Trigona Ransomware Affiliates Deploy 'uploader_client.exe' to Bypass Security Detections

Trigona Ransomware Evolves, Using Custom Exfiltration Tool for Stealthier Data Theft

Severity: HIGH
April 27, 2026
Categories: Ransomware, Malware, Threat Actor

Related Entities

Threat Actors: Rhantus
Organizations: Symantec
Other: Trigona uploader_client.exe

Full Report

Executive Summary

Affiliates of the Trigona ransomware are escalating their operational capabilities by deploying a custom-developed data exfiltration tool. Identified by Symantec researchers, the tool, named uploader_client.exe, is designed to streamline the data theft phase of their double-extortion attacks. This represents a significant tactical evolution for the Ransomware-as-a-Service (RaaS) group, moving away from generic, off-the-shelf tools that are frequently flagged by security products. The custom uploader is built for speed and stealth, incorporating features like parallel connections, connection rotation, and specific file-type filtering to maximize efficiency and minimize the chances of detection.

Threat Overview

The Trigona ransomware operation, attributed to the cybercrime group Rhantus, has been active since late 2022. Like many RaaS operations, its affiliates have historically used common tools like Rclone or MegaSync for data exfiltration. However, as security vendors have improved their detection for these legitimate tools when used maliciously, more advanced threat actors are investing in custom malware.

The uploader_client.exe tool is a prime example of this trend. It is a command-line utility that offers attackers granular control over the data theft process, making their attacks faster and more focused.

Technical Analysis

Analysis of uploader_client.exe reveals several features designed for operational efficiency and evasion:

  • Custom Tooling: The primary technique is the use of custom-developed software (T1587.001 - Develop Capabilities: Malware) to replace generic tools. This immediately lowers the detection rate as the tool's signature is unknown to most antivirus and EDR solutions.
  • High-Speed Exfiltration: The tool defaults to using five parallel connections per file (T1041 - Exfiltration Over C2 Channel). This multi-threading is designed to saturate the victim's outbound bandwidth, minimizing the time required to steal large volumes of data.
  • Evasion via Connection Rotation: A key feature is the ability to rotate TCP connections after a set volume of data (e.g., 2 GB) has been transferred. This is a clever evasion technique (T1071.001 - Application Layer Protocol: Web Protocols) designed to defeat network monitoring systems that alert on long-lived, high-volume data flows. By breaking the exfiltration into multiple smaller connections, the activity may appear more benign.
  • Targeted Data Collection: The tool includes an --exclude-ext flag, allowing attackers to ignore low-value, high-volume files like .mp3 or .mp4. This shows a focus on precision, targeting specific document types like PDFs and financial records to maximize the value of the stolen data (T1560.001 - Archive Collected Data: Archive via Utility).
  • Authenticated C2: The client authenticates to the attacker's C2 server with a hardcoded, shared key. This prevents security researchers from easily accessing the attacker's repository or submitting junk data to it.

Impact Assessment

The use of custom tooling by a RaaS affiliate signifies a maturation of the threat. It lowers the barrier for less-skilled affiliates to conduct effective, stealthy attacks and makes detection harder for defenders. Organizations can no longer rely solely on blocking known exfiltration tools; they must now be able to detect the anomalous behavior associated with data theft, regardless of the tool being used. This development increases the likelihood of successful data breaches preceding ransomware deployment, putting more pressure on victims to pay the ransom.

IOCs — Directly from Articles

  • File Name: uploader_client.exe (the name of the custom data exfiltration tool)

Cyber Observables — Hunting Hints

Security teams should hunt for behavioral indicators of data exfiltration:

  • Network Traffic Pattern (High-volume outbound traffic): Monitor for sustained, high-volume outbound data transfers from endpoints that are not typically servers, especially during off-hours.
  • Process Name (*.exe): Hunt for the execution of any unsigned or newly seen executable in temporary directories (%TEMP%, %APPDATA%) that initiates numerous outbound network connections.
  • Command Line Pattern (* --exclude-ext *): A command line containing flags for excluding file extensions is highly suspicious and could indicate a custom exfiltration tool in use.
  • Log Source (NetFlow/IPFIX data): Analyze network flow data for endpoints making many short, high-volume connections to a single external IP address, consistent with connection rotation.
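
The flow-data hunt above (many chained, high-volume connections from one internal host to one external peer, with several open in parallel) can be scripted against NetFlow/IPFIX exports. The following is an added example written for this report, not tooling from Symantec or the source articles; the flow records, the 10.0.0.0/8 workstation addresses and the 203.0.113.10 peer are constructed sample data, and the thresholds (four flows of at least 1 GiB, chained within 300 seconds) are illustrative assumptions to tune against your own baseline.

```python
"""Flow-record hunt for connection-rotation exfiltration: many large outbound flows
from one internal host to one external peer, chained back-to-back and overlapping."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GIB = 1024 ** 3
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Flow:
    src: str        # internal endpoint
    dst: str        # external peer
    out_bytes: int  # bytes sent src -> dst
    start: float    # epoch seconds
    end: float

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)

def max_concurrent(flows) -> int:
    """Peak number of flows open at the same instant (sweep over start/end events)."""
    events = sorted([(f.start, 1) for f in flows] + [(f.end, -1) for f in flows])
    peak = cur = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak

def find_rotation_candidates(flows, min_flows=4, min_flow_bytes=GIB, max_gap=300):
    """Return {(src, dst): stats} for pairs with >= min_flows outbound flows of >= min_flow_bytes,
    each starting within max_gap seconds of the previous one ending (chained or parallel)."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.out_bytes >= min_flow_bytes:
            by_pair[(f.src, f.dst)].append(f)
    hits = {}
    for pair, big in by_pair.items():
        big.sort(key=lambda f: f.start)
        if len(big) >= min_flows and all(b.start - a.end <= max_gap for a, b in zip(big, big[1:])):
            hits[pair] = {"flows": len(big), "peak_parallel": max_concurrent(big),
                          "total_gib": round(sum(f.out_bytes for f in big) / GIB, 1)}
    return hits

# Constructed sample (not real telemetry): workstation 10.0.0.25 pushes 2 GiB chunks to
# 203.0.113.10 (documentation address), five connections at a time in two waves.
SAMPLE = [Flow("10.0.0.25", "203.0.113.10", 2 * GIB, 1000 + 5 * i, 1600 + 5 * i) for i in range(5)]
SAMPLE += [Flow("10.0.0.25", "203.0.113.10", 2 * GIB, 1650 + 5 * i, 2300 + 5 * i) for i in range(5)]
SAMPLE += [Flow("10.0.0.40", "203.0.113.10", 2 * GIB, 1000, 1100),   # single flow, below min_flows
           Flow("10.0.0.25", "10.0.0.5", 3 * GIB, 1000, 1200)]       # internal peer, ignored
```

Running `find_rotation_candidates(SAMPLE)` reports only the 10.0.0.25 to 203.0.113.10 pair, with ten chained flows totalling 20 GiB and a peak of five in parallel, which matches the rotation and parallel-connection behaviour described in the Technical Analysis.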

Detection & Response

  • Behavioral-Based EDR: Deploy EDR solutions that focus on behavioral detection rather than static signatures. An EDR should be able to flag a new, unsigned process that begins reading large numbers of files and making outbound network connections as suspicious.
  • Network Traffic Analysis: Use Network Detection and Response (NDR) tools to baseline normal network traffic. Alerts should be configured for significant deviations, such as a client endpoint suddenly uploading terabytes of data. This aligns with D3FEND's Network Traffic Analysis (D3-NTA).
  • File Auditing: Enable file access auditing on critical file servers. A sudden spike in read access events across a large number of files from a single user account can be an early indicator of data staging for exfiltration. D3FEND's System File Analysis (D3-SFA) is relevant here.

Mitigation

  • Egress Filtering: Strictly control and monitor outbound network traffic. Default to denying outbound connections from client endpoints on all but essential ports (e.g., 80/443). This makes it harder for custom tools to connect to non-standard C2 servers.
  • Application Whitelisting: In mature security environments, use application control (whitelisting) to prevent any unauthorized executables like uploader_client.exe from running. This is a core component of D3FEND's Executable Allowlisting (D3-EAL).
  • Data Loss Prevention (DLP): Deploy DLP solutions that can identify and block the exfiltration of sensitive data, regardless of the application or protocol being used.
  • Limit Workstation-to-Workstation Communication: Configure host-based firewalls to prevent client devices from communicating with each other. This can disrupt an attacker's ability to use a compromised workstation to access data on network shares.

Timeline of Events

April 27, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Use application control solutions (whitelisting) to prevent the execution of unauthorized and custom tools like uploader_client.exe.
  • Implement strict egress filtering to block or alert on outbound connections to unknown destinations or over non-standard ports.
  • Deploy EDR solutions capable of detecting anomalous behaviors, such as a process reading many files and initiating network connections, regardless of the process's signature.
  • While custom tools evade initial signatures, once identified, their hashes and characteristics should be added to endpoint protection platforms.

Sources & References

  • Ransomware Gang Unveils Custom Data-Theft Tool, GBHackers on Security (gbhackers.com), April 24, 2026
  • Hackers Deploy New Exfiltration Tool In Ransomware Attacks, Cyberpress (cyberpress.com), April 24, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.