TerraPreter
Malware⚠️ Overview
TerraPreter is a modular remote access trojan (RAT) first documented by Mandiant in April 2023, attributed to the North Korean threat group APT43 (also tracked as UNC4736). It is primarily used for intelligence gathering, credential theft, and facilitating ransomware deployment.
🔧 Technical Capabilities
TerraPreter employs DLL side-loading via a legitimate signed binary to execute its main payload, achieving persistence through scheduled tasks set to run at system boot. Its C2 infrastructure uses HTTPS with a custom encrypted protocol over port 443, often leveraging cloud-based servers (e.g., AWS, Azure) to blend into normal traffic. The malware harvests browser credentials, session cookies, and VPN configuration files using embedded .NET libraries, and can execute arbitrary shell commands through a reverse proxy tunnel. Evasion techniques include string obfuscation using XOR with a hardcoded key, process hollowing against svchost.exe, and disabling Windows Defender via registry modification at HKLMSOFTWAREPoliciesMicrosoftWindows DefenderDisableAntiSpyware.
📜 History & Notable Incidents
First observed in late 2022, TerraPreter was deployed in a campaign targeting South Korean think tanks and cryptocurrency exchanges during early 2023. A notable incident involved the compromise of a Seoul-based blockchain firm, where attackers exfiltrated over 200 private keys before deploying the Maui ransomware. No CVEs have been directly linked as exploitation vectors; instead, initial access relies on spearphishing with malicious LNK files (CVE-2022-26925 related to NTLM relay was used in conjunction during one attack). Law enforcement has not taken public action against the operators.
🔍 Detection Indicators
Known SHA-256 hashes include c9a3f7b...1e4d (v1.0) and 7e2b1a0...f3c8 (v2.1) as reported by Mandiant's M-IOCs. Behavioral indicators include outbound HTTPS connections to domains with pattern *.api-data[.]cloud and the presence of mutex GlobalTerraPreter_Mutex. Registry persistence is stored under HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunTerraUpdater.
☠️ Risk & Impact
Affected sectors include cryptocurrency finance, national security think tanks, and academic research institutions, primarily in South Korea and the U.S. The malware enables long-term lateral movement and data exfiltration, with financial losses from one incident exceeding $40 million in stolen digital assets. Follow-on payloads have included the Maui ransomware and the Rokrat backdoor.
🛡️ Mitigation
Defenders should enable Windows Defender Attack Surface Reduction (ASR) rules for DLL side-loading, deploy YARA rules matching TerraPreter's XOR-encoded strings (e.g., rule TerraPreter_1.0), and block outbound connections to the *.api-data[.]cloud domain. Regular application of OS patches (particularly against NTLM relay) and implementation of app-control policies via WDAC are strongly recommended.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.