Researchers observed Trigona ransomware operators using a custom command-line exfiltration tool named uploader_client.exe to steal data faster and evade detection. The tool offers parallel uploads, TCP rotation, selective file-type exfiltration, and an authentication key, and Symantec links its use to a broader campaign that leverages kernel drivers, privilege escalation, remote access, and credential theft. #Trigona #uploader_client
Key points
- A custom exfiltration utility, uploader_client.exe, was used to speed data theft and avoid detection.
- The tool supports five parallel connections per file, rotates TCP connections after 2GB, and can exclude large media files.
- Attackers installed HRSword as a kernel driver and leveraged vulnerable drivers to terminate endpoint protection.
- They used PowerRun for elevated execution, AnyDesk for remote access, and utilities like Mimikatz and Nirsoft for credential theft.
- Symantec published indicators of compromise to help detect and block the resumed Trigona activity.
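A defender-side heuristic for the upload pattern described in the key points (many simultaneous connections from one process to one destination, individual connections closing near 2 GB), written as an added example rather than anything from Symantec's report; the flow-record layout, the thresholds and the sample telemetry are assumed and constructed.

```python
"""Flag process/destination pairs whose outbound flows look like bulk exfiltration:
>= N parallel connections and a large total volume, with a count of connections
that closed near the 2 GB rotation size. Heuristic only; thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

GB = 1024 ** 3
MB = 1024 ** 2


@dataclass
class Flow:
    host: str      # internal endpoint (constructed name)
    process: str   # image that owned the socket, from EDR-style telemetry
    dst: str       # external destination ip:port
    start: int     # connection open, epoch seconds
    end: int       # connection close, epoch seconds
    bytes_out: int # bytes sent by the host


def max_concurrency(flows):
    """Sweep line: the largest number of flows open at one instant (closes sort before opens on ties)."""
    events = sorted([(f.start, 1) for f in flows] + [(f.end, -1) for f in flows])
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak


def find_bulk_exfil(flows, min_parallel=5, min_total=1 * GB, rotate_at=2 * GB, slack=0.05):
    """Group by (host, process, dst); report groups meeting the parallelism and volume bars."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.host, f.process, f.dst)].append(f)
    hits = []
    for (host, proc, dst), group in groups.items():
        total = sum(f.bytes_out for f in group)
        parallel = max_concurrency(group)
        if parallel >= min_parallel and total >= min_total:
            rotated = sum(1 for f in group if abs(f.bytes_out - rotate_at) <= slack * rotate_at)
            hits.append({"host": host, "process": proc, "dst": dst, "parallel": parallel,
                         "total_gb": round(total / GB, 2), "rotated_at_2gb": rotated})
    return hits


# Constructed sample telemetry: five simultaneous uploads from one unknown binary
# (two closed at exactly 2 GB) next to ordinary browser traffic from the same host.
SAMPLE_FLOWS = [
    Flow("ws-finance-07", "uploader_client.exe", "203.0.113.10:443", 1000, 1900, 2 * GB),
    Flow("ws-finance-07", "uploader_client.exe", "203.0.113.10:443", 1000, 1950, 2 * GB),
    Flow("ws-finance-07", "uploader_client.exe", "203.0.113.10:443", 1005, 1800, 900 * MB),
    Flow("ws-finance-07", "uploader_client.exe", "203.0.113.10:443", 1010, 1700, 700 * MB),
    Flow("ws-finance-07", "uploader_client.exe", "203.0.113.10:443", 1020, 1600, 500 * MB),
    Flow("ws-finance-07", "chrome.exe", "198.51.100.5:443", 1000, 1100, 3 * MB),
    Flow("ws-finance-07", "chrome.exe", "198.51.100.5:443", 1050, 1200, 2 * MB),
]

if __name__ == "__main__":
    for hit in find_bulk_exfil(SAMPLE_FLOWS):
        print(hit)
```

Real telemetry needs per-socket byte counts tied to a process (Sysmon network events alone do not carry volume), so pair this with flow data from the egress point.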