Query Details

Golden Chickens Terra Stealer V2 Malware Detection

Query

// https://www.recordedfuture.com/research/terrastealerv2-and-terralogger

// 🤣 Golden Chickens 🤣
// TerraStealerV2 Malware Detection
//
let QueryPeriod = 1d;
let MonitorExtension = dynamic([".lnk", ".exe", ".dll", ".msi"]);
// Stage 1: devices that created a rare file (GlobalPrevalence < 5) of a monitored type within the query period
let EPwithLowFP =
    DeviceFileEvents
    | where Timestamp > ago(QueryPeriod)
    | where ActionType == @"FileCreated"
    | where FileName has_any (MonitorExtension)
    | invoke FileProfile("SHA1", 500)   // enrich with the global prevalence of each SHA1 (rows with no prevalence data fail the next filter)
    | where GlobalPrevalence < 5
    | distinct DeviceName;
// Stage 2: inspected HTTP connections to the delivery URI pattern, restricted to the stage-1 devices
DeviceNetworkEvents
| where Timestamp > ago(QueryPeriod)
| where ActionType == "HttpConnectionInspected"
| extend Uri = tostring(parse_json(AdditionalFields)["uri"])
| where Uri has "wetransfers.io/v.php" and Uri has ".ocx"
| where DeviceName has_any (EPwithLowFP)

Explanation

This KQL (Kusto Query Language) query is designed to detect potential malware activity related to the TerraStealerV2 malware, which is associated with the "Golden Chickens" group. Here's a simplified breakdown of what the query does:

  1. Set Query Period: The query looks at data from the past day (1d).

  2. Define File Extensions to Monitor: It focuses on files with specific extensions: .lnk, .exe, .dll, and .msi.

  3. Identify Devices That Created Rare Files (EPwithLowFP):

    • It searches for file creation events (FileCreated) on devices within the last day.
    • It filters these events to include only those where the file name has one of the specified extensions.
    • It uses the FileProfile function to enrich each file's SHA1 hash with its global prevalence, keeping only files with a global prevalence of less than 5, i.e. files that are rare and potentially suspicious.
    • It collects a list of distinct device names that meet these criteria.

  4. Detect Suspicious Network Activity:

    • It examines network events where HTTP connections were inspected within the last day.
    • It looks for connections whose URI contains the pattern wetransfers.io/v.php and also contains .ocx.
    • It cross-references these network events with the list of devices identified earlier and returns only the matches.

In summary, this query is designed to detect suspicious file creation and network activity that may indicate the presence of TerraStealerV2 malware on devices, focusing on rare files and specific network patterns.
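The two-stage correlation the query performs, re-implemented in Python over constructed sample rows as an added example (this is not code from the page's author or from Microsoft Defender). The PREVALENCE table stands in for the FileProfile() enrichment, and the row helper, device names, hashes and URIs are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

MONITOR_EXTENSIONS = (".lnk", ".exe", ".dll", ".msi")
PREVALENCE_THRESHOLD = 5                      # GlobalPrevalence < 5 in the query
QUERY_PERIOD = timedelta(days=1)              # QueryPeriod = 1d
NOW = datetime(2025, 5, 5, 12, 0, tzinfo=timezone.utc)
RARE, COMMON = "a" * 40, "b" * 40             # constructed SHA1 values
# Constructed stand-in for the FileProfile() enrichment: SHA1 -> GlobalPrevalence.
PREVALENCE = {RARE: 2, COMMON: 120000}

def row(hours_ago, **fields):
    """Constructed event row; Timestamp is hours_ago hours before NOW."""
    return {"Timestamp": NOW - timedelta(hours=hours_ago), **fields}

# Constructed sample rows in the shape of DeviceFileEvents and DeviceNetworkEvents.
FILE_EVENTS = [
    row(2, ActionType="FileCreated", DeviceName="ws-01", FileName="invoice.lnk", SHA1=RARE),    # rare, in window
    row(3, ActionType="FileCreated", DeviceName="ws-02", FileName="setup.msi", SHA1=COMMON),    # common binary
    row(72, ActionType="FileCreated", DeviceName="ws-03", FileName="loader.dll", SHA1=RARE),    # rare, but 3 days old
]
NETWORK_EVENTS = [
    row(1, ActionType="HttpConnectionInspected", DeviceName="ws-01", AdditionalFields={"uri": "https://wetransfers.io/v.php?f=1.ocx"}),
    row(1, ActionType="HttpConnectionInspected", DeviceName="ws-02", AdditionalFields={"uri": "https://wetransfers.io/v.php?f=2.ocx"}),
    row(1, ActionType="HttpConnectionInspected", DeviceName="ws-01", AdditionalFields={"uri": "https://wetransfers.io/v.php?f=3.txt"}),
]

def devices_with_rare_files(file_events):
    """Stage 1 (EPwithLowFP): devices that created a rare file of a monitored type in the window."""
    devices = set()
    for ev in file_events:
        in_scope = (ev["Timestamp"] > NOW - QUERY_PERIOD and ev["ActionType"] == "FileCreated"
                    and ev["FileName"].lower().endswith(MONITOR_EXTENSIONS))  # stricter than has_any
        prevalence = PREVALENCE.get(ev["SHA1"])  # None mirrors a null GlobalPrevalence, which `< 5` drops
        if in_scope and prevalence is not None and prevalence < PREVALENCE_THRESHOLD:
            devices.add(ev["DeviceName"])
    return devices

def suspicious_connections(network_events, rare_devices):
    """Stage 2: inspected HTTP connections to the delivery URI pattern from stage-1 devices."""
    hits = []
    for ev in network_events:
        uri = ev["AdditionalFields"].get("uri", "")
        # Substring tests stand in for the KQL `has` term matches in the query.
        if (ev["Timestamp"] > NOW - QUERY_PERIOD and ev["ActionType"] == "HttpConnectionInspected"
                and "wetransfers.io/v.php" in uri and ".ocx" in uri and ev["DeviceName"] in rare_devices):
            hits.append((ev["DeviceName"], uri))
    return hits

def run_detection(file_events=FILE_EVENTS, network_events=NETWORK_EVENTS):
    return suspicious_connections(network_events, devices_with_rare_files(file_events))
```

Device correlation here is exact set membership, the equivalent of KQL `in`; the page's query uses `has_any`, which is a term match.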

Details

Steven Lim

Released: May 5, 2025

Tables

DeviceFileEvents, DeviceNetworkEvents

Keywords

DeviceFileEvents, Timestamp, ActionType, FileName, DeviceName, DeviceNetworkEvents, HttpConnection, AdditionalFields, Uri

Operators

let, dynamic, |, where, >, ago, ==, has_any, invoke, distinct, parse_json, has, and