Query Details

Golden Chickens Terra Stealer V2 Malware Detection

Query

// https://www.recordedfuture.com/research/terrastealerv2-and-terralogger

// 🤣 Golden Chickens 🤣 
// TerraStealerV2 Malware Detection
//
let QueryPeriod = 1d;
let MonitorExtension = dynamic([".lnk", ".exe", ".dll", ".msi"]);
let EPwithLowFP =
DeviceFileEvents
| where Timestamp > ago(QueryPeriod)
| where ActionType == @"FileCreated"
| where FileName has_any (MonitorExtension)
| invoke FileProfile("SHA1", 500) 
| where GlobalPrevalence < 5
| distinct DeviceName;
DeviceNetworkEvents
| where Timestamp > ago(QueryPeriod)
| where ActionType == "ConnectionSuccess" and RemoteUrl == "wetransfers.io"
| where DeviceName has_any (EPwithLowFP)

Explanation

This KQL (Kusto Query Language) query is designed to detect potential malware activity related to the TerraStealerV2 malware, which is associated with the "Golden Chickens" group. Here's a simple breakdown of what the query does:

  1. Define the Time Period: The query looks at events that occurred within the last day (1d).

  2. Monitor Specific File Extensions: It focuses on files with certain extensions that are commonly associated with executables or installers, such as .lnk, .exe, .dll, and .msi.

  3. Identify Low Prevalence Files:

    • It examines file creation events (FileCreated) on devices.
    • It filters these events to include only those files with the specified extensions.
    • It uses a function (FileProfile) to check the SHA1 hash of these files and filters out those with a global prevalence of less than 5, indicating they are rare and potentially suspicious.
    • It collects a list of device names where these rare files were created.
  4. Monitor Network Connections:

    • It looks at network connection events (ConnectionSuccess) within the same time frame.
    • It specifically checks for connections to the URL "wetransfers.io", which might be associated with malicious activity.
    • It further filters these events to include only those from devices identified in the previous step (devices with low-prevalence files).

In summary, the query is designed to identify devices that have created rare and potentially suspicious files and then checks if those devices have made network connections to a specific URL that could be linked to malicious activity.

Details

Steven Lim profile picture

Steven Lim

Released: May 6, 2025

Tables

DeviceFileEventsDeviceNetworkEvents

Keywords

DeviceFileEventsNetworkTimestampActionTypeNameProfileGlobalPrevalenceRemoteUrl

Operators

letdynamicagohas_anyinvokedistinct

Actions

GitHub