Pierluigi Paganini April 20, 2023

Threat actors are hacking poorly secured and Interned-exposed Microsoft SQL servers to deploy the Trigona ransomware.

Threat actors are hacking into poorly secured and public-facing Microsoft SQL servers to deploy Trigona ransomware.

Trigona is a malware strain that was discovered in October 2022, and Palo Alto Unit 42 researchers reported similarities between Trigona and the CryLock ransomware.

Trigona is written in Delphi language, it encrypts files without distinguishing their extensions and appends the “._locked” extension to the filename of encrypted files.

The attackers launch brute-force or dictionary attacks against the server in an attempt to guess account credentials.

Once gained access to the server, the threat actors deploy malware that is tracked by cybersecurity firm AhnLab as CLR Shell.

CLR Shell allows operators to harvest system information and escalate privileges to LocalSystem by exploiting a vulnerability in the Windows Secondary Logon Service.

“In addition, this CLR Shell malware is confirmed to have a routine that exploits privilege escalation vulnerabilities, which is believed to be due to the high privileges required by Trigona as it operates as a service.” reads the report published by AhnLab. “CLR Shell is a type of CLR assembly malware that receives commands from threat actors and performs malicious behaviors, similarly to the WebShells of web servers.”

The analysis of the log from AhnLab’s ASD shows the MS-SQL process sqlservr.exe installing Trigona under the name svcservice.exe.

When svcservice.exe is executed as a service, it executes the Trigona ransomware and also creates and executes svchost.bat used to execute the ransomware. The svchost.bat registers the Trigona binary to the Run key to maintain persistence.

The svchost.bat also deletes volume shadow copies and disables the system recovery feature to prevent victims from recovering the encrypted files.

The ransomware creates ransom notes named “how_to_decrypt.hta” in each folder, the note includes instructions to contact the Trigona operators. The ransom note contains a link to the Trigona Tor negotiation website, and a link containing the key to log into the negotiation site.

“Admins must also use passwords that cannot be easily guessed and change them periodically to protect the database servers from brute force and dictionary attacks.” concludes the report. “V3 should be updated to the latest version so that malware infection can be prevented. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors. If the above measures are not taken in advance, continuous infections by threat actors and malware can occur.”

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft SQL, Trigona ransomware)