GOLD BEGONIA
Aliases
Tools
SUMMARY
GOLD BEGONIA is a financially motivated cybercriminal threat group that operates and distributes the Trigona ransomware. GOLD BEGONIA has been active since October 2022 and introduced a Linux version of Trigona in February 2023 intended to target ESXi hypervisors. After compromising a victim, GOLD BEGONIA exfiltrates data for possible later publication on its leak site hosted on the Tor network. In addition to leaving ransom notes on infected machines, the threat actors may also email employees of the victim organization to notify them that an attack has occurred.
In October 2023, a vigilante security researcher compromised the infrastructure GOLD BEGONIA used to operate Trigona, eventually forcing the group to abandon its operation on October 18. GOLD BEGONIA reconstituted the Trigona operation in November 2023 and began publishing new victims in January 2024. The last victim was posted to the leak site in late March 2024, and the last of the group's infrastructure went offline in May 2024.
For initial access, GOLD BEGONIA has been observed using brute force attacks against publicly facing RDP servers and Microsoft SQL Server instances. Arete observed the exploitation of CVE-2021-40539 against Zoho ManageEngine instances in late 2022. In addition to RDP, numerous remote access tools such as AteraAgent, Splashtop, LogMeIn, AnyDesk, and TeamViewer may be used during intrusions.
Internal reconnaissance of compromised networks is performed using SoftPerfect Network Scanner (netscan.exe) and Advanced Port Scanner. Credential theft is accomplished using Mimikatz and dumping NTDS.dit through ntdsutil.exe. GOLD BEGONIA maintains persistent access to compromised networks by creating new user(s) that can be accessed using established remote access tooling or through the use of Cobalt Strike.
GOLD BEGONIA uses the Everything and DirLister utilities to gather a list of files for exfiltration via FileZilla. Finally, Trigona ransomware is deployed through PsExec or manual execution. Trigona establishes persistence through the infected user's HKCU Run key, ensuring it executes whenever that user logs in.
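The initial access, credential theft, persistence and deployment tradecraft described above maps to a handful of well-known Windows telemetry signals. The following is an added example written for this profile, not Secureworks tooling and not code from the original page: a small set of detection rules run over constructed sample records. It assumes endpoint telemetry has already been normalized into dicts whose field names (event_id, host, src_ip, logon_type, image, command_line, target_object, details, service_name, image_path, new_user) are modelled loosely on Windows Security and Sysmon events; those names and every sample record are constructed for the example.

```python
"""Sample detections for the GOLD BEGONIA tradecraft described in this profile.

Added example, not part of the original profile and not Secureworks tooling.
Field names and all sample records below are constructed; the event IDs
(4625, 4720, 7045, Sysmon 1 and 13) are the real Windows/Sysmon identifiers.
"""
from collections import Counter

# Constructed sample telemetry: an RDP brute-force burst, an NTDS.dit export
# via ntdsutil, a new account, a PsExec service install, a per-user Run key
# write, plus benign noise that the rules must not flag.
FAILED_RDP = {"event_id": 4625, "host": "fs01", "src_ip": "203.0.113.7",
              "logon_type": 10, "user": "administrator"}
SAMPLE_EVENTS = [FAILED_RDP] * 6 + [
    {"event_id": 4625, "host": "fs01", "src_ip": "10.0.0.5", "logon_type": 10, "user": "jdoe"},
    {"event_id": 1, "host": "dc01", "image": r"C:\Windows\System32\ntdsutil.exe",
     "command_line": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\x" q q'},
    {"event_id": 1, "host": "ws07", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe ntds_notes.txt"},
    {"event_id": 4720, "host": "dc01", "new_user": "svc_backup2"},
    {"event_id": 7045, "host": "fs01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"event_id": 13, "host": "ws07",
     "target_object": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "details": r"C:\Users\jdoe\AppData\Roaming\updater.exe"},
    {"event_id": 13, "host": "ws07",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname",
     "details": "ws07"},
]


def detect_rdp_brute_force(events, threshold=5):
    """Flag (host, src_ip) pairs with >= threshold failed logons (4625).
    Logon type 10 is RemoteInteractive; with NLA enabled, RDP failures often
    surface as type 3, so both are counted. The threshold is a sample value."""
    hits = Counter((e["host"], e["src_ip"]) for e in events
                   if e.get("event_id") == 4625 and e.get("logon_type") in (3, 10))
    return sorted(pair for pair, n in hits.items() if n >= threshold)


def detect_ntds_dump(events):
    """ntdsutil.exe invoked with the 'ifm' / 'create full' verbs that export
    NTDS.dit. Checking the image name avoids matching unrelated 'ntds' text."""
    out = []
    for e in events:
        if e.get("event_id") != 1:
            continue
        cmd = e.get("command_line", "").lower()
        if e.get("image", "").lower().endswith("ntdsutil.exe") and (
                "ifm" in cmd or "create full" in cmd):
            out.append((e["host"], e["command_line"]))
    return out


def detect_new_user(events):
    """Account creation (4720); correlate with remote access tool activity."""
    return [(e["host"], e["new_user"]) for e in events if e.get("event_id") == 4720]


def detect_psexec_service(events):
    """Service install (7045) using PsExec's default PSEXESVC service name."""
    return [(e["host"], e["service_name"]) for e in events
            if e.get("event_id") == 7045 and "psexesvc" in
            (e.get("service_name", "") + e.get("image_path", "")).lower()]


def detect_run_key_persistence(events):
    """Sysmon registry value set (13) under a per-user Run key. Sysmon records
    HKCU as HKU\\<SID>, so match the HKU hive plus the CurrentVersion\\Run path."""
    out = []
    for e in events:
        key = e.get("target_object", "")
        if e.get("event_id") == 13 and key.upper().startswith("HKU\\") and \
                "\\currentversion\\run\\" in key.lower():
            out.append((e["host"], key.rsplit("\\", 1)[-1], e.get("details", "")))
    return out


def run_all(events):
    """Run every rule and return only those that produced findings."""
    rules = {
        "rdp_brute_force": detect_rdp_brute_force,
        "ntds_dump": detect_ntds_dump,
        "new_user": detect_new_user,
        "psexec_service": detect_psexec_service,
        "run_key_persistence": detect_run_key_persistence,
    }
    return {name: rule(events) for name, rule in rules.items() if rule(events)}


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_EVENTS).items():
        print(name)
        for hit in hits:
            print("   ", hit)
```

Each rule is deliberately narrow so that a single finding is meaningful on its own; in practice the value comes from correlating them in time on the same host (an NTDS export shortly after a brute-force burst, followed by a PSEXESVC install), which is the sequence this profile describes.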