

Posted: August 11, 2020

Not all cybercriminals engage in sophisticated attacks against organizations and users worldwide. Some prefer to keep a low profile by developing malware and renting it out to cybercrime organizations that are willing to use it. This is the strategy adopted by a team of malware developers known as Golden Chickens. They own an impressive arsenal of hacking tools that other cybercriminals can rent and use in their attacks. This Malware-as-a-Service (MaaS) scheme has proven to be very profitable, and Golden Chickens' tools were widely used between 2016 and 2018.

One of the most sought-after tools offered by the Golden Chickens MaaS provider is TerraRecon, a reconnaissance tool designed to look for specific hardware and software on the compromised system. Usually, this tool was used to search for vulnerable targets in the financial sector. If the infected system used specific hardware and software, the cybercriminals behind the attack would be able to exploit vulnerabilities in its design.

TerraRecon Fetches Hardware & Software Information about the Compromised System

By analyzing samples of the TerraRecon malware, cybersecurity experts were able to determine that it might have been active since 2013, although its activity peaked between 2016 and 2018. TerraRecon serves a very specific purpose. It is likely to be used in attacks against specific targets only, and its use is attributed to a high-profile cybercrime group that specializes in financially motivated attacks.

The TerraRecon implant features interesting kill-switch mechanisms, as well as a fairly straightforward algorithm to check for specific hardware and software. As soon as the malware is active, it will grab the compromised system's computer name and user name, and then try to send them to the remote control server. After this, it begins to run through a list of hardware and software that the crooks are interested in exploiting – if a match is found, the implant will communicate with the control server. If no matches are found, the TerraRecon implant will not ping the remote server. In both scenarios, it will run a pre-made BAT file designed to erase its components after its task is completed.

The recovered versions of TerraRecon appeared to focus on hardware and software associated with Western Union software, Wacom-made signing pads and Yubico's YubiKey services.
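Because the implant described above may never contact its control server when no match is found, the BAT-based cleanup that runs in both scenarios is the more reliable behaviour to hunt for. The following is an added example, not code from the original page or from any vendor: it flags a process whose own image is deleted by a `cmd.exe` child running a `.bat` file. The event schema, file names, addresses and the 60-second window are constructed assumptions loosely modelled on Sysmon event IDs.

```python
import json

# Constructed sample telemetry (not real logs). Assumed schema, loosely modelled
# on Sysmon: id 1 = process create, 3 = network connection, 23 = file delete.
SAMPLE_EVENTS = r"""
{"t":10,"id":1,"pid":100,"ppid":1,"image":"C:\\Temp\\sample_a.exe","cmd":"sample_a.exe"}
{"t":11,"id":3,"pid":100,"dest":"203.0.113.10:443"}
{"t":12,"id":1,"pid":101,"ppid":100,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c C:\\Temp\\x1.bat"}
{"t":13,"id":23,"pid":101,"target":"C:\\Temp\\sample_a.exe"}
{"t":20,"id":1,"pid":200,"ppid":1,"image":"C:\\Temp\\sample_b.exe","cmd":"sample_b.exe"}
{"t":21,"id":1,"pid":201,"ppid":200,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c C:\\Temp\\x2.bat"}
{"t":22,"id":23,"pid":201,"target":"C:\\Temp\\sample_b.exe"}
{"t":30,"id":1,"pid":300,"ppid":1,"image":"C:\\Program Files\\App\\setup.exe","cmd":"setup.exe"}
{"t":31,"id":1,"pid":301,"ppid":300,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c post.bat"}
{"t":32,"id":23,"pid":301,"target":"C:\\Temp\\setup.log"}
"""

WINDOW = 60  # assumed max seconds between BAT launch and image deletion

def load_events(text):
    return [json.loads(line) for line in text.strip().splitlines()]

def find_self_deleting(events, window=WINDOW):
    """Return processes whose image was deleted by a .bat they launched."""
    images, net, launched, findings = {}, set(), {}, []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["id"] == 1:                      # process create
            image = ev["image"].lower()
            images[ev["pid"]] = image
            runs_bat = image.endswith("\\cmd.exe") and ".bat" in ev["cmd"].lower()
            if runs_bat and ev["ppid"] in images:
                launched[ev["pid"]] = (ev["ppid"], ev["t"])
        elif ev["id"] == 3:                    # network connection
            net.add(ev["pid"])
        elif ev["id"] == 23 and ev["pid"] in launched:   # delete by the BAT shell
            parent, started = launched[ev["pid"]]
            # Alert only when the BAT removes the image of the process that spawned it.
            if ev["target"].lower() == images[parent] and ev["t"] - started <= window:
                findings.append({"pid": parent, "image": images[parent],
                                 "script_pid": ev["pid"],
                                 "contacted_network": parent in net})
    return findings

if __name__ == "__main__":
    for finding in find_self_deleting(load_events(SAMPLE_EVENTS)):
        print(finding)
```

The `contacted_network` field separates the case where the process reached out before cleaning up from the silent case, and the installer in the sample data is ignored because its script deletes a log file, not its own image.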
