
TerraRecon

Posted: August 11, 2020

Not all cybercriminals engage in sophisticated attacks against organizations and users worldwide. Some prefer to keep a low profile by developing malware and renting it out to cybercrime organizations willing to use it – this is exactly the strategy adopted by a team of malware developers known as Golden Chickens. They own an impressive arsenal of hacking tools that other cybercriminals can rent and use in their attacks. This Malware-as-a-Service (MaaS) scheme has proven very profitable, and Golden Chickens' tools were widely used between 2016 and 2018.

One of the most sought-after tools offered by the Golden Chickens MaaS provider is TerraRecon, a reconnaissance tool designed to look for specific hardware and software on the compromised system. Usually, this tool was used to search for vulnerable targets in the financial sector. If the infected system used specific hardware and software, the cybercriminals behind the attack would be able to exploit vulnerabilities in its design.

TerraRecon Fetches Hardware & Software Information about the Compromised System

By analyzing samples of the TerraRecon malware, cybersecurity experts determined that it might have been active since 2013, although its activity peaked between 2016 and 2018. TerraRecon serves a very specific purpose and is likely used only in attacks against specific targets – its use is attributed to a high-profile cybercrime group that specializes in financially motivated attacks.

The TerraRecon implant features interesting kill-switch mechanisms, as well as a fairly straightforward routine for checking for specific hardware and software. As soon as the malware is active, it grabs the compromised system's computer name and user name and tries to send them to the remote control server. It then runs through a list of hardware and software that the crooks are interested in exploiting – if a match is found, the implant reports back to the control server; if no match is found, it does not ping the remote server. In both cases, it then runs a pre-made BAT file designed to erase its components once its task is complete.
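The behaviour chain above (reconnaissance, an optional beacon, then a batch file that wipes the implant) leaves a recognisable trail in endpoint telemetry, and the self-deletion step happens whether or not a target match was found, so it is the part a detection should key on. The following is an added example written for this page, not code from the original article or from any analysis of TerraRecon itself: it correlates constructed, Sysmon-like events (process create, network connect, file create, file delete) and raises an alert when a process writes a `.bat` file, spawns `cmd.exe` on it, and that `cmd.exe` then deletes the parent's own executable. Every path, process GUID and IP address in the sample data is made up; the destination uses the 198.51.100.0/24 documentation range.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs).
# event_id 1 = process create, 3 = network connect, 11 = file create, 23 = file delete.
SAMPLE_EVENTS = [
    # Hypothetical implant starts, beacons out, drops a cleanup script,
    # runs it through cmd.exe, and cmd.exe deletes the implant's image.
    {"event_id": 1, "guid": "P1", "parent_guid": "P0",
     "image": r"C:\Users\alice\AppData\Local\Temp\svc_host.exe",
     "command_line": r"C:\Users\alice\AppData\Local\Temp\svc_host.exe"},
    {"event_id": 3, "guid": "P1", "dest_ip": "198.51.100.23", "dest_port": 443},
    {"event_id": 11, "guid": "P1", "target": r"C:\Users\alice\AppData\Local\Temp\cleanup.bat"},
    {"event_id": 1, "guid": "P2", "parent_guid": "P1",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\cleanup.bat"'},
    {"event_id": 23, "guid": "P2", "target": r"C:\Users\alice\AppData\Local\Temp\svc_host.exe"},
    # Benign look-alike: an installer runs its own .bat but does not delete itself.
    {"event_id": 1, "guid": "P3", "parent_guid": "P0",
     "image": r"C:\Program Files\Tool\setup.exe", "command_line": "setup.exe"},
    {"event_id": 11, "guid": "P3", "target": r"C:\Program Files\Tool\post.bat"},
    {"event_id": 1, "guid": "P4", "parent_guid": "P3",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Program Files\Tool\post.bat"'},
]

# Pull a Windows-style path ending in .bat out of a cmd.exe command line.
BAT_RE = re.compile(r'([A-Za-z]:\\[^"<>|]+?\.bat)', re.IGNORECASE)


def detect_self_deleting_implants(events):
    """Return one alert per process that removed its own image via a .bat it wrote.

    The beacon (event 3) is recorded but not required: the page states the
    cleanup runs whether or not the implant found a hardware/software match.
    """
    procs = {}                      # guid -> process-create record
    bat_creator = {}                # lowercased .bat path -> guid that wrote it
    beacons = defaultdict(list)     # guid -> destination IPs it connected to
    deleted_by = defaultdict(set)   # guid -> lowercased paths it deleted

    for ev in events:
        eid = ev["event_id"]
        if eid == 1:
            procs[ev["guid"]] = ev
        elif eid == 3:
            beacons[ev["guid"]].append(ev["dest_ip"])
        elif eid == 11 and ev["target"].lower().endswith(".bat"):
            bat_creator[ev["target"].lower()] = ev["guid"]
        elif eid == 23:
            deleted_by[ev["guid"]].add(ev["target"].lower())

    alerts = []
    for guid, ev in procs.items():
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        match = BAT_RE.search(ev["command_line"])
        if not match:
            continue
        bat = match.group(1).lower()
        parent_guid = ev["parent_guid"]
        parent = procs.get(parent_guid)
        # The script must have been written by cmd.exe's own parent.
        if parent is None or bat_creator.get(bat) != parent_guid:
            continue
        # ...and that cmd.exe must have deleted the parent's executable.
        if parent["image"].lower() not in deleted_by[guid]:
            continue
        alerts.append({
            "implant": parent["image"],
            "cleanup_script": match.group(1),
            "beaconed": bool(beacons[parent_guid]),
            "destinations": sorted(set(beacons[parent_guid])),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_self_deleting_implants(SAMPLE_EVENTS):
        print(alert)
```

Two practical notes: file-delete telemetry is not collected by default in Sysmon and has to be switched on in its configuration, so the third link of the chain is silently missing on hosts where it was never enabled; and the rule deliberately ignores the recon step itself, because the registry and device enumeration TerraRecon performs is indistinguishable from what inventory agents do every day, whereas a process arranging its own deletion through a freshly written batch file is rare in legitimate software.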

The recovered versions of TerraRecon appear to focus on hardware and software used by Western Union software, Wacom-made signing pads and Yubico's YubiKey services.
