Bee-Ware of Trigona, An Emerging Ransomware Strain

This post is also available in: 日本語 (Japanese)

Executive Summary

Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries.

Unit 42 researchers identified two new Trigona ransom notes in January 2023 and two in February 2023. Trigona’s ransom notes are unique; rather than the usual text file, they are instead presented in an HTML Application with embedded JavaScript containing unique computer IDs (CID) and victim IDs (VID).

Palo Alto Networks helps detect and prevent Trigona ransomware with the following products and services: Cortex XDR, Prisma Cloud and Next-Generation Firewalls (including cloud-delivered security subscriptions such as WildFire) and through incident response.

Trigona Overview

The first mention of Trigona, also the name of a family of stingless bees, comes from a tweet by security researchers in late October 2022. Malware samples were passed to BleepingComputer, which in turn published a blog post on the ransomware on Nov. 29, 2022. Unit 42 consultants also have seen Trigona firsthand in the course of incident response.

Unit 42 researchers have observed Trigona’s threat operator engaging in behavior such as obtaining initial access to a target’s environment, conducting reconnaissance, transferring malware via remote monitoring and management (RMM) software, creating new user accounts and deploying ransomware.

Ransomware Analysis

Ransomware Binary

Unit 42 obtained and analyzed a sample of the Trigona ransomware binary, named svhost.exe. Upon execution, the ransomware binary uses TDCP_rijndael (a Delphi AES library) to encrypt files. The ransomware then appends the ._locked file extension, modifies registry keys to maintain persistence, and drops ransom notes.

The ransomware binary supports the following command line arguments:

The ransomware establishes persistence through the creation of two keys in CurrentVersion\Run. Keys found in CurrentVersion\Run contain references to programs that will execute when a user logs in.

One key executes the ransomware binary whenever the user logs in, ensuring that the encryption process would resume upon reboot. The other key ensures that the ransom note is opened every time the user logs in.

Ransom Note

Trigona’s ransom note is dropped to the system with the name how_to_decrypt.hta. The HTML code in this file contains embedded JavaScript functionality, which displays ransom note details as shown below in Figure 1.

Unit 42 researchers observed that the JavaScript within the ransom note contains the following information:

• A uniquely generated CID and VID
• A link to the negotiation Tor portal
• An email address to contact.

The contact email shown below in Figure 2 is phandaledr@onionmail[.]org. We have also seen farusbig@tutanota[.]com used as the contact email in other Trigona ransom notes.

Victimology

By looking at the victim ID in the embedded JavaScript in the Trigona ransom notes, we were able to identify at least 15 potential victims that were compromised in December 2022. We also identified two new Trigona ransom notes in January 2023 and two in February 2023.

Trigona ransomware has been linked to compromises impacting multiple organizations worldwide, in sectors including manufacturing, finance, construction, agriculture, marketing and high technology. The companies impacted were in the United States, Italy, France, Germany, Australia and New Zealand.

Leak Site Analysis

When Trigona was first observed, there was no evidence of this group using a leak site for double extortion. Their ransom note pointed the victims to their negotiation portal instead. During the investigation of this ransomware family, we observed that a researcher identified a leak site attributed to Trigona hosted on the IP address 45.227.253[.]99.

Unit 42 researchers pivoted on the SSH key for 45.227.253[.]99 and identified three other IP addresses related to Trigona’s infrastructure:

• 45.227.253[.]106
• 45.227.253[.]98
• 45.227.253[.]107

Each IP shares the same SSH key of ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMjqeyIfJyuimtE414TBCxN+lHleN5/P3CNiD4uln5xyHjyw4muLePQj2y3yOJ7GLlTvjrheWlrot3REko99eKQ=.

IPs 45.227.253[.]99 and 45.227.253[.]106 hosted web servers on port 8000, while 45.227.253[.]98 and 45.227.253[.]107 hosted no web services.

We identified that 45.227.253[.]99 hosted a web server between Dec. 6, 2022, and Jan. 27, 2023. On Feb. 13, 2023, 45.227.253[.]106 started hosting a web server with the HTML title Trigona Leaks that was active until March 3, 2023.

As shown in Figure 3, each post contained the following information:

• A description of the company
• The victim’s ZoomInfo page
• A description of the stolen data
• Links to screenshots of example files
• A countdown timer
• A button to bid for the data.

The “@ Place a bid” button contained a mailto link to auction@mailthink[.]net. Mailthink is a service that allows users to create temporary, disposable email addresses.

While the leak site was active, there were four victims:

• Victim 1 has a near-duplicate post on the BlackCat (ALPHV) leak site and a countdown timer of over 300 days. Security researchers at Arete Incident Response recently observed Trigona leveraging BlackCat’s reputation and data leak site to pressure and extort victims. It’s unclear whether Victim 1 was impacted by Trigona.
• Victim 2 has a duplicate post on the BlackCat (ALPHV) leak site and a countdown timer of over 300 days. It’s unclear whether Victim 2 was impacted by Trigona.
• Victim 3 has an associated ransom note on VirusTotal and a countdown timer of just over 30 days. Unit 42 assesses with high confidence that Victim 3 was impacted by Trigona.
• Victim 4 is not mentioned on any other ransomware gang’s leak site and has a countdown timer of over 300 days. Unit 42 did not identify any associated ransom notes and it’s unclear whether Victim 4 was impacted by Trigona.

The countdown timers of over 300 days for Victims 1, 2 and 4 were well beyond the usual timeframe that we have observed in incident response cases where attackers demand payment, which is between two and four weeks.

Given the following features, the Unit 42 team believes with moderate confidence that the surface web leak page was a development environment to test out features before a possible move to the dark web:

• Several posts appear to be duplicates from the BlackCat leak site (as shown in Figure 4)
• Several of the countdown timers are considerably longer
• The leak site is no longer available on the surface web

Similarities to CryLock Ransomware

Trigona operators share overlap in tactics, techniques and procedures (TTPs) with CryLock ransomware operators, suggesting that ransomware threat actors that once deployed CryLock ransomware might have moved on to deploying Trigona ransomware. The email associated with Trigona ransom notes analyzed by Unit 42 (phandaledr@onionmail[.]org) was mentioned in an online forum discussing CryLock ransomware, as shown below in Figure 5.

Both ransomware families also drop ransom notes in HTML Application format, named how_to_decrypt.hta. There are also similarities in the ransom message, including:

• Their claim that all “documents, databases, backups, and other critical” files and data were encrypted
• AES as their choice of cryptographic algorithm
• Their statement that “the price depends on how soon you will contact us”

Tools and Techniques

Unit 42 has seen evidence of malicious activity associated with Trigona originating from a compromised Windows 2003 server, followed by the threat operators executing NetScan for internal reconnaissance.

NetScan

Unit 42 analysts recovered the NetScan output and noticed that it contained Cyrillic characters, as shown below in Figure 6. Changing the default language of NetScan to Russian is an option that can be configured upon initial installation.

After conducting reconnaissance, Trigona operators used Splashtop – a remote access and management (RMM) tool – to transfer the following malware into the target’s environment.

Threat actors often abuse, take advantage of or subvert legitimate products for malicious purposes. This does not necessarily imply a flaw or malicious quality to the legitimate product being abused.

Start.bat

Start.bat is a batch script that performs the following activities:

• It creates a new folder at C:\temp
• It copies other malicious batch and EXE files from a compromised internal Server Message Block (SMB) server to the newly created temp folder
• It executes Turnoff.bat

Turnoff.bat

Turnoff.bat is a cleanup script used to remove evidence of the attack on a system. It does so by performing the following activities:

• Clearing the Recycle Bin of any mounted drive
• Attempting to use sc stop and taskkill to stop over 100 services related to various areas ranging from remote desktop tools to Windows Defender
• Attempting to stop services related to VMware, Hyper-V and SQL
• Ending several running tasks related to the stopped services mentioned above
• Clear Windows Event Logs (using wevutil cl)
• Deleting Volume Shadow Copies
• Disconnecting all network drives

Unit 42 researchers have observed that cleanup scripts from other threat actors are usually smaller and more specific to the tools used by that actor. The scattershot variety of services and tasks that turnoff.bat stops could suggest that the tool is attempting to ensure that a wider variety of systems are encrypted.

Newuser.bat

Newuser.bat is a batch script that creates a new user with the name fredla and the password Qw123456. It then adds the fredla user to the local groups Administrator and Remote Desktop Users. Threat actors sometimes create privileged user accounts to keep access to target systems without having to install persistent remote access tools on the system.

DC2.exe

DC2.exe contains a password protected version of Mimikatz, which is a tool used for extracting sensitive information such as passwords and authentication credentials from a Windows operating system.

This version of Mimikatz has been compressed using UPX. While UPX is often legitimately used to reduce file size, we have observed threat actors utilizing UPX and other packing programs to evade static detection of the underlying payload.

The tool is also password protected, which adds an extra layer of complexity when ascertaining the program’s functionality.

When the executable is run, the threat actor is prompted for a password to continue. The MD5 hash of the password is then calculated, and if it is equal to 4dbf44c6b1be736ee92ef90090452fc2, the program will continue running.

The password required to achieve the MD5 hash is boris.

Among its many legitimate uses, Unit 42 researchers have most often observed Mimikatz being leveraged maliciously by threat actors in the following ways:

• Credential Loading
  • Mimikatz loads credentials from various sources such as Windows memory, Local Security Authority Subsystem Service (LSASS) process and the Windows registry.
• Credential Dumping
  • The tool then extracts and dumps the credentials, including usernames and passwords, hashes, and Kerberos tickets to the screen or to a file.
• Credential Manipulation
  • Mimikatz allows the user to manipulate the dumped credentials, such as changing passwords, creating new user accounts and adding users to groups.
• Credential Injection
  • The tool can also inject the manipulated credentials into other processes, allowing the user to impersonate another user and gain access to restricted resources.

DC4.exe

DC4.exe is a small, UPX-packed password protected binary that generates and executes an embedded batch file. Like DC2.exe, the password to allow the binary to run is boris.

Upon execution, the batch file makes the following changes to the system:

1. Disables the User Account Control (UAC) and sets cmd.exe as a debugger for HelpPane.exe, utilman.exe, Magnify.exe and sethc.exe. This is a common method of creating a “Sticky Keys backdoor” that allows for the creation of a command prompt with NT AUTHORITY\SYSTEM privileges.
2. Opens specific ports on the firewall to allow remote desktop connections using the netsh command.
3. Modifies the Windows registry to allow remote desktop connections.
4. Creates a new user account with the username sys and password Mm1518061+-, and adds this user to the Administrator and Remote Desktop Users groups.

DC6.exe

DC6.exe is an installer for the publicly available tool Advanced Port Scanner, wrapped up in an Inno Setup installer package. Inno Setup is a free software installer for Windows programs. Advanced Port Scanner is a tool that is commonly abused by threat actors for network scanning and mapping, for lateral movement and discovery purposes.

Wrapping Advanced Port Scanner in Inno Setup adds an additional layer of obfuscation to the code, and it is likely to evade static signature detection, forcing dynamic analysis to determine functionality rather than relying on traditional static code signatures.

TTPs

Conclusion

Trigona is a newer strain of ransomware that, to date, has had minimal coverage by security news articles. This lack of security community awareness allows Trigona to discreetly attack victims while other higher-profile ransomware operations dominate the news headlines. We hope that shining a light on Trigona and its uncommon technique of using password-protected executables to obfuscate malware helps defenders better protect their organizations against this threat.

Due to the stream of victims identified by the Unit 42 team and Trigona’s currently developing leak site, the operator and/or affiliates behind the ransomware likely will continue (and possibly even ramp up) its malicious activity.

Palo Alto Networks customers receive protections from Trigona threats through the following products:

• WildFire currently lists all known binaries of Trigona as malicious, which will trigger alerting within Prisma Cloud and Cortex XDR.
• Prisma Cloud will detect any instance of this malware being executed through properly configured Defender agents using Wildfire.
  • Additionally, Prisma Cloud Defender agents can be installed on Windows 2016 and 2019 servers, as well as on Windows Docker Container hosts.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

• North America Toll-Free: 866.486.4842 (866.4.UNIT42)
• EMEA: +31.20.299.3130
• APAC: +65.6983.8730
• Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Additional Resources

• Trigona ransomware spotted in increasing attacks worldwide - BleepingComputer
• Ransomware Roundup - Trigona Ransomware - Fortinet

Product Protection Guide

Table 1. Product Protection Guide.

Updated March 16, 2023, at 10:13 a.m. PT.