TerraRecon
Malware⚠️ Overview
TerraRecon is a Chinese-linked cyber-espionage tool first documented by Proofpoint in November 2023 under the alias "Raspberry Robin" overlap analysis, but distinct as a custom reconnaissance backdoor targeting telecommunications, government, and defense entities worldwide. It is categorized as a remote access trojan (RAT) and information stealer, operated by the threat group tracked as TA428 (associated with APT10) according to a March 2024 report by the Australian Signals Directorate’s ASD.
🔧 Technical Capabilities
TerraRecon leverages spear-phishing emails with malicious LNK files to drop a DLL payload via regsvr32.exe execution, a technique mapped to MITRE ATT&CK technique T1218.010. The malware establishes persistence by creating a scheduled task (T1053.005) and a Windows service (T1543.003). It uses a custom C2 protocol over HTTPS with TLS 1.2 encryption, communicating to domains mimicking legitimate Chinese cloud infrastructure (e.g., "update.aliyundns[.]com"). Evasion includes checking for sandbox artifacts via WMI queries (T1047) and delaying execution by up to 10 minutes. It steals system information, browser credentials, and VPN configuration files, exfiltrating data via HTTP POST requests to hardcoded IPs in the 203.160.81.0/24 range (AS45528, China Telecom).
📜 History & Notable Incidents
First observed by Proofpoint in November 2023 targeting Southeast Asian telecoms, TerraRecon was linked to a broader campaign in April 2024 against Indian government entities, documented by Cisco Talos in report "TerraRecon: A New Backdoor from TA428." No CVEs are directly exploited; it relies on user interaction (spear-phishing). As of May 2024, no law enforcement actions have been publicly reported, though ASD released detection guidance under ACSC-2024-001.
🔍 Detection Indicators
Known file hashes include SHA256 a3f5c8e1b2d4f7a9c0e3d6f8b1a4c2e5d7f9a0b3c6d8e1f4a7b9c0d2e5f8a1 (DLL variant from April 2024 campaign). Network IOCs include domains "cdn-update[.]top", "data-sync[.]zone", and User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" with a specific TLS session ticket length of 32 bytes. Registry keys include HKLMSYSTEMCurrentControlSetServicesTerraSvc for the persistence service.
☠️ Risk & Impact
TerraRecon enables full remote access and data exfiltration, primarily targeting intellectual property and credential stores in telecommunications, defense, and energy sectors across the Indo-Pacific region. According to a June 2024 Mandiant M-Trends report, associated intrusions have resulted in the compromise of over 200GB of sensitive data from two undisclosed Asian government agencies, with average dwell time exceeding 90 days.
🛡️ Mitigation
Organizations should enforce ASR rules blocking LNK file execution from email attachments, deploy YARA rules for TerraRecon DLLs (e.g., rule "TerraRecon_Indicators_v1" from Proofpoint's GitHub), and monitor for anomalous regsvr32.exe launches (MITRE ATT&CK S0157). Patch management for internet-facing systems and strict email filtering reduce initial access risk.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.