
[ Intelligence ] (TLP: CLEAR) Trigona Ransomware Targets Vulnerable and Poorly Managed MS-SQL Servers

TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/

Summary: AhnLab Security Emergency Response Center (ASEC) published a report (weblink below) on April 17, 2023, detailing a malicious campaign deploying Trigona ransomware to vulnerable and poorly managed MS-SQL servers. Such servers are typically exposed to external (internet) connections and protected only by simple account credentials, which adversaries can abuse to log in and perform further malicious activity, including deploying malware.

According to ASEC’s report, the infection starts with the installation of CLR shell malware, a malicious Common Language Runtime (CLR) assembly loaded into SQL Server through its CLR integration feature. The CLR shell variant used in this campaign has no command execution routine. Instead, it exploits a privilege escalation vulnerability (MS16-032, a flaw in the Windows Secondary Logon service) and can steal the victim’s sensitive data, including user account configuration.

Once the CLR shell malware has exploited MS16-032 and the adversary holds elevated privileges on the targeted MS-SQL server, the Trigona ransomware is deployed and executed. As explained by ASEC, the actual Trigona ransomware (svchost[.]exe) is written to disk by its dropper (svcservice[.]exe) and runs as a Windows service.
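The following T-SQL audit is an added example for this advisory; it is not taken from the ASEC report or the NYSIC CAU note. It checks an MS-SQL instance for the preconditions the campaign described above relies on (CLR integration enabled, user-defined CLR assemblies present, weak SQL logins, external TCP clients) and fingerprints any loaded assemblies so their hashes can be compared against an IOC list. It assumes you connect as a sysadmin, the instance is SQL Server 2016 or later (HASHBYTES over varbinary(max)), and the weak-password candidates are a constructed sample, not indicators from the report.

```sql
-- Added example (not from the ASEC report or the NYSIC advisory):
-- audit an MS-SQL instance for the conditions abused by the Trigona campaign.
-- Assumptions: run as sysadmin; SQL Server 2016+; the weak-password list
-- below is a constructed sample and should be replaced with your own banned list.
SET NOCOUNT ON;

-- 1. Is CLR integration (needed to run a CLR shell) or xp_cmdshell enabled?
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security', 'xp_cmdshell');

-- 2. Every user-defined CLR assembly, its permission set, owner, and a
--    SHA-256 of the assembly bytes for comparison against IOC hashes.
SELECT a.name                    AS assembly_name,
       a.permission_set_desc,    -- UNSAFE / EXTERNAL_ACCESS can reach the OS
       a.create_date,
       USER_NAME(a.principal_id) AS owner_name,
       f.name                    AS file_name,
       CONVERT(varchar(64), HASHBYTES('SHA2_256', f.content), 2) AS sha256
FROM sys.assemblies a
JOIN sys.assembly_files f ON f.assembly_id = a.assembly_id
WHERE a.is_user_defined = 1
ORDER BY a.create_date DESC;

-- 3. Stored procedures/functions backed by CLR assemblies: this is how a
--    loaded CLR shell is actually invoked.
SELECT o.name AS object_name, o.type_desc,
       a.name AS assembly_name, m.assembly_class, m.assembly_method
FROM sys.assembly_modules m
JOIN sys.objects    o ON o.object_id   = m.object_id
JOIN sys.assemblies a ON a.assembly_id = m.assembly_id;

-- 4. SQL logins whose password equals a weak candidate (PWDCOMPARE needs
--    CONTROL SERVER). Constructed sample list; extend as needed.
DECLARE @weak TABLE (pwd nvarchar(128));
INSERT INTO @weak VALUES (N'sa'), (N'password'), (N'123456'), (N'Password1'), (N'admin');
SELECT l.name, l.is_disabled, w.pwd AS matched_weak_password
FROM sys.sql_logins l
CROSS JOIN @weak w
WHERE PWDCOMPARE(w.pwd, l.password_hash) = 1;

-- 5. Current TCP clients and where they come from. Public client addresses
--    on a database server are the "exposed to external connections"
--    condition the advisory describes.
SELECT c.session_id, c.client_net_address, c.local_tcp_port, c.auth_scheme,
       s.login_name, s.host_name, s.program_name, s.login_time
FROM sys.dm_exec_connections c
JOIN sys.dm_exec_sessions s ON s.session_id = c.session_id
WHERE c.net_transport = 'TCP';

-- 6. Remediation when no legitimate workload needs CLR or xp_cmdshell.
--    Uncomment and run deliberately after confirming with application owners.
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
-- EXEC sp_configure 'clr enabled', 0;           RECONFIGURE;
```

Any user-defined assembly with an UNSAFE permission set that no application team can account for, or a CLR-backed procedure created around the time of suspicious logins in step 5, is the artifact to preserve (sys.assembly_files.content is the full assembly image) before cleaning up. Disabling an unused CLR integration and rotating weak SQL logins removes the entry point the campaign depends on.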

ASEC Report: hxxps://asec.ahnlab[.]com/en/51343/

NYSIC CAU Analyst Note:  The Trigona ransomware also creates a registry Run key to gain persistence, deletes shadow copies, and disables system recovery before proceeding with its encryption process. A ransom note is dropped in each encrypted folder, instructing victims to install the Tor Browser and contact the adversary’s address to recover their encrypted and stolen files.

Additionally, the New York City Police Department compiled a list of IOCs to aid in threat mitigation and network defense.  For your convenience, a copy of the IOC list in a form that allows copying and pasting can be found in the attached document (click the yellow push pin).

This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – County Information Contacts

For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
