TerraTV is one of the more recently discovered tools added to the Golden Chickens (GC) Malware-as-a-Service (MaaS) offering. It is a custom DLL that attackers use to hijack a legitimate TeamViewer application.
Top-tier threat actors favour the GC MaaS provider for tailored attacks and other fraudulent activity because the tools it offers are highly flexible and resilient. The four TerraTV samples analyzed so far were all signed with legitimate code-signing certificates issued by Comodo/Sectigo to shell companies, so signature checks alone do not flag them.
TerraTV was identified in 2018 while researchers analyzed cyberattacks against e-commerce merchants. The malicious TeamViewer component matched many already known features of the GC MaaS infrastructure, and it appeared in several variants.
TerraTV is installed on the victim's machine by TerraLoader, which unpacks a legitimate TeamViewer client. When that client runs, it loads the malicious TerraTV DLL through the "DLL Search Order Hijacking" technique: because the loader looks in the application's own directory before the system directories, a same-named DLL placed next to the executable wins. The malware then hooks specific API calls to hide itself from the user, who sees nothing unusual. TerraTV steals the TeamViewer access credentials, sends them to a hardcoded C2 server, and the attackers gain remote access to the compromised computer over a legitimate TeamViewer connection, which blends in with normal remote-support traffic.
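To make the search-order mechanism concrete, the following script is an added example (not code from the original article, TerraTV, or TeamViewer). It models the Windows default DLL search order, resolves each name an executable imports, and flags the hijack shape described above: a DLL that legitimately exists in a system directory but is shadowed by a same-named file in the application directory. The directory layout, the DLL names and the "Known DLLs" subset are constructed for illustration; a real triage would use the imports from the actual binary and the registry-maintained Known DLLs list, and would also account for manifests and SetDllDirectory calls that this simplified model ignores.

```python
import tempfile
from pathlib import Path

# Search order the Windows loader uses for an unqualified DLL name when
# SafeDllSearchMode is enabled (the default): the directory of the executable
# comes first, which is what makes the application directory a planting spot.
# "Known DLLs" (registry-maintained; illustrative subset here) are always
# taken from System32 and cannot be shadowed this way.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll"}


def search_order(app_dir, system32, system, windows, cwd, path_dirs=()):
    """Directories in the order LoadLibrary consults them (safe search mode)."""
    return [Path(app_dir), Path(system32), Path(system), Path(windows), Path(cwd),
            *(Path(p) for p in path_dirs)]


def resolve_dll(name, dirs):
    """Return the first directory in `dirs` holding a file called `name`, or None."""
    for d in dirs:
        if (d / name).is_file():
            return d
    return None


def hijack_candidates(imports, app_dir, system32, system, windows, cwd, path_dirs=()):
    """
    Names from `imports` whose winning copy sits in the application directory
    while a same-named file also exists in a system directory.  That is the
    shape of a search-order hijack: the loader never reaches the real DLL.
    Known DLLs are skipped because the application directory is not consulted
    for them.  Returns a sorted list of DLL names.
    """
    dirs = search_order(app_dir, system32, system, windows, cwd, path_dirs)
    app, system_dirs = dirs[0], dirs[1:4]
    flagged = []
    for name in imports:
        if name.lower() in KNOWN_DLLS:
            continue
        if resolve_dll(name, dirs) != app:
            continue
        if any((d / name).is_file() for d in system_dirs):
            flagged.append(name)
    return sorted(flagged)


def _touch(path):
    """Create a placeholder file; only its existence matters for the model."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(b"MZ")


def run_demo():
    """
    Constructed layout (hypothetical, not a real TeamViewer install): system
    directories holding the legitimate copies, and an application directory
    where an attacker has planted a same-named DLL.  All DLL names except the
    Known DLLs subset are made up for this example.
    """
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        app, sys32, sysdir, win, cwd = (
            root / n for n in ("app", "System32", "System", "Windows", "cwd"))
        for d in (app, sys32, sysdir, win, cwd):
            d.mkdir()
        # Legitimate system-provided DLLs.
        _touch(sys32 / "kernel32.dll")
        _touch(sys32 / "shadowed.dll")
        # The executable's own private DLL: lives only in the app directory, fine.
        _touch(app / "appprivate.dll")
        # Attacker plant: shadows a system DLL, so the loader picks it first.
        _touch(app / "shadowed.dll")
        # A planted Known DLL has no effect: the loader ignores the app dir for it.
        _touch(app / "kernel32.dll")
        imports = ["kernel32.dll", "shadowed.dll", "appprivate.dll", "missing.dll"]
        return hijack_candidates(imports, app, sys32, sysdir, win, cwd)


if __name__ == "__main__":
    print(run_demo())
```

Run it as a script and it reports only `shadowed.dll`: the app-private DLL is expected to live beside the executable, the missing import resolves nowhere, and the planted `kernel32.dll` is ignored because Known DLLs bypass the application directory. Note that even a correct hit is not proof of compromise by itself; a signed DLL from a fake company, as in the TerraTV samples, is why the next step is checking who the certificate was issued to, not just whether the signature validates.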