Latest Tools Discovered

As we continue to investigate the attack operations instrumented by the GC MaaS, we are able to uncover more offerings from its catalog. A quick snapshot of the latest discovered tools is depicted in the image below.

TerraTV

In 2018, VISA reported attacks attributed to FIN6 that targeted eCommerce merchants. The attacks relied on different GC MaaS malwares and infrastructure, various post exploitation tools, and a malicious signed sample which is noted as a TeamViewer component. As we further evaluated the reporting and analyzed the reported samples, we discovered that such TeamViewer component was matching many features of known Terra* variants, such as the use of PureBasic and the implementation of specific obfuscation routines. Hence, we classified the TeamViewer component as TerraTV, and found multiple variants of it while searching across our sources and repositories.

The use of TerraTV is observed in the following kill-chain:

• A Nullsoft Scriptable Install System (NSIS) installer is deployed on the victim system containing a DLL (TerraLoader) which is executed via regsvr32.exe
• TerraLoader unpacks a legit TeamViewer client (signed by TeamViewer GmbH) matching the platform (x86 / x64) and a signed DLL avicap32.dll (TerraTV). Notably, avicap32.dll is a legit Windows DLL residing in C:\Windows\system32\ containing functions for the Windows API that are required by TeamViewer to stream the user’s desktop over the network
• The TeamViewer client is executed and, by leveraging a technique known as DLL Search Order Hijacking, it loads the malicious avicap32.dll from its own directory before attempting to load the legit one installed in C:\Windows\system32\
• The malicious DLL, TerraTV, hijacks multiple API calls in order to hide its windows and icon in the system tray (so the victim does not realise that TeamViewer is currently running) and intercepts the client’s access credentials
• Stolen access credentials are sent to a hardcoded C2 server
• The attackers can remote access into the compromised computer via legit TeamViewer connection

The table below lists the four TerraTV sample we collected across 2017 and 2018. All the observed TerraTV samples were signed with legitimate certificates issued by Comodo/Sectigo to registered (fake) companies.

TerraRecon

TerraRecon is a reconnaissance tool used in highly targeted attacks that occurred at least between 2016 and 2018. Although we are unaware of the full kill-chain that led to the execution of TerraRecon, it is fair to assume that attackers used it as a second or third stage malware.

TerraRecon’s primary objective is to scan the infected system for the presence of very specific hardware and software used in the retail and money transfer services, like:

• Western Union Software likely used in offices located in Italy
• Western Union and Wacom Signing Pads
• Yubico’s Yubikeys

QuoINT was able to map three different versions of TerraRecon, and — based on the compilation timestamps of the samples analyzed and the timeline when they were likely used — concluded that the malware family potentially existed since at least 2013.

Golden Chicken MaaS Licensing — Kill-switch

After discovering the GC MaaS operator’s implementation of kill-switch functionality — a feature which disallows the execution of a malware sample beyond a hardcoded date, time or year value — in both TerraRecon and TerraLoader variants, we began to question if it was implemented more widespread throughout the MaaS catalog. As a result, we identified that the GC MaaS operator frequently implemented a kill-switch feature largely in at least TerraLoader samples, dated for the years 2018 or 2019. It is very likely the GC MaaS operator implements the kill-switch feature in order to limit the use of the particular malware a threat actor purchases to keep them as a returning customer, in other words, it’s the GC MaaS way to do software licensing.

TerraStealer

First observed in 2017, TerraStealer is a malware advertised in underground as SONE (Stealer One) forums by the GC MaaS operator as SONE. TerraStealer is an information stealer targeting various applications, such as email clients, web browsers, and file transfer utilities.

Based on our code analysis of an earlier SONE payload, the malware is sharing all the obfuscation routines and procedure calls during execution as TerraLoader. However, the purpose of the malware differs from TerraLoader as it focuses on information theft.

The analyzed TerraStealer variants employ anti-analysis techniques in an attempt to complicate analysis, such as checking the process used to execute it (e.g. odbcconf.exe vs regsvr32.exe).

Traffic to the C2 server is sent over HTTPS after it is encrypted internally, however, Figure 6 shows the initial message to the C2 in plaintext from a memory dump obtained during dynamic analysis.

Further, we observed the following strings while analysing C2 communications:

</sone_email>
<sone_name>
<sone_entry>
<sone_program>
</sone_program>
<sone_protocol>
…

From observing the deobfuscated payload strings, we can assess with high confidence that TerraStealer functions as an information stealer. TerraStealer targets a list of web browsers, e-mail clients, and FTP clients, including popular products such as Google Chrome, Firefox, Internet Explorer (versions 4–11), Microsoft Edge, Microsoft Outlook 2000–2016, Thunderbird, FileZilla, and WinSCP.

We have observed multiple GC clients using TerraLoader, more_eggs and TerraStealer tools in conjunction during their attacks. One of those is FIN6, which VISA reported being used during the internal reconnaissance phase of the compromised network to gather information and credentials, targeting eCommerce merchants and point-of-sales (PoS) systems.

VenomLNK

We have observed a Windows Shortcut file dubbed as VenomLNK used in various campaigns involving different infection chains. We hypothesize this is a new variation of a previously highlighted malicious document kit builder known as VenomKit, a building-kit tool that threat actors use to craft malicious Rich Text File (RTF) documents that exploit multiple vulnerabilities. Successful exploitation of those vulnerabilities leads to the delivery of batch and scriptlet files on a system and execution to download the second stage payload from a Web resource.

TerraCrypt

Similar to other GC MaaS tools, the TerraCrypt ransomware is written in PureBasic code and shares key code similarities to TerraLoader. In October 2019, QuoINT became aware of a new ransomware strain we internally track as TerraCrypt. In November 2019, researchers at IBM X-Force and Intezer jointly released a blog post detailing the same ransomware strain, which they dubbed PureLocker.

The main TerraCrypt functionality can be resumed as follow:

• The ransomware processes files on the infected system by excluding from the decryption certain extensions and paths
• For each file to encrypt, it generates a 128bit Initialization Vector (IV) and a 256bit key
• Every file is encrypted with AES using the key and the IV (probably CBC mode)
• It uses an hardcoded RSA key to encrypt the AES key and IV and append that encrypted data to the file (512 bits)

Although not unique, the ransom note instructs the victim to contact the attacker through the anonymous and encrypted Proton email address to decrypt files, with no mention of payment type or amount.

(HTML table)

Figure 8 — Example of the hardcoded ransom note

The same CR1 string which is included in the attacker’s email address in the ransom note, is also the file extension appended to encrypted files on an infected system and stated at the top of the ransom note.

Although the ransom note states, “Your private key will be deleted after 7 days”, the malwares does not generate any network traffic. This observation implies that the ransomware does not provide the attacker any capability to understand when (or if) the attack worked. Which implies two hypotheses:

• The ransomware is deployed through other loaders or backdoors. For instance, if it is dropped by more_eggs, attackers would know when and if the ransomware got installed on the targeted machine since they have already maintained persistence on it
• Attackers have no way to enforce the seven-days policy since the could not be aware when and if the ransom got installed

Due to the tight service level agreement that the GC MaaS operator enforces on his clients (in this case, threat actors using TerraCrypt), we assess the first hypothesis as most likely.

TerraWiper

In October 2018 while hunting for TerraCrypt variants we discovered a wiper malware we dubbed TerraWiper. TerraWiper is a Master Boot Record (MBR) wiper compiled from PureBasic, and it uses a slightly different version of the obfuscator used for TerraLoader variants. TerraWiper samples attempt to render a machine unbootable by zero-ing its MBR. Therefore, it would be possible for an infected computer to easily recover the data, or to make the machine boot again by fixing its MBR.

The attribution of TerraWiper to GC MaaS relies on the following traits discovered while reversing its code:

• Code written in PureBasic.
• Using the same string obfuscation (XOR).
• The XOR key is brute-forced in the beginning.
• The string obfuscation has the same bug (index starting at 1 not 0).
• The calling convention in the compiled binary is different to all the TerraLoader variants we know and other associated GC tools.
• Functions are normally imported and called; usually at least the functions being used in the main functionality are loaded dynamically by name, or in later TerraLoader variants, by hash value.
• The main code structure looks slightly different, potentially due to the other differences.

Based on analysis of the tool, we assess with high confidence that TerraWiper is a tool attributed to the GC MaaS and created or coded by the same author or developer of TerraLoader.

Integrated into the samples is a certain User Access Control (UAC) bypass technique which is described here. Essentially, it involves writing its own executable into the registry under Software\Classes\mscfile\shell\open\command and then launching %SYSTEMROOT%\System32\eventvwr.exe. If the executable runs with elevated privileges, it then overwrites the MBR and tries to reboot the machine.

The code above contains the TerraWiper decompiled function code — it is opening the physical drive and writing 512 bytes zeroes to it, which is effectively overwriting the MBR with zeroes