Trigona Ransomware Evolves: Custom Data Exfiltration Tool Deployed to Evade Detection
The **Trigona** ransomware group is refining its tactics, now employing a custom command-line tool named 'uploader_client.exe' for data exfiltration. This shift aims to bypass security solutions that commonly flag publicly available tools like Rclone and MegaSync, indicating a dedicated effort to maintain a low profile during attacks.

Recent attacks attributed to the **Trigona** ransomware gang have revealed the use of a custom data exfiltration tool. This utility, observed in attacks dating back to March, suggests a move away from publicly available tools in favor of proprietary solutions.
### Custom Tool Details
According to researchers at **Symantec**, the tool, named "uploader_client.exe," connects to a hardcoded server address and boasts several features designed to enhance performance and evade detection:
* Support for five simultaneous connections per file for faster data exfiltration via parallel uploads.
* Rotation of TCP connections after 2GB of traffic to evade monitoring.
* Option for selective file type exfiltration, excluding large, low-value media files.
* Use of an authentication key to restrict access to stolen data by outsiders.
This custom tool has been observed exfiltrating high-value documents, including invoices and PDFs, from compromised network drives.
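The feature list above also describes a network-side pattern a defender can look for: a single internal host holding five or more simultaneous TCP connections to one external endpoint, each closed and reopened after roughly 2 GB of outbound traffic. The script below is an added example (not Symantec's detection content and not code from the tool) that scans flow records for that pattern. The CSV layout, the thresholds and the sample flows are assumptions constructed for the example; the external addresses are documentation ranges, not IoCs.

```python
from collections import defaultdict
from dataclasses import dataclass

GB = 1024 ** 3
# Detection thresholds: assumptions for this example, chosen to match the
# behaviour described in the report (five parallel streams, rotation near 2 GB).
PARALLEL_MIN = 5
ROTATE_LOW, ROTATE_HIGH = int(1.8 * GB), int(2.2 * GB)
ROTATIONS_MIN = 2


@dataclass(frozen=True)
class Flow:
    start: int      # flow start, epoch seconds
    end: int        # flow end, epoch seconds
    src: str        # internal host
    dst: str        # external endpoint
    dport: int
    bytes_out: int  # bytes sent from src to dst


def parse_flow(line: str) -> Flow:
    """Parse one record in the constructed CSV layout: start,end,src,dst,dport,bytes_out."""
    start, end, src, dst, dport, bytes_out = (v.strip() for v in line.split(","))
    return Flow(int(start), int(end), src, dst, int(dport), int(bytes_out))


def max_concurrency(flows) -> int:
    """Largest number of flows open at the same instant (sweep over start/end events)."""
    events = []
    for f in flows:
        events.append((f.start, +1))
        events.append((f.end, -1))
    # Tuples sort so that an end at time t is counted before a start at time t:
    # a stream closed and reopened in the same second is a rotation, not extra parallelism.
    events.sort()
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def find_suspicious_uploads(lines):
    """Return one finding per (src, dst, dport) tuple that shows the exfiltration pattern."""
    groups = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        groups[(f.src, f.dst, f.dport)].append(f)
    findings = []
    for (src, dst, dport), flows in groups.items():
        rotated = sum(1 for f in flows if ROTATE_LOW <= f.bytes_out <= ROTATE_HIGH)
        parallel = max_concurrency(flows)
        if parallel >= PARALLEL_MIN and rotated >= ROTATIONS_MIN:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "parallel": parallel, "rotated": rotated,
                "total_gb": round(sum(f.bytes_out for f in flows) / GB, 2),
            })
    return findings


# Constructed sample flows (not real traffic, not IoCs).
SAMPLE_FLOWS = [
    # suspect host: five parallel streams, each closed near 2 GB, then reopened
    "1000,1600,10.0.0.5,203.0.113.10,443,2147480000",
    "1000,1610,10.0.0.5,203.0.113.10,443,2147400000",
    "1001,1605,10.0.0.5,203.0.113.10,443,2147450000",
    "1001,1620,10.0.0.5,203.0.113.10,443,2147470000",
    "1002,1615,10.0.0.5,203.0.113.10,443,2147300000",
    "1600,2200,10.0.0.5,203.0.113.10,443,2147480000",
    "1610,2210,10.0.0.5,203.0.113.10,443,900000000",
    # benign: a short browser session and one large single-stream backup
    "1000,1005,10.0.0.7,198.51.100.20,443,120000",
    "1003,1004,10.0.0.7,198.51.100.20,443,8000",
    "1100,1300,10.0.0.9,198.51.100.21,443,3000000000",
]

if __name__ == "__main__":
    for finding in find_suspicious_uploads(SAMPLE_FLOWS):
        print(finding)
```

A single large upload (the backup host above) does not trip the rule because it shows neither the parallelism nor the repeated closes near 2 GB; in a real deployment the thresholds should be tuned against the site's own baseline, since backup agents and CDN uploaders can legitimately use several parallel streams.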
### Trigona's Resurgence
First launched in October 2022, **Trigona** operates as a double-extortion ransomware, demanding payments in Monero cryptocurrency. While Ukrainian cyber activists disrupted **Trigona**'s operations in October 2023 by hacking their servers, **Symantec**'s recent findings suggest a resurgence of the group's activities.
### Post-Compromise Activities
**Symantec**'s observations indicate that, after compromising a network, the attackers install HRSword, a component of the **Huorong Network Security Suite**, as a kernel driver service. They then deploy tools such as PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd to disable security products.
> "Many of these leveraged vulnerable kernel drivers to terminate endpoint protection processes," **Symantec** notes.
Utilities like PowerRun are used to launch applications with elevated privileges, bypassing user-mode protections. **AnyDesk** is utilized for direct remote access, while **Mimikatz** and NirSoft utilities are deployed for credential theft and password recovery.
**Symantec** has provided indicators of compromise (IoCs) to aid in the detection and blocking of these attacks.
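Each of the kernel-driver installs described above produces a Service Control Manager "service was installed" event (Event ID 7045 in the Windows System log), which makes that event a natural place to hunt. The script below is an added example, not Symantec's tooling, that triages such events for two signals: a service or image name matching one of the tools named in the report, and a kernel-mode driver loaded from somewhere other than the standard driver directories. The pipe-delimited record layout, the sample events, the file names and the trusted-directory list are assumptions constructed for the example.

```python
import ntpath

# Names of the driver-abuse and privilege tools listed in the report. A name match is a
# weak signal on its own (an administrator may install these legitimately); the set is a
# starting point, not a signature list.
REPORTED_TOOLS = {"hrsword", "pchunter", "gmer", "ydark", "wktools",
                  "dumpguard", "stpprocessmonitorbyovd", "powerrun"}

# Directories a driver is normally loaded from (assumption: tune to the environment).
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")


def parse_event(line: str) -> dict:
    """Parse a 'Key=Value|Key=Value' record (constructed layout) into lower-case keys."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def triage_service_event(line: str) -> list:
    """Return the reasons a 7045 'service installed' event deserves a look (empty if none)."""
    ev = parse_event(line)
    if ev.get("eventid") != "7045":
        return []
    name = ev.get("servicename", "")
    image = ev.get("imagepath", "").strip('"').lower()
    # ntpath handles backslash paths regardless of the host OS the script runs on
    stem = ntpath.splitext(ntpath.basename(image))[0]
    reasons = []
    if any(tool in name.lower() or tool in stem for tool in REPORTED_TOOLS):
        reasons.append(f"service or image name matches a tool from the report: {name}")
    if "kernel mode driver" in ev.get("servicetype", "").lower() \
            and not image.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"kernel driver installed from a non-standard path: {image}")
    return reasons


def triage_log(lines) -> dict:
    """Map service name -> reasons for every flagged event in the log."""
    flagged = {}
    for line in lines:
        reasons = triage_service_event(line)
        if reasons:
            flagged[parse_event(line).get("servicename", "")] = reasons
    return flagged


# Constructed sample events; file names and paths are placeholders, not IoCs.
SAMPLE_EVENTS = [
    r"EventID=7045|ServiceName=HRSword|ImagePath=C:\Users\Public\hrsword_driver.sys|ServiceType=kernel mode driver|StartType=demand start",
    r"EventID=7045|ServiceName=pchunter64|ImagePath=C:\Temp\PCHunter64.sys|ServiceType=kernel mode driver|StartType=demand start",
    r"EventID=7045|ServiceName=UpdateSvc|ImagePath=C:\ProgramData\drv\upd.sys|ServiceType=kernel mode driver|StartType=auto start",
    r"EventID=7045|ServiceName=mouclass|ImagePath=C:\Windows\System32\drivers\mouclass.sys|ServiceType=kernel mode driver|StartType=demand start",
    r'EventID=7045|ServiceName=AnyDesk|ImagePath="C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service|ServiceType=user mode service|StartType=auto start',
    r"EventID=7036|ServiceName=Spooler|ImagePath=|ServiceType=|StartType=",
]

if __name__ == "__main__":
    for service, reasons in triage_log(SAMPLE_EVENTS).items():
        print(service, "->", "; ".join(reasons))
```

The third sample event shows why the path check matters: a renamed driver dropped under ProgramData matches no name on the list but is still caught, while a stock driver under System32\drivers is left alone. AnyDesk is deliberately not on the name list, since it is a legitimate remote-access product; whether its presence is expected is a question for the environment's software inventory rather than for a log parser.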
