TerraStealer is a piece of malware offered as a service by a cybercriminal group known as Golden Chickens. Like many of the tools provided by Golden Chickens, TerraStealer shares multiple similarities with TerraLoader, a multipurpose loader created in PureBasic, but its purpose is completely different. The name by which TerraStealer is being advertised to other hacker groups on Dark Web forums is SONE (Stealer One).
Careful analysis of the underlying code carried out by the analysts at QuoIntelligence revealed that TerraStealer is an information-collecting program that targets a whole range of Web browsers, email clients and file transfer tools. Many mainstream Web browsers can become victims of TerraStealer - Firefox, Google Chrome, Microsoft Edge and Internet Explorer (versions 4–11).
This particular Golden Chickens malware tool has several anti-analysis techniques built into its behavior, such as checking whether it is being executed through regsvr32.exe or odbcconf.exe. During its communication with the Command and Control (C&C, C2) server, TerraStealer uses the following strings: </sone_email>, <sone_entry>, <sone_name>, <sone_program>, <sone_protocol>, </sone_program>.
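To turn the C2 marker strings above into a detection check, here is an added Python example (not code from the original write-up or from the malware itself): it scans decoded request bodies for SONE-style tags and reports which known markers appear. The sample records are constructed for illustration, not real captures.

```python
import re

# Marker strings the write-up attributes to TerraStealer (SONE) C2 traffic.
SONE_MARKERS = {
    "</sone_email>", "<sone_entry>", "<sone_name>",
    "<sone_program>", "<sone_protocol>", "</sone_program>",
}

# Any tag shaped like <sone_...> or </sone_...>, so variants outside the
# documented list are still surfaced for an analyst to review.
SONE_TAG_RE = re.compile(r"</?sone_[a-z0-9_]+>", re.IGNORECASE)


def scan_payload(payload: str) -> dict:
    """Return the SONE-style tags found in one decoded payload.

    'known' lists tags that match the documented markers, 'unknown' lists
    other sone_ tags, and 'suspicious' is True if any sone_ tag is present.
    """
    tags = {t.lower() for t in SONE_TAG_RE.findall(payload)}
    return {
        "known": sorted(tags & SONE_MARKERS),
        "unknown": sorted(tags - SONE_MARKERS),
        "suspicious": bool(tags),
    }


def scan_records(records):
    """Scan (record_id, payload) pairs, e.g. decoded HTTP bodies from a
    proxy log, and return the records that contain SONE-style tags."""
    hits = []
    for record_id, payload in records:
        result = scan_payload(payload)
        if result["suspicious"]:
            hits.append((record_id, result))
    return hits


# Constructed sample records: one benign form post, one carrying SONE-style markers.
SAMPLE_RECORDS = [
    ("req-001", "user=alice&action=login"),
    ("req-002", "<sone_entry><sone_name>demo</sone_name>"
                "<sone_program>demo</sone_program></sone_entry>"),
]

if __name__ == "__main__":
    for record_id, result in scan_records(SAMPLE_RECORDS):
        print(record_id, result)
```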
TerraStealer, in conjunction with two other Golden Chickens tools - TerraLoader and more_eggs - has been detected as part of cyber attacks carried out by the group's multiple clients. The most notable of these is, without a doubt, FIN6, a threat actor that specializes in financially motivated attacks, particularly against Point-of-Sale (POS) terminal systems.