Ransomware Spotlight: Trigona


T1190 – Exploit Public-Facing Application
Trigona has been observed to exploit the following Zoho ManageEngine ADSelfService Plus authentication bypass vulnerability:

CVE-2021-40539

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
It adds the following registries for automatic execution upon startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• {Generated ID 1} = {Malware File Path}\{Malware name}.exe
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• {Generated ID 2} = %User Temp%\how_to_decrypt.hta

T1140 – Deobfuscate/Decode Files or Information
The Trigona ransomware sample we investigated decrypts its configuration at the resource section named “cfgs.”

T1218.005 – System Binary Proxy Execution: Mshta
Trigona executes the following command to display the ransom note after encryption:

• %System%\mshta.exe %User Temp%\how_to_decrypt.hta

T1036.005 – Masquerading: Match Legitimate Name or Location
Trigona named some samples as svchost.exe to evade detection.

T1497.003 – Virtualization/Sandbox Evasion: Time-Based Evasion
When executed with the argument /sleep {seconds}, the ransomware "sleeps" (stays dormant) for a period set by the attacker before continuing execution.

T1083 – File and Directory Discovery
Trigona enumerates files in the following drives for encryption:

• Fixed drives
• Removable drives
• Network shares

The ransomware also carries a specific list of extensions and folders that it checks to decide which files to skip during encryption.

T1135 – Network Share Discovery
Trigona uses NetShareEnum to look for network shares and encrypt files within network drives.

T1033 – System Owner/User Discovery
Trigona obtains the following information:
• Computer name
• System time
• OS version
• Drive information
• Disk data
• Keyboard locale

T1529 – System Shutdown/Reboot
Trigona can turn off the infected machine when executed with the command line /shdwn.
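The behaviours listed under T1547.001, T1218.005, T1036.005, T1497.003 and T1529 above each leave a distinct trace in endpoint telemetry. The following Python is an added detection example, not code from the original article or from Trend Micro; it assumes a Sysmon-like event shape (a registry value-set event with `key`/`data`, a process-creation event with `image`/`cmdline`) and runs over constructed sample records. The user paths, generated Run-key value name and the OneDrive entry are constructed for illustration; the Run key, ransom-note name, mshta command, svchost masquerade and command-line switches come from the page.

```python
import re
from typing import Dict, List

# Constructed telemetry in a Sysmon-like shape (registry value-set and
# process-creation events); illustrative records, not logs from the page.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\a1b2c3d4",
     "data": r"C:\Users\alice\AppData\Local\Temp\how_to_decrypt.hta"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"C:\Windows\System32\mshta.exe C:\Users\alice\AppData\Local\Temp\how_to_decrypt.hta"},
    {"type": "process_create",
     "image": r"C:\Users\alice\Downloads\svchost.exe",
     "cmdline": r"svchost.exe /sleep 300 /full"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
REAL_SVCHOST = r"c:\windows\system32\svchost.exe"

# Switches the page attributes to Trigona, mapped to the technique each supports.
# Alone they are too generic to alert on, so they only count for images outside C:\Windows.
SWITCH_TECHNIQUES = {"/sleep": "T1497.003", "/shdwn": "T1529", "/full": "T1486", "/erase": "T1485"}


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return a list of technique-tagged findings for one event (empty if benign)."""
    findings: List[str] = []
    if ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
        data = ev["data"]
        if data.lower().endswith(".hta"):
            findings.append("T1547.001: Run key launches an .hta file")
        if USER_TEMP_RE.search(data):
            findings.append("T1547.001: Run key points into the user Temp folder")
    elif ev["type"] == "process_create":
        image = ev["image"].lower()
        tokens = ev["cmdline"].split()
        # mshta.exe rendering an .hta that lives in the user's Temp folder
        if image.endswith("\\mshta.exe") and any(
            USER_TEMP_RE.search(t) and t.lower().endswith(".hta") for t in tokens
        ):
            findings.append("T1218.005: mshta.exe executing an .hta from the user Temp folder")
        # svchost.exe is only legitimate from System32
        if image.endswith("\\svchost.exe") and image != REAL_SVCHOST:
            findings.append("T1036.005: svchost.exe running outside System32")
        if not image.startswith("c:\\windows\\"):
            present = {t.lower() for t in tokens} & set(SWITCH_TECHNIQUES)
            for switch in sorted(present):
                findings.append(f"{SWITCH_TECHNIQUES[switch]}: non-Windows image invoked with {switch}")
    return findings


def scan(events: List[Dict[str, str]]) -> List[List[str]]:
    """Evaluate every event; the result list is index-aligned with the input."""
    return [check_event(ev) for ev in events]


if __name__ == "__main__":
    for idx, hits in enumerate(scan(SAMPLE_EVENTS)):
        print(idx, hits or "clean")
```

In production the same checks map onto Sysmon Event IDs 13 (RegistryEvent value set) and 1 (ProcessCreate), or onto the equivalent EDR fields; the Run-key and mshta rules are high-fidelity on their own, while the switch rule is deliberately gated on the image path to keep it from firing on unrelated tools.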

T1486 – Data Encrypted for Impact
Trigona uses TDCP_rijndael to encrypt target files. From its configuration, it will choose which files to avoid encrypting. It avoids encrypting files with the following strings in its file path:

• Windows
• System32
• NETFAST

In the sample we investigated, it avoided encrypting files with the following extensions:

• .exe
• .dll
• .sys

Trigona also avoids files with the following characteristics:

• FILE_ATTRIBUTE_SYSTEM

It also avoids files with the following file names:

• how_to_decrypt.txt

Trigona then drops the following files as its ransom note:

• %User Temp%\how_to_decrypt.hta
• {Encrypted directory}\how_to_decrypt.hta

It then renames the encrypted files to the following upon encryption:

• available_for_trial.{random}._locked
• {random}._locked

Trigona will only encrypt the first 0x80000 bytes of a file unless executed with the command line /full.

T1485 – Data Destruction
Trigona can delete the first 0x80000 bytes of a file when executed with the command line /erase.
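The rename patterns, ransom-note names and the 0x80000-byte prefix described under T1486 and T1485 give an incident responder something concrete to triage on. The following Python is an added example, not code from the original article or from Trend Micro: it walks a directory tree, labels files that match the page's `{random}._locked` / `available_for_trial.{random}._locked` naming or the ransom-note names, and for each locked file reports how many bytes lie past the first 0x80000, which is the portion the page says is left untouched unless the sample ran with /full. The sample directory, file names and sizes are constructed for illustration.

```python
import os
import re
import tempfile
from typing import Dict, List

# Per the page: unless run with /full, Trigona encrypts (and with /erase, deletes)
# only the first 0x80000 bytes of each file.
PARTIAL_PREFIX_BYTES = 0x80000

# Encrypted-file naming from the page: available_for_trial.{random}._locked or {random}._locked
LOCKED_NAME_RE = re.compile(r"^(?:available_for_trial\.)?[^\\/]+\._locked$", re.IGNORECASE)

# Ransom-note file names from the page.
RANSOM_NOTE_NAMES = {"how_to_decrypt.hta", "how_to_decrypt.txt"}


def classify_file(path: str, size: int) -> Dict[str, object]:
    """Label one file by name pattern and count the bytes past the partial-encryption
    prefix (meaningful only if the sample was not run with /full)."""
    name = os.path.basename(path).lower()
    if name in RANSOM_NOTE_NAMES:
        kind = "ransom_note"
    elif LOCKED_NAME_RE.match(name):
        kind = "locked"
    else:
        kind = "other"
    past_prefix = max(0, size - PARTIAL_PREFIX_BYTES) if kind == "locked" else 0
    return {"path": path, "size": size, "kind": kind, "bytes_past_prefix": past_prefix}


def triage_tree(root: str) -> List[Dict[str, object]]:
    """Classify every regular file under root."""
    results: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            results.append(classify_file(full, os.path.getsize(full)))
    return results


def index_by_name(results: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Convenience lookup: base file name -> classification record."""
    return {os.path.basename(str(r["path"])): r for r in results}


def summarize(results: List[Dict[str, object]]) -> Dict[str, int]:
    """Count files per category."""
    counts = {"locked": 0, "ransom_note": 0, "other": 0}
    for r in results:
        counts[str(r["kind"])] += 1
    return counts


def build_sample_tree() -> str:
    """Constructed sample directory (not data from the page): renamed files sized to
    straddle the 0x80000 boundary, one ransom note and one untouched file."""
    root = tempfile.mkdtemp(prefix="trigona_triage_")
    sample_sizes = {
        "report.abc123._locked": 0x100000,       # 1 MiB: half lies past the prefix
        "small.xyz._locked": 100,                # entirely inside the prefix
        "available_for_trial.qq._locked": 0x80001,  # exactly one byte past it
        "how_to_decrypt.hta": 2048,
        "notes.txt": 512,
    }
    for name, size in sample_sizes.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\x00" * size)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    records = triage_tree(tree)
    for rec in records:
        print(rec)
    print(summarize(records))
```

Whether the bytes past 0x80000 are actually usable depends on the file format (a container whose header is gone may still yield intact records from its tail), and the estimate only holds if the captured command line shows the sample ran without /full; the count is a starting point for prioritising recovery, not a guarantee.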
