eSentire security researchers claim to have identified the developer of Golden Chickens, a malware suite used by the financially motivated Cobalt Group, Evilnum, and FIN6 cybercrime groups.
Offered under the malware-as-a-service (MaaS) model since 2018, Golden Chickens is referred to as the ‘cyber weapon of choice’ of the three hacking groups, which have caused estimated financial losses of more than $1.5 billion.
eSentire’s investigation into the Golden Chickens malware (which is operated by a threat actor tracked as Venom Spider) uncovered a connection with the username ‘Badbullzvenom’ and with an individual referred to as ‘Frapstar’ and ‘Chuck from Montreal’.
Apparently from Moldova, Badbullzvenom speaks Romanian, French, and English, and claims to be working with Cobalt Gang. Chuck, on the other hand, appears to live in Canada, speaks French, and is interested in buying stolen Canadian credit card accounts.
Both Badbullzvenom and Chuck (who uses multiple aliases on forums, social media, and communication platforms) have gone to great lengths to hide their identities and to keep Golden Chickens off the radar, using obfuscation and only allowing it to be used in targeted attacks.
Despite that, however, eSentire believes it has discovered Chuck’s real name and home address, while also uncovering information such as the names of his family and friends, his social media accounts, and the fact that he owns a small business and a BMW 5 Series car.
Usernames associated with Chuck include Badbullzvenom, Badbullz, Frapstar, Ksensei21, and E39_Frap* (such as E39_Frapstar). The Badbullzvenom account, eSentire notes, appears to be used both by Chuck and by his partner, who is possibly from Moldova or Romania.
The account can be traced back to 2013, when the individual behind it was a novice cybercriminal, or ‘script kiddie’. By 2016, the individual had accumulated enough expertise to build his first cyber tool, which he sold to two miscreants.
Between 2017 and 2019, he started offering a malicious document builder known as ‘VenomKit’, which he constantly updated with new Office exploits. In 2018 and 2019, Cobalt Group and FIN6 started using the builder in attacks.
Working their way through leaked user databases of hacking forums, the security researchers identified an old Myspace account and a Montreal Racing forum account using the same email address ‘[email protected]’, and a Pinterest account for ‘Dee Inconegro’, which has a board named ‘Bad Bullz’.
The researchers also discovered a Facebook account using the Dee Inconegro name, which shares multiple friends with the account ‘Chuck Larock’, seemingly another account operated by the same threat actor.
Using a comment by one of Chuck Larock’s friends as a starting point, the researchers discovered the individual’s real name and linked it to a small business operated from a residential address in Montreal, as well as to an email address used for another account on the Montreal Racing forums.
The individual also appears to be associated with the Montreal 67s, a Haitian street gang.
The Golden Chickens malware suite developed by Chuck and his partner consists of components such as the More_eggs backdoor, the VenomLNK initial-access LNK file that executes the TerraLoader loader, the TerraRecon reconnaissance tool, the TerraStealer credential stealer, the TerraTV lateral-movement utility, the TerraPreter Meterpreter shell, and the TerraCrypt ransomware.
In recent campaigns distributing Golden Chickens, which continues to be actively developed, e-commerce companies have been targeted through their employee recruitment processes (including LinkedIn, Indeed, and the recruitment page on the victim’s own website).