TerraStealerV2 and TerraLogger: Golden Chickens’ New Malware Families Discovered

Insikt Group has uncovered two new malware families—TerraStealerV2 and TerraLogger—linked to the financially motivated threat actor known as Golden Chickens. TerraStealerV2 is designed to collect browser credentials and cryptocurrency wallet data but does not bypass Chrome’s Application Bound Encryption. TerraLogger functions as a standalone keylogger without data exfiltration capabilities, indicating it is still in development. The ongoing evolution of these tools raises concerns for organizations about future credential theft attacks. Affected: organizations, cybersecurity sector

Key points:

  • Insikt Group identified two new malware families: TerraStealerV2 and TerraLogger, linked to Golden Chickens.
  • TerraStealerV2 targets browser credentials, cryptocurrency wallets, and browser extension data.
  • TerraLogger operates as a simple keylogger without data exfiltration features.
  • Distribution mechanisms for TerraStealerV2 include LNK, MSI, DLL, and EXE files.
  • Both malware families are still actively being developed and lack mature stealth capabilities.

MITRE Techniques:

  • T1027: Obfuscated Files or Information – TerraStealerV2 stores its strings obfuscated and decodes them at runtime with an XOR routine.
  • T1213: Data from Information Repositories – TerraStealerV2 extracts credentials from the Chrome “Login Data” database.
  • T1056.001: Keylogging – TerraLogger installs a low-level keyboard hook and writes captured keystrokes to local files.
  • T1021.001: Remote Services – Collected data is exfiltrated through Telegram and potentially to wetransfers[.]io.

Indicators of Compromise:

  • [Domain] wetransfers[.]io
  • [URL] https://ifconfig[.]me
  • [SHA-256] 9aed0eda60e4e1138be5d6d8d0280343a3cf6b30d39a704b2d00503261adbe2a
  • [SHA-256] a2f7d83ddbe0aeba5f5113a8adf2011dc1a7393fa4fe123e74a17dbc2a702b13
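A small triage helper, added here as an example and not Insikt Group's or Recorded Future's tooling, that applies the indicators listed above and the Chrome “Login Data” access behaviour from the MITRE section to endpoint events. The event schema, process names and log lines are constructed for the example.

```python
"""Flag constructed endpoint events that match the TerraStealerV2 indicators
(domains, SHA-256 hashes) or the behaviour of a non-browser process reading
Chrome's "Login Data" database. Example code, not the report's own tooling."""
import json
from pathlib import PureWindowsPath

# Indicators taken from the summary above; everything else is constructed.
IOC_DOMAINS = {"wetransfers.io", "ifconfig.me"}
IOC_SHA256 = {
    "9aed0eda60e4e1138be5d6d8d0280343a3cf6b30d39a704b2d00503261adbe2a",
    "a2f7d83ddbe0aeba5f5113a8adf2011dc1a7393fa4fe123e74a17dbc2a702b13",
}
# Processes expected to read Login Data; an assumed allow-list, tune per fleet.
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "brave.exe"}

def triage_event(ev: dict) -> list[str]:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    image = PureWindowsPath(ev.get("image", "")).name.lower()
    if ev.get("sha256", "").lower() in IOC_SHA256:
        reasons.append("hash matches TerraStealerV2 indicator")
    if ev.get("dns_query", "").lower().rstrip(".") in IOC_DOMAINS:
        reasons.append(f"DNS query to indicator domain {ev['dns_query']}")
    target = ev.get("target_file", "")
    if target.lower().endswith("login data") and image not in BROWSER_PROCS:
        reasons.append(f"non-browser process {image} read Chrome Login Data")
    return reasons

def triage_log(lines: list[str]) -> dict[str, list[str]]:
    """Map event id -> reasons for every suspicious event in JSON-lines input."""
    hits = {}
    for line in lines:
        ev = json.loads(line)
        reasons = triage_event(ev)
        if reasons:
            hits[ev["id"]] = reasons
    return hits

# Constructed Sysmon-like JSON events; not real telemetry.
SAMPLE_LOG = [
    '{"id": "1", "image": "C:\\\\Program Files\\\\Google\\\\Chrome\\\\chrome.exe", "target_file": "C:\\\\Users\\\\u\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data"}',
    '{"id": "2", "image": "C:\\\\Users\\\\u\\\\AppData\\\\Local\\\\Temp\\\\update.exe", "target_file": "C:\\\\Users\\\\u\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data"}',
    '{"id": "3", "image": "C:\\\\Windows\\\\System32\\\\rundll32.exe", "dns_query": "wetransfers.io"}',
    '{"id": "4", "image": "C:\\\\Users\\\\u\\\\Downloads\\\\invoice.exe", "sha256": "9AED0EDA60E4E1138BE5D6D8D0280343A3CF6B30D39A704B2D00503261ADBE2A"}',
    '{"id": "5", "image": "C:\\\\Windows\\\\explorer.exe", "dns_query": "example.com"}',
]

if __name__ == "__main__":
    for event_id, reasons in triage_log(SAMPLE_LOG).items():
        print(event_id, "->", "; ".join(reasons))
```

Hash and domain matching is case-insensitive and ignores a trailing dot on DNS names, so the uppercase hash in event 4 still matches.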


Full Story: https://www.recordedfuture.com/research/terrastealerv2-and-terralogger
