Use of custom malware remains relatively rare in pre-ransomware activity.
# Tool/Technique: Trigona Custom Exfiltration Tool (uploader_client.exe)
## Overview
`uploader_client.exe` is a custom-developed command-line exfiltration utility used by Trigona ransomware affiliates (Rhantus). Unlike off-the-shelf tools such as Rclone, this proprietary malware gives the operator granular control over data theft: it can evade volume-based network monitoring and prioritize high-value documents over bulk media files.
## Technical Details
- **Type:** Custom Malware / Exfiltration Tool
- **Platform:** Windows
- **Capabilities:** Parallel data streaming, TCP connection rotation, file extension filtering, and integrated client-server authentication.
- **First Seen:** March 2026
## MITRE ATT&CK Mapping
- **[TA0010 - Exfiltration]**
  - [T1041 - Exfiltration Over C2 Channel]
  - [T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Non-Application Relay Protocol]
- **[TA0005 - Defense Evasion]**
  - [T1562.001 - Impair Defenses: Disable or Modify Tools]
  - [T1068 - Exploitation for Privilege Escalation] (BYOVD techniques)
- **[TA0006 - Credential Access]**
  - [T1003 - OS Credential Dumping]
  - [T1555 - Credentials from Web Browsers]
## Functionality
### Core Capabilities
- **Parallel Streams:** Defaults to five parallel connections per file to maximize bandwidth saturation and speed up data theft.
- **Granular Filtering:** Includes an `--exclude-ext` flag to skip low-priority file types (e.g., .mp3, .mp4, .avi) and focus on sensitive documents like invoices and PDFs.
- **Command-Line Interface:** Operates as a standalone utility with hardcoded C2 configurations.
### Advanced Features
- **Connection Rotation:** Automatically rotates the TCP connection after transferring a specific threshold of data (default 2,048 MB). This is designed to evade volume-based network traffic triggers.
- **Integrated Authentication:** Uses a shared authentication key to verify the client with the server, ensuring only the attacker can access the stolen data.
- **BYOVD (Bring Your Own Vulnerable Driver):** Used in conjunction with other tools to disable security software at the kernel level.
## Indicators of Compromise
- **File Hashes (SHA256):**
  - `396aa1f8f308010a3c76a53965d0eddd35e41176eacd1194745d9542239ca8dc` (Uploader Client)
  - `6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc` (HRSword)
  - `6688fb3039ad6df606d76a897ef1072cdc78b928335c6bfa691d99498caf5c4b` (Mimikatz)
- **File Names:** `uploader_client.exe`, `wktools.sys`, `ke64.sys`, `Start.bat`
- **Network Indicators:** `163[.]172[.]105[.]82` (Port 1080)
- **Behavioral Indicators:** Successive short-lived, high-volume TCP connections to a single external IP; deployment of kernel drivers to terminate security processes.
## Associated Threat Actors
- **Rhantus** (Trigona Ransomware Operators/Affiliates)
## Detection Methods
- **Signature-based:** Monitor for the SHA256 hashes of the uploader and the listed kernel-level defense impairment tools (PCHunter, GMER).
- **Behavioral detection:** Flag processes attempting to load known vulnerable drivers (BYOVD) or tools that terminate EDR/Antivirus processes. Monitor for command-line arguments involving `--exclude-ext`.
- **Network detection:** Detect outbound transfers to a single external host that close and reopen at a fixed byte count (roughly 2 GB per connection), rather than a single long-lived high-bandwidth session.
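The network indicator above (successive high-volume connections to one host that reset at the rotation threshold) expressed as a flow-log heuristic. This is an added example and not part of the report; the 2,048 MB threshold comes from the report, while the flow record layout, the 5 % tolerance, the 30 s gap and the sample records are assumptions.

```python
"""Flag outbound flows that look like threshold-based TCP connection rotation."""
from collections import defaultdict
from dataclasses import dataclass

MB = 1024 * 1024
ROTATION_BYTES = 2048 * MB   # rotation default from the report
TOLERANCE = 0.05             # assumed: within +/-5 % of the threshold counts
MAX_GAP_S = 30               # assumed: next flow starts within 30 s of the last
MIN_RUN = 2                  # assumed: flows in a row before alerting


@dataclass
class Flow:
    start: int      # epoch seconds
    end: int
    src: str
    dst: str
    dport: int
    out_bytes: int  # bytes sent from src to dst


def near_threshold(n: int) -> bool:
    return abs(n - ROTATION_BYTES) <= ROTATION_BYTES * TOLERANCE


def detect_rotation(flows):
    """Return (src, dst, dport, longest_run) for each suspicious src/dst pair."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f)
    alerts = []
    for key, fl in by_pair.items():
        fl.sort(key=lambda f: f.start)
        run, best, prev_end = 0, 0, None
        for f in fl:
            contiguous = prev_end is not None and f.start - prev_end <= MAX_GAP_S
            # a run is a chain of back-to-back flows, each ~threshold bytes;
            # the final partial flow of a transfer simply ends the run
            run = (run + 1 if contiguous else 1) if near_threshold(f.out_bytes) else 0
            best = max(best, run)
            prev_end = f.end
        if best >= MIN_RUN:
            alerts.append((*key, best))
    return alerts


# Constructed sample records, not real telemetry (TEST-NET destination address).
SAMPLE_FLOWS = [
    Flow(1000, 1400, "10.0.0.23", "203.0.113.10", 1080, 2047 * MB),
    Flow(1402, 1810, "10.0.0.23", "203.0.113.10", 1080, 2048 * MB),
    Flow(1812, 2230, "10.0.0.23", "203.0.113.10", 1080, 2050 * MB),
    Flow(2232, 2300, "10.0.0.23", "203.0.113.10", 1080, 310 * MB),   # tail of the set
    Flow(1000, 1600, "10.0.0.40", "10.0.0.5", 445, 2048 * MB),       # one large file copy
    Flow(5000, 5200, "10.0.0.40", "10.0.0.5", 445, 700 * MB),
]

if __name__ == "__main__":
    for src, dst, dport, n in detect_rotation(SAMPLE_FLOWS):
        print(f"rotation suspected: {src} -> {dst}:{dport}, {n} flows at ~2048 MB")
```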
## Mitigation Strategies
- **Endpoint Hardening:** Implement Driver Blocklists to prevent the loading of known vulnerable drivers used in BYOVD attacks.
- **Privilege Management:** Restrict administrative privileges to prevent the installation of kernel-level tools like HRSword and PCHunter.
- **Network Segmentation:** Monitor and restrict outbound traffic on unusual ports (e.g., Port 1080) to unknown external IP addresses.
## Related Tools/Techniques
- **Rclone / MegaSync:** Public tools typically replaced by this custom uploader.
- **Defense Evasion Tools:** HRSword, PCHunter, GMER, YDark, WKTools, DumpGuard.
- **Credential Recovery:** Mimikatz, Nirsoft utilities (WebBrowserPassView, MailPassView).
- **Remote Access:** AnyDesk.