Trigona ransomware has resumed operations after a 2023 disruption, now deploying a custom data exfiltration tool called 'uploader_client.exe' in recent attacks. The tool supports five simultaneous connections per file, rotates TCP connections after 2GB of traffic to evade monitoring, and uses an authentication key to restrict access to stolen data. Attackers also use HRSword as a kernel driver service, multiple tools to disable endpoint protection via vulnerable kernel drivers, AnyDesk for remote access, and Mimikatz for credential theft. Symantec attributes the shift to custom tooling as an effort to maintain a lower profile and avoid triggering security solutions that detect common tools like Rclone and MegaSync.
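The two network traits described above (several parallel connections to one destination, each rotated at roughly 2 GB) give a defender something to hunt for in flow data. The following is an added example, not code from the article or from Symantec, that scores outbound flow records for that pattern; the record format, the sample flows and the thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict

TWO_GB = 2 * 1024 ** 3

# Constructed sample flow records: start_s,end_s,src_ip,dst_ip,bytes_out
SAMPLE_FLOWS = [
    # suspicious: parallel uploads to one host, each cut off near 2 GB
    "0,600,10.0.0.5,203.0.113.10,2147400000",
    "0,610,10.0.0.5,203.0.113.10,2147500000",
    "5,620,10.0.0.5,203.0.113.10,2147300000",
    "600,1200,10.0.0.5,203.0.113.10,2147480000",
    "610,1210,10.0.0.5,203.0.113.10,2147490000",
    # benign: one long backup connection well above the rotation size
    "0,3600,10.0.0.7,198.51.100.4,12000000000",
    # benign: small web traffic
    "10,11,10.0.0.8,192.0.2.9,48000",
]

def parse_flow(line):
    start, end, src, dst, nbytes = line.strip().split(",")
    return int(start), int(end), src, dst, int(nbytes)

def max_concurrent(intervals):
    # Sweep-line count of overlapping [start, end) intervals; an end that
    # coincides with a start is processed first, so they do not overlap.
    events = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
    cur = best = 0
    for _, delta in events:
        cur += delta
        best = max(best, cur)
    return best

def detect_rotated_exfil(flow_lines, rotation_bytes=TWO_GB, tolerance=0.05,
                         min_rotated=3, min_parallel=2):
    """Return {(src, dst): stats} for pairs with at least `min_rotated` flows
    whose size lies within `tolerance` of `rotation_bytes`, of which at least
    `min_parallel` overlapped in time. A single large transfer is not flagged."""
    lo, hi = rotation_bytes * (1 - tolerance), rotation_bytes * (1 + tolerance)
    by_pair = defaultdict(list)
    for line in flow_lines:
        start, end, src, dst, nbytes = parse_flow(line)
        if lo <= nbytes <= hi:
            by_pair[(src, dst)].append((start, end))
    hits = {}
    for pair, ivals in by_pair.items():
        parallel = max_concurrent(ivals)
        if len(ivals) >= min_rotated and parallel >= min_parallel:
            hits[pair] = {"rotated_flows": len(ivals), "max_parallel": parallel}
    return hits

if __name__ == "__main__":
    print(detect_rotated_exfil(SAMPLE_FLOWS))
```

The size window and flow counts are tuning knobs; a real deployment would pair this with the destination's reputation and the uploading process, since a legitimate chunked uploader can produce similar flow sizes.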

From bleepingcomputer.com