{
	"id": "a940400a-c91c-4787-a772-df07b2df9229",
	"created_at": "2026-04-06T00:10:56.972983Z",
	"updated_at": "2026-04-10T03:33:53.630742Z",
	"deleted_at": null,
	"sha1_hash": "056e396f221f59e322bd6aa96b11b4292d787312",
	"title": "The Chicken Keeps Laying New Eggs: Uncovering New GC MaaS Tools Used By Top-tier Threat Actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 142709,
	"plain_text": "The Chicken Keeps Laying New Eggs: Uncovering New GC MaaS Tools Used By Top-tier Threat Actors\r\nBy Allison Ebel\r\nPublished: 2020-01-27 · Archived: 2026-04-05 18:52:25 UTC\r\nDuring the code analysis of TerraRecon, it was evident that the standalone executable file shares a significant amount of code with TerraLoader, including string obfuscation, key brute-forcing, runtime function resolution, and a kill-switch feature. We assess with high confidence that the same person, either the MaaS operator or a separate malware author, coded both TerraRecon and TerraLoader. As we have previously noted, the MaaS operator’s business model also relies on ad-hoc development requests, so the custom development of TerraRecon seems to be a reasonable request.\r\nDue to TerraRecon’s focused reconnaissance, we assess with high confidence that the tool was developed for a specific customer, or limited group, having the financial capability to pay for its development. This conclusion likely indicates the request originates from a mid to top tier e-crime operator. By corroborating the scope of the tool, its objectives, its C2 infrastructure, and the sightings timelines, we attributed the exclusive use of TerraRecon to FIN6 with high confidence.\r\nTerraRecon gathers system information and checks for file paths and ActiveX controls related to very specific software and hardware.\r\nTerraRecon v3 first brute-forces the string XOR encryption key and checks whether the current year is 2018; if not, it stops. By design, the variant includes a kill-switch functionality, meaning the malware will only operate during the specified year. The malware also performs an Internet connectivity check by attempting to resolve the hostname ocsp.comodoca.com, which is the valid Online Certificate Status Protocol (OCSP) URL for Comodo used to check the status of a certificate. To note, none of the analyzed TerraRecon variants bear digital signatures. In addition, we did not observe the kill-switch functionality or Internet connectivity check in either TerraRecon v2 or v1.\r\nThe malware begins the reconnaissance activity on the victim machine by extracting the pc_name and user_name of the system. Next, it walks through a checklist of very specific software/hardware of interest, and whenever one of the checks is successful, a flag is set to make a callback to the C2. If the flag is not set by the end of the checklist, the malware will not call back. If the initial callback fails, the malware will only attempt one additional time. After reporting the checklist matches, it deletes itself via a BAT file.\r\nAll the analyzed TerraRecon samples make method calls on specific ActiveX controls (COM objects) to determine whether the prerequisites on the checklist exist on the victim machine. Essentially, ActiveX controls are small pieces of software used by programs to make functionality available in the browser. TerraRecon establishes its C2 communication via HTTP GET request and transmits the results of the victim machine check as parameters in the URL. TerraRecon v3 transmits its results with a long version of the parameters, whereas TerraRecon v1 and v2 use a shortened version. Another difference between the variants is that TerraRecon v3 is written in PureBasic, in contrast to TerraRecon v1 and v2, which are written in Visual Basic.\r\nhttps://quointelligence.eu/2020/01/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors/\r\nPage 1 of 2\r\nThe table below lists all main characteristics of TerraTV variants by focusing on the checks they perform on the targeted systems.\r\nInterestingly, the file name of the TerraRecon v3 sample that was uploaded to VirusTotal in March 2019 was ‘ETDAniConf.exe’, which imitates the name of a driver used by ELAN (ELAN Microelectronics Corp.) Smart-Pads (multi-finger touch pads) for many PC manufacturers.\r\nFigure 5 — TerraRecon sample’s information from VirusTotal\r\nSource: https://quointelligence.eu/2020/01/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://quointelligence.eu/2020/01/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors/"
	],
	"report_names": [
		"the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775792033,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/056e396f221f59e322bd6aa96b11b4292d787312.pdf",
		"text": "https://archive.orkl.eu/056e396f221f59e322bd6aa96b11b4292d787312.txt",
		"img": "https://archive.orkl.eu/056e396f221f59e322bd6aa96b11b4292d787312.jpg"
	}
}