In recent years some threat actor groups decided to shift their focus from carrying out attacks directly to instead providing malware tools to the other threat actors. This business model was dubbed Malware-as-a-Service (MaaS), and some cybercriminal gangs have managed to establish a reputation for them. One such group was discovered by the cybersecurity team at QuoIntelligence, who named the threat actor Golden Chickens.
Golden Chickens have created an expanded catalog of sophisticated malware instruments geared towards mid to top-tier cybercriminal groups. Each malware that is offered as a service is designed to fulfill a specific purpose according to the Tactics, Techniques and Procedures (TTP) of the specific client. Since the operations of Golden Chickens were first uncovered, the group has managed to expand its line of malware products with several new tools - TerraRecon, TerraWiper, TerraTV, TerraStealer, TerraCrypt, VenomLNK and others.
TerraRecon, as its name suggests, is a piece of malware created to carry out reconnaissance tasks and was part of highly targeted attacks that took place between 2016 and 2018. After successful system infiltration, TerraRecon performs a series of checks for the presence of a very specific range of hardware and software used in the retail, and money transfer sectors such as Western Union Software and Signing Pads, Wacom Signing Pads and Yubiko's Yubikeys. Three different versions of TerraRecon have been detected, with the biggest distinction between them being the introduction of a kill switch in the v3 of the malware. The highly specific nature of the tool and numerous other factors point toward the fact that TerraRecon was created for a particular threat actor, most likely. The group that fits the description best is FIN6.
In terms of its actual structure, TerraRecon shares a lot of similarities with Golden Chickens' TerraLoader, such as code obfuscation and runtime function resolution. To complete its information gathering task, TerraRecon is capable of looking up system data, checking certain file paths and leveraging Active X controls. The 3rd version of the malware is written in PureBasic, unlike the previous two versions, which were coded in VisualBasic and has a kill-switch function that looks up the year on the infected system and if it's not 2018, it stops its execution. More than likely, Golden Chickens resorted to this method as insurance that its clients will not be able to use their malware tools indefinitely. After completing its task, TerraRecon deletes itself through a BAT file.