The Trigona threat actor continues to target MS-SQL servers through brute-force and dictionary attacks that exploit weak credentials. After gaining access, the actor uses CLR Shell to run additional payloads and employs tools such as BCP, Curl, Bitsadmin, and PowerShell to install malware. Remote control tools including AnyDesk, RDP, and possibly Teramind are used to maintain access. New scanner malware written in Rust targets RDP and MS-SQL services, and the actor also uses SpeedTest and a custom StressTester. Various privilege escalation and file manipulation tools are employed. To protect against these attacks, administrators should use complex passwords, regularly update security software, and implement firewalls to control access to database servers.
Author: AlienVault
Related Tags:
T1078.003
T1136.001
T1588.002
T1087.001
T1070.004
T1021.002
MIMIC
trigona
T1543.003
Associated Indicators: