
TerraStealer

Posted: August 11, 2020

TerraStealer is a piece of malware that was advertised on hacker forums by a seller group known as Golden Chickens. The group is believed to be behind a large-scale Malware-as-a-Service (MaaS) operation that supplies high-profile cybercriminals with custom-built malware implants. TerraStealer is also known under the names SONE or StealerOne. The first advertisements for it were published in 2017, and the implant has been involved in several large-scale campaigns since then.

TerraStealer packs advanced anti-analysis techniques meant to hide its true purpose from anti-virus products. It also checks for the presence of malware debugging and analysis tools, making it more challenging for automated file scanning services to identify TerraStealer's threatening nature.

TerraStealer, a MaaS Threat, Focuses on Web Browsers, Email Clients and FTP Credentials

The threat, as the name suggests, is meant to collect information from the infected computer. TerraStealer can fetch data from:

  • Web browsers like Microsoft Edge, Internet Explorer, Google Chrome and Mozilla Firefox.
  • Email clients like Microsoft Outlook and Mozilla Thunderbird.
  • FTP clients like FileZilla and WinSCP.

Although the functionality of the TerraStealer is rather limited, it is entirely possible that customers of the Golden Chickens MaaS gang can pay to have a separate, enhanced version delivered to them. Artifacts related to TerraStealer's activity were recovered from previously infected systems that were used by point-of-sale devices and online stores.

Cybersecurity experts report that TerraStealer shares many similarities with the TerraRecon malware when it comes to evading analysis and gaining persistence; however, the primary features and purposes of the two implants are entirely different. Despite being a custom-built and advanced threat, TerraStealer's attack should be easily prevented with the use of an up-to-date anti-malware tool and firewall service.
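One way to hunt for the collection behaviour described above, as an added example that is not part of the original article: flag any process that reads credential stores from more than one of the listed application categories without being the application that owns them. The event shape (`image`, `target`), the sample events and the function names are assumptions made for illustration; the file locations are the applications' common defaults.

```python
import ntpath
from collections import defaultdict

# (path fragment, file name, category, owning process) for file-based stores.
# Internet Explorer, legacy Edge, Outlook and WinSCP keep secrets in the
# registry or OS credential stores, so they need registry auditing instead.
RULES = [
    ("\\google\\chrome\\", "login data", "browser", "chrome.exe"),
    ("\\microsoft\\edge\\", "login data", "browser", "msedge.exe"),
    ("\\mozilla\\firefox\\", "logins.json", "browser", "firefox.exe"),
    ("\\thunderbird\\", "logins.json", "email", "thunderbird.exe"),
    ("\\filezilla\\", "recentservers.xml", "ftp", "filezilla.exe"),
    ("\\filezilla\\", "sitemanager.xml", "ftp", "filezilla.exe"),
]

def classify(target):
    """Return (category, owner) if the path is a known credential store."""
    path = target.lower()
    name = ntpath.basename(path)
    for fragment, filename, category, owner in RULES:
        if fragment in path and name == filename:
            return category, owner
    return None

def detect(events, min_categories=2):
    """Map each non-owner process to the store categories it touched."""
    seen = defaultdict(set)
    for ev in events:
        hit = classify(ev["target"])
        if hit is None:
            continue
        category, owner = hit
        # Name match only; production rules should also verify the full
        # image path and code signature, since a file name can be spoofed.
        if ntpath.basename(ev["image"]).lower() == owner:
            continue
        seen[ev["image"]].add(category)
    return {img: sorted(c) for img, c in seen.items() if len(c) >= min_categories}

# Constructed sample events (not taken from a real incident).
_U = "C:\\Users\\alice\\AppData"
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": _U + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": _U + r"\Local\Temp\updater.exe",
     "target": _U + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": _U + r"\Local\Temp\updater.exe",
     "target": _U + r"\Roaming\Thunderbird\Profiles\abcd1234.default\logins.json"},
    {"image": _U + r"\Local\Temp\updater.exe",
     "target": _U + r"\Roaming\FileZilla\recentservers.xml"},
    {"image": r"C:\Tools\backup.exe",
     "target": _U + r"\Roaming\FileZilla\sitemanager.xml"},
]
```

Raising `min_categories` trades sensitivity for fewer false positives from backup and sync tools that legitimately read a single application's profile.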
