T1190 – Exploit Public-Facing Application
Has been observed to exploit the following Zoho ManageEngine ADSelfService Plus authentication bypass vulnerability:
CVE-2021-40539
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
It adds the following registry entries for automatic execution upon startup:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  {Generated ID 1} = {Malware File Path}\{Malware name}.exe
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  {Generated ID 2} = %User Temp%\how_to_decrypt.hta
T1140 – Deobfuscate/Decode Files or Information
The Trigona ransomware sample we investigated decrypts its configuration at the resource section named “cfgs.”
T1218.005 – System Binary Proxy Execution: Mshta
Trigona executes the following command to display the ransom note after encryption:
• %System%\mshta.exe %User Temp%\how_to_decrypt.hta
T1036.005 – Masquerading: Match Legitimate Name or Location
Trigona named some samples as svchost.exe to evade detection.
T1497.003 – Virtualization/Sandbox Evasion: Time-Based Evasion
When executed with the argument /sleep {seconds}, the ransomware can “sleep” or stay dormant for a period set by the attacker before continuing with its execution.
T1083 – File and Directory Discovery
Trigona enumerates files in the following drives for encryption:
• Fixed drives
• Removable drives
• Network shares
The ransomware also has a specific list of extensions and folders that it can use to verify which files to avoid encrypting.
T1135 – Network Share Discovery
Trigona uses NetShareEnum to look for network shares and encrypt files within network drives.
T1033 – System Owner/User Discovery
Trigona obtains the following information:
• Computer name
• System time
• OS version
• Drive information
• Disk data
• Keyboard locale
T1529 – System Shutdown/Reboot
Trigona can turn off the infected machine when executed with the command line /shdwn.
T1486 – Data Encrypted for Impact
Trigona uses TDCP_rijndael to encrypt target files. From its configuration, it will choose which files to avoid encrypting. It avoids encrypting files with the following strings in its file path:
• Windows
• System32
• NETFAST
In the sample we investigated, it avoided encrypting files with the following extensions:
• .exe
• .dll
• .sys
Trigona also avoids files with the following characteristics:
• FILE_ATTRIBUTE_SYSTEM
It also avoids files with the following file names:
• how_to_decrypt.txt
Trigona then drops the following files as its ransom note:
• %User Temp%\how_to_decrypt.hta
• {Encrypted directory}\how_to_decrypt.hta
It then renames the encrypted files to the following upon encryption:
• available_for_trial.{random}._locked
• {random}._locked
Trigona will only encrypt the first 0x80000 bytes of a file unless executed with the command line /full.
T1485 – Data Destruction
Trigona can delete the first 0x80000 bytes of a file when executed with the command line /erase.
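The host-level behaviours mapped above (the Run-key persistence, the mshta.exe ransom-note launch, the svchost.exe masquerade and the *._locked rename) can be turned into simple detection logic. The following is an added example, not code from the original report; it assumes a simplified event schema (type/image/cmdline/key/data/path) and runs over constructed sample events.

```python
import re

# Indicators are the ones listed in the mapping above. Events use an assumed,
# simplified schema (type/image/cmdline/key/data/path), not a real EDR format.
RANSOM_NOTE = "how_to_decrypt.hta"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# available_for_trial.{random}._locked or {random}._locked
LOCKED_RE = re.compile(r"[\\/](?:available_for_trial\.)?[^\\/]+\._locked$", re.I)

def classify(event: dict) -> list[str]:
    """Return the Trigona ATT&CK technique IDs an event matches (empty if none)."""
    hits = []
    if event.get("type") == "process":
        image, cmdline = event.get("image", "").lower(), event.get("cmdline", "").lower()
        # T1218.005: mshta.exe launching the ransom note from the user temp folder.
        if image.endswith("\\mshta.exe") and RANSOM_NOTE in cmdline:
            hits.append("T1218.005")
        # T1036.005: a binary named svchost.exe running outside the system directories.
        if image.endswith("\\svchost.exe") and not any(d in image for d in SYSTEM_DIRS):
            hits.append("T1036.005")
    elif event.get("type") == "registry":
        key, data = event.get("key", "").lower(), event.get("data", "").lower()
        # T1547.001: Run-key value that re-opens the .hta ransom note at logon.
        if key.endswith(RUN_KEY) and data.endswith(RANSOM_NOTE):
            hits.append("T1547.001")
    elif event.get("type") == "file":
        path = event.get("path", "").lower()
        # T1486: file renamed to the *._locked pattern, or the ransom note dropped.
        if LOCKED_RE.search(path) or path.endswith("\\" + RANSOM_NOTE):
            hits.append("T1486")
    return hits

def scan(events: list[dict]) -> dict[str, int]:
    """Count matching events per technique over a batch of log events."""
    counts: dict[str, int] = {}
    for ev in events:
        for tid in classify(ev):
            counts[tid] = counts.get(tid, 0) + 1
    return counts

SAMPLE_EVENTS = [  # constructed sample events, not from a real incident
    {"type": "process", "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe C:\\Users\\bob\\AppData\\Local\\Temp\\how_to_decrypt.hta"},
    {"type": "process", "image": "C:\\Users\\bob\\Downloads\\svchost.exe", "cmdline": "svchost.exe /full"},
    {"type": "process", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "registry", "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "data": "C:\\Users\\bob\\AppData\\Local\\Temp\\how_to_decrypt.hta"},
    {"type": "file", "path": "D:\\finance\\available_for_trial.k3j9x._locked"},
]
```

Calling `scan(SAMPLE_EVENTS)` returns one hit each for T1218.005, T1036.005, T1547.001 and T1486; the legitimate System32 svchost.exe event produces none. The second Run entry (the malware .exe itself) is deliberately not matched on name alone, since it needs correlation with the dropped file path.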