Trigona ransomware adopts custom tool to steal data and evade detection
2026-4-26 09:37:30 Author: securityaffairs.com


Trigona ransomware now uses a custom command-line tool to steal data faster and evade detection, replacing tools like Rclone and MegaSync.

Symantec researchers report that recent Trigona ransomware attacks used a custom-built data exfiltration tool instead of common utilities like Rclone or MegaSync. This shift, seen in March 2026 incidents, gives attackers more control and helps them evade detection, as standard tools are often flagged by security systems. Researchers believe this move shows a growing investment in proprietary malware to stay stealthy.

“The attacks, which occurred in March 2026, mark a significant shift in tactics for Trigona affiliates. The motivation for moving away from publicly available tools remains unknown,” reads the report published by Symantec. “Many publicly available tools are now so well known that they may be flagged by security solutions.”

Trigona, active since late 2022, operates as a Ransomware-as-a-Service linked to the Rhantus cybercrime group.

Trigona attackers use a custom tool, uploader_client.exe, to steal data efficiently. It connects to an attacker-controlled server and appears privately developed. The tool speeds up exfiltration with multiple parallel connections and rotates connections to avoid detection.

“The tool defaults to five parallel connections per file, allowing for rapid data transfer that can saturate available bandwidth,” continues the report. “It can rotate the TCP connection after a specific volume of data (defaulting to 2,048 MB) has been sent. This technique is likely intended to evade network traffic monitoring that triggers on long-lived, high-volume connections to a single IP address.”

It can filter out large, low-value files and focus on sensitive data like documents. It also uses an authentication key to secure access to stolen data. In one case, it targeted invoices and high-value PDFs on network drives.
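The rotation behaviour described above defeats detection rules that look at one connection at a time. As an added illustration (not code from the Symantec report or from Security Affairs), the following Python sketch contrasts a naive per-connection volume rule with one that sums bytes per source/destination pair across a sliding time window, so a transfer split into many ~2,048 MB connections is still seen as one upload. The flow records and thresholds are constructed assumptions; only the 2,048 MB rotation size and the parallel-connection behaviour come from the article.

```python
from collections import defaultdict

# Constructed flow records (start_seconds, src, dst, bytes_out); sample values, not data from the report.
SAMPLE_FLOWS = [
    (0,   "10.0.0.5", "203.0.113.10", 2_147_483_648),  # two parallel connections, each cut at ~2,048 MB
    (0,   "10.0.0.5", "203.0.113.10", 2_147_483_648),
    (95,  "10.0.0.5", "203.0.113.10", 2_147_483_648),  # rotated connection, same destination
    (190, "10.0.0.5", "203.0.113.10", 2_147_483_648),
    (30,  "10.0.0.9", "192.0.2.30",   2_147_483_648),  # benign: one nightly backup, no rotation
    (10,  "10.0.0.7", "198.51.100.20",   50_000_000),  # benign: a single 50 MB upload
]

# Thresholds are assumptions for this example, not values taken from the report.
PER_FLOW_THRESHOLD = 3 * 1024**3    # naive rule: alert on any single connection over 3 GiB
AGGREGATE_THRESHOLD = 5 * 1024**3   # alert when one src->dst pair moves 5 GiB within the window
WINDOW_SECONDS = 3600
MIN_FLOWS = 2                       # require more than one connection, so a lone large upload is not flagged

def naive_per_flow_alerts(flows):
    """Long-lived / high-volume rule that a 2,048 MB rotation slips under."""
    return [f for f in flows if f[3] >= PER_FLOW_THRESHOLD]

def aggregate_alerts(flows, window=WINDOW_SECONDS, threshold=AGGREGATE_THRESHOLD):
    """Sum bytes per (src, dst) over a sliding window, regardless of how many connections carried them."""
    by_pair = defaultdict(list)
    for start, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((start, nbytes))
    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort()
        total, lo = 0, 0
        for hi, (start, nbytes) in enumerate(recs):
            total += nbytes
            while start - recs[lo][0] > window:   # slide the window forward
                total -= recs[lo][1]
                lo += 1
            if total >= threshold and hi - lo + 1 >= MIN_FLOWS:
                alerts.append({"src": src, "dst": dst, "flows": hi - lo + 1, "bytes": total})
                break   # one alert per pair is enough
    return alerts

if __name__ == "__main__":
    print("naive:", naive_per_flow_alerts(SAMPLE_FLOWS))        # [] : rotation evades the per-flow rule
    print("aggregate:", aggregate_alerts(SAMPLE_FLOWS))        # one alert for 10.0.0.5 -> 203.0.113.10
```

Real deployments would key on NetFlow/IPFIX or proxy logs and tune the window and thresholds to the environment's normal upload volumes.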

Before deploying the custom uploader, attackers disable security tools using multiple utilities, including HRSword, PCHunter, and GMER, often abusing vulnerable kernel drivers to kill protections. PowerRun helps execute them with elevated privileges. They access systems remotely via AnyDesk and steal credentials using tools like Mimikatz and Nirsoft password recovery utilities, targeting apps and browsers.

“The use of custom tooling in the ransomware landscape is a double-edged sword for attackers,” concludes the report. “While it requires development resources and time, these tools can provide a level of stealth that generic tools cannot match, at least until they’re discovered.”


Pierluigi Paganini


Source: https://securityaffairs.com/191294/cyber-crime/trigona-ransomware-adopts-custom-tool-to-steal-data-and-evade-detection.html