “
• [T1219] Remote Access Software – Splashtop is installed and executed for remote access. “Remote Access Software [T1219]… Splashtop.”
• [T1046] Network Service Discovery – NetScan enumerates hosts and services in the victim’s domain. “Network Service Discovery [T1046]… NetScan to enumerate hosts.”
• [T1069] Permission Groups Discovery – NetScan enumerates Administrators group membership. “Permission Groups Discovery [T1069]… Administrators group.”
• [T1016] System Network Configuration Discovery – Indirect reference to network discovery tools identifying network configuration. “System Network Configuration Discovery [T1016]…”
• [T1486] Data Encrypted for Impact – Trigona encrypts files with ._locked extension. “Data Encrypted for Impact [T1486]… _locked.”
• [T1489] Service Stop – Turnoff.bat stops services related to remote tools and virtualization platforms. “Service Stop [T1489]… stop services.”
• [T1490] Inhibit System Recovery – Turnoff.bat deletes Volume Shadow Copies. “Inhibit System Recovery [T1490]… Delete Volume Shadow Copies.”