TerraWiper is a wiper malware attributed to the Golden Chickens cybercriminal group. Golden Chickens (GK) sells a portfolio of highly specialized malware tools to other mid- to high-tier threat actors as Malware-as-a-Service (MaaS). TerraWiper, in particular, tries to render the targeted computer unbootable by tampering with its Master Boot Record (MBR).
Among the factors that led the experts at QuoIntelligence to attribute TerraWiper to Golden Chickens: it is written in PureBasic, it uses the same XOR-based string obfuscation as other GK tools, and it carries the same bug in that obfuscation routine. TerraWiper's goal is to run with elevated privileges so that it can open the physical drive and overwrite it with nothing but zeroes. To get there it uses a well-known User Account Control (UAC) bypass: it writes the path of its own executable into the Software\Classes\mscfile\shell\open\command key under HKEY_CURRENT_USER (a location a standard user can write without admin rights) and then launches %SYSTEMROOT%\System32\eventvwr.exe. Because eventvwr.exe is an auto-elevating Microsoft binary that opens its .msc console through that file-association key, the registered command runs at high integrity without any UAC prompt.
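The two observable traces of that bypass are a value written under the mscfile handler key and a process spawned by eventvwr.exe that is not mmc.exe. The following detection logic is an added example (not TerraWiper or QuoIntelligence code) that runs those two checks over constructed Sysmon-style events; field names follow Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set), and the paths, SID and file name in the samples are invented:

```python
"""Detect the eventvwr.exe / mscfile UAC bypass in Sysmon-style events.

Added example, not TerraWiper or QuoIntelligence code. Events are modelled as
dicts holding a subset of Sysmon fields; the sample events below are constructed.
"""
import re

# The handler key does not exist under HKCU/HKU\<SID> on a clean system, so any
# value set beneath it is suspicious regardless of the data written.
HIJACK_KEY = re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command", re.IGNORECASE)


def check_registry_event(ev):
    """Sysmon Event ID 13: value set under the mscfile open-command key."""
    if ev.get("EventID") != 13:
        return None
    if HIJACK_KEY.search(ev.get("TargetObject", "")):
        return (f"mscfile handler hijack: {ev['TargetObject']} = "
                f"{ev.get('Details', '')!r} written by {ev.get('Image')}")
    return None


def check_process_event(ev):
    """Sysmon Event ID 1: eventvwr.exe normally starts only mmc.exe; any other
    child is the hijacked handler running elevated."""
    if ev.get("EventID") != 1:
        return None
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    if parent.endswith("\\eventvwr.exe") and not image.endswith("\\mmc.exe"):
        return (f"unexpected child of eventvwr.exe: {ev['Image']} "
                f"(integrity {ev.get('IntegrityLevel', '?')})")
    return None


def scan(events):
    """Run every check over every event and return the list of alert strings."""
    alerts = []
    for ev in events:
        for check in (check_registry_event, check_process_event):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: a dropper plants the key, launches eventvwr.exe,
# and gets itself re-launched elevated. The final event is the benign case.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\eventvwr.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "IntegrityLevel": "High"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The registry check fires on the hijack key regardless of which user hive it lands in (Sysmon logs HKCU writes as HKU\<SID>\...), and the process check catches the bypass even when the key write was not logged. Both are cheap enough to run on every event.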
Because TerraWiper's functionality is so limited, a victim can usually undo the damage by restoring the affected MBR, after which the computer boots again. Keep in mind that the first sector holds the partition table as well as the boot code, so a zero-fill of that sector means both have to come back: rewriting the boot code alone (which is all bootrec /fixmbr does) does not restore the partition entries.
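Before repairing anything, a responder wants to know what of the first sector survived. The parser below is an added example (not TerraWiper or QuoIntelligence code) that reads a 512-byte MBR, checks the 0x55AA boot signature, decodes the four partition entries and reports whether the sector was zero-filled; the "intact" sample sector is constructed inline with dummy boot code and one invented NTFS partition, and a real case would read the bytes with open("disk.img", "rb").read(512):

```python
"""Inspect a 512-byte MBR sector and tell an intact one from a wiped one.

Added example, not TerraWiper or QuoIntelligence code. Sample sectors are
constructed inline.
"""
import struct

SECTOR = 512
PART_TABLE_OFF = 446   # four 16-byte partition entries start here
SIG_OFF = 510          # 0x55 0xAA boot signature


def parse_mbr(sector):
    """Decode signature, partition table and zero-fill status of one sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    signature_ok = sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:   # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": signature_ok,
        "boot_code_zeroed": not any(sector[:PART_TABLE_OFF]),
        "partitions": partitions,
        "wiped": not any(sector),
    }


def describe(sector):
    """One-line verdict a responder can act on."""
    info = parse_mbr(sector)
    if info["wiped"]:
        return "sector is all zeroes: boot code AND partition table are gone"
    if not info["signature_ok"]:
        return "boot signature missing: firmware will refuse to boot this disk"
    return f"intact MBR, {len(info['partitions'])} partition(s) in table"


def build_sample_mbr():
    """Constructed 'intact' sector: dummy boot code, one bootable NTFS partition."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PART_TABLE_OFF, b"\x90")
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                         b"\xfe\xff\xff", 2048, 204800)
    table = entry0 + b"\x00" * 48          # three unused entries
    return boot_code + table + b"\x55\xaa"


WIPED_MBR = b"\x00" * SECTOR               # what a zero-fill leaves behind

if __name__ == "__main__":
    print("sample :", describe(build_sample_mbr()))
    print("wiped  :", describe(WIPED_MBR))
```

If the verdict is "all zeroes", the recovery plan needs a source for the partition table (a backup of sector 0, or a rebuild from the partition boot sectors that are still on disk) in addition to new boot code.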
Keeping an eye on the behavior and arsenal of MaaS providers such as Golden Chickens helps companies shape their own cyber defense techniques and playbooks.