The Trigona ransomware threat actor has been observed engaging in new activity, such as installing Mimic malware that targets MS-SQL servers.
The Bulk Copy Program (BCP) feature of MS-SQL servers is abused during the malware installation process. The BCP utility, bcp.exe, is a command-line tool used for importing or exporting large amounts of external data in MS-SQL servers.
The Trigona ransomware is still alive, targeting MS-SQL servers, and has been active since at least June 2022. First discovered in June 2022, Mimic ransomware was designed to target English- and Russian-speaking users.
Recently, the Trigona ransomware threat actor has been infecting poorly maintained MS-SQL servers with the Mimic and Trigona ransomware strains.
Attackers Hijacking MS-SQL Servers
When searching for files to encrypt, Mimic ransomware is known to abuse a file search tool named Everything. It is believed that the threat actor uses the Everything tool to speed up file encryption on the target system.
Furthermore, during its development the attacker imitated several components of the Conti ransomware, whose source code had been leaked.
According to the AhnLab Security Intelligence Center (ASEC) report, almost the same external structure was employed in this attack, and the Mimic ransomware samples were found in the Trend Micro report from January 2023 and the Securonix report from January 2024.
“The folder that is ultimately installed not only contains Mimic ransomware and the Everything tool but also the Defender Control tool (DC.exe) for deactivating Windows Defender and the SDelete tool (xdel.exe) of Sysinternals”, ASEC shared with Cyber Security News.
The email address of the threat actor in the ransom note differs from that in previous instances of the Mimic ransomware and is also absent from other attack cases.
The threat actor would use the information obtained from the following commands to install malware strains appropriate for the environment.
To take control of the compromised system, the threat actor installed AnyDesk. It has also been discovered that the attacker tried to connect to the compromised system via RDP and take control of it remotely using a malware strain designed for port forwarding.
“Although no malware or command log that sets the system boot option to safe mode was found, logs of the MS-SQL server process executing a system restart command were identified”, researchers said.
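A defender-side detection for the behaviour described above, written as an added example for this page and not taken from ASEC's report: it flags process-creation events in which the SQL Server service process (assumed image name sqlservr.exe) spawns bcp.exe, a shell running bcp or shutdown, or the other tools named in the article. The event format and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Image names taken from the report (assumption: the binaries keep these names).
WATCHLIST = {
    "bcp.exe": "BCP utility spawned by the SQL service (malware staging)",
    "shutdown.exe": "restart command issued by the SQL service",
    "dc.exe": "Defender Control spawned by the SQL service",
    "xdel.exe": "SDelete spawned by the SQL service",
    "anydesk.exe": "AnyDesk spawned by the SQL service",
}
SQL_SERVICE = "sqlservr.exe"                      # assumed service image name
SHELL_TOOLS = re.compile(r"\b(bcp|shutdown)\b")   # same tools run via cmd.exe /c

@dataclass(frozen=True)
class Alert:
    pid: int
    image: str
    reason: str

def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()

def detect(events):
    """Return one Alert per child of sqlservr.exe matching the chain; each event is a dict with pid, parent_image, image, command_line."""
    alerts = []
    for ev in events:
        if _basename(ev["parent_image"]) != SQL_SERVICE:
            continue  # bcp.exe run by a DBA from a shell is normal use, skip it
        image = _basename(ev["image"])
        if image in WATCHLIST:
            alerts.append(Alert(ev["pid"], image, WATCHLIST[image]))
        elif image == "cmd.exe":
            m = SHELL_TOOLS.search(ev.get("command_line", "").lower())
            if m:
                alerts.append(Alert(ev["pid"], image, f"{m.group(1)} run via cmd.exe by the SQL service"))
    return alerts

# Constructed sample events (not real telemetry); paths and table names are placeholders.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\MSSQL\Binn\sqlservr.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c bcp db.dbo.t out C:\ProgramData\stage.bin -T -n"},
    {"pid": 4133, "parent_image": r"C:\MSSQL\Binn\sqlservr.exe", "image": r"C:\MSSQL\Tools\bcp.exe",
     "command_line": r"bcp.exe db.dbo.t out C:\ProgramData\stage.bin -T -n"},
    {"pid": 4140, "parent_image": r"C:\MSSQL\Binn\sqlservr.exe", "image": r"C:\Windows\System32\shutdown.exe",
     "command_line": "shutdown.exe /r /t 0"},
    {"pid": 5001, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\MSSQL\Tools\bcp.exe",
     "command_line": r"bcp.exe db.dbo.t out C:\Users\dba\export.csv -T -c"},  # DBA export, not flagged
]
```

Calling detect(SAMPLE_EVENTS) yields three alerts (pids 4120, 4133, 4140); the DBA-run bcp.exe under explorer.exe is ignored because the parent is not the SQL service.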
Recommendation
Brute-force and dictionary attacks are common methods of targeting MS-SQL servers on systems where account credentials are not properly managed. Administrators need to use complex passwords and change them regularly.
Updating V3 to the latest version is also necessary to prevent malware infection in advance. Administrators should also deploy security tools such as firewalls to prevent external threat actors from accessing database servers.