GOLD BEGONIA
SUMMARY
GOLD BEGONIA was a financially motivated cybercriminal threat group that operated and distributed the Trigona ransomware. GOLD BEGONIA began operating in October 2022 and introduced a Linux version of Trigona in February 2023 intended to target ESXi hypervisors. After compromising a victim, GOLD BEGONIA exfiltrated data for later possible publication on their leak site hosted on the Tor network. In addition to leaving ransom notes on infected machines, the threat actors also occasionally emailed employees of the victim organization notifying them an attack had occurred.
In October 2023, a vigilante security researcher compromised GOLD BEGONIA's infrastructure used to operate Trigona, eventually forcing them to abandon their operation on October 18. GOLD BEGONIA reconstituted the Trigona operation in November 2023 and began publishing new victims in January 2024. The last victim was posted to their leak site in late March 2024 and the last of their infrastructure went offline in May 2024.
For initial access, GOLD BEGONIA was observed using brute force attacks against publicly facing RDP servers and Microsoft SQL Server instances. Arete observed the exploitation of CVE-2021-40539 against Zoho ManageEngine instances in late 2022. In addition to RDP, numerous remote access tools such as AteraAgent, Splashtop, LogMeIn, AnyDesk, and TeamViewer were used during intrusions.
Internal reconnaissance of compromised networks was performed using SoftPerfect Network Scanner (netscan.exe) and Advanced Port Scanner. Credential theft was accomplished using Mimikatz and by dumping NTDS.dit with ntdsutil.exe. GOLD BEGONIA maintained persistent access to compromised networks by creating new user accounts that could be reached through the established remote access tooling or through Cobalt Strike.
GOLD BEGONIA used the Everything and DirLister utilities to build a list of files for exfiltration via FileZilla. Finally, Trigona ransomware was deployed through PsExec or manual execution. Trigona creates a persistence mechanism through the infected user's HKCU Run key, ensuring it executes whenever that user logs in.
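As an added illustration of how a defender could hunt for the tradecraft described above (this is not part of the original profile or any vendor tooling), the following Python snippet applies simple rules to constructed process-creation and registry events; the record field names and sample values are assumptions, not real telemetry.

```python
import ntpath
import re

# Constructed sample events shaped like Windows 4688 (process creation) and
# Sysmon Event ID 13 (registry value set) records. Not real telemetry.
SAMPLE_EVENTS = [
    {"id": 4688, "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\ntds" q q'},
    {"id": 4688, "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\netscan.exe",
     "cmdline": "netscan.exe /range:10.0.0.1-10.0.0.254"},
    {"id": 4688, "user": "CORP\\jdoe", "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\10.0.0.5 -s -d C:\\temp\\payload.exe"},
    {"id": 13, "user": "CORP\\jdoe",
     "target": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     "details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe"},
    {"id": 4688, "user": "CORP\\admin", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\notes.txt"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

def _image_name(event):
    return ntpath.basename(event.get("image", "")).lower()

def is_ntds_dump(event):
    """ntdsutil run with the IFM/NTDS snapshot arguments used to dump NTDS.dit."""
    return (event["id"] == 4688 and _image_name(event) == "ntdsutil.exe"
            and re.search(r"\bifm\b|\bntds\b", event.get("cmdline", ""), re.I) is not None)

def is_netscan(event):
    return event["id"] == 4688 and _image_name(event) == "netscan.exe"

def is_psexec(event):
    return event["id"] == 4688 and _image_name(event) in {"psexec.exe", "psexec64.exe"}

def is_run_key_persistence(event):
    """A value written under a per-user Run key (HKU\\<SID>\\...\\Run): the
    HKCU Run key persistence the profile attributes to Trigona."""
    return (event["id"] == 13 and event.get("target", "").upper().startswith("HKU\\")
            and RUN_KEY.search(event["target"]) is not None)

RULES = {"ntdsutil NTDS.dit dump": is_ntds_dump,
         "SoftPerfect Network Scanner": is_netscan,
         "PsExec lateral execution": is_psexec,
         "HKCU Run key persistence": is_run_key_persistence}

def hunt(events):
    """Return (rule name, user) for every event matching one of the TTP rules."""
    return [(name, ev["user"]) for ev in events for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for name, user in hunt(SAMPLE_EVENTS):
        print(f"[{name}] by {user}")
```

Real deployments would key these rules on the legitimate administrative baseline (for example, scheduled ntdsutil backups from known hosts) to keep the false-positive rate workable.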