Cybersecurity firm eSentire says it has identified the second developer of Golden Chickens, a malware suite used by financially-motivated cybercrime groups Cobalt Group and FIN6.
Offered under a malware-as-a-service (MaaS) model since 2018, Golden Chickens has been used by the Russia-based Cobalt Group and FIN6 cybercrime rings to target organizations in various industries, causing financial losses or more than $1.4 billion.
Golden Chickens has been primarily used to steal banking information and credit card data, targeting the online payment systems of organizations in the accounting, aviation, insurance, legal, energy, and food industries.
Following an August 2022 report detailing the whereabouts of ‘Chuck from Montreal’, one of the threat actors behind the Golden Chickens MaaS, eSentire now claims to have discovered the identity of ‘Jack’, the second developer of the malware. The Golden Chickens operator is tracked as Venom Spider.
According to the security firm, the true mastermind behind Golden Chickens is, in fact, Jack, who has been active on cybercrime forums since 2008, when he was 15, and who built a reputation for himself under multiple aliases.
Over time, Jack built a reputation among cybercriminals as a ripper and scammer. In July 2022, a threat actor announced a $200,000 bounty for information leading to Jack’s identity, accusing him of stealing $1 million.
Between 2007 and 2008, when he was using the username ‘Lucky’ along with two similar aliases, Jack released a malware tool dubbed ‘Voyer’, designed to steal a victim’s Yahoo instant messages.
Between 2008 and 2009, he released ‘FlyCatcher’, which could log keystrokes, logout the user, restart or shut down the computer, and display messages to the victim in popup windows.
A year later, he released a new password stealer named ‘Con’, which could extract credentials from various browsers, messages and credentials from instant messengers, and credentials for VPN and FTP applications.
In late 2009, he released ‘Ghost’, a crypter to encrypt and obfuscate malware to evade detection. A year later, he ceased development of the tool, after suffering the loss of his father.
In 2012, his reputation as a ripper/scammer started to build up, with threat actors complaining about him ignoring client requests and causing them to lose money, mainly because he was always partying.
Around the same time, Lucky suggested in a forum post that he was considering moving from Romania to Pakistan, but it is unclear if he did so.
Coincidentally, security researchers have identified similarities between the tactics used by the advanced persistent threat (APT) actor SideCopy – which has ties to the Transparent Tribe APT – and those used by Lucky’s VenomLNK malware, an initial access vector for the More_eggs backdoor (part of Golden Chickens).
According to eSentire, Lucky met ‘Chuck from Montreal’ on an underground forum sometime between late 2012 and October 2013, and made a deal to both use the ‘badbullz’ and ‘badbullzvenom’ aliases on various forums. This allowed Lucky to circumvent the fact that, on some forums, his account was flagged as ‘ripper’.
In 2015, Lucky released a kit for building macros called ‘Multiplier’, which appears to be the predecessor of VenomKit, but continued to show interest in crypters and banking trojans.
In 2017, he released VenomKit, a kit for building malicious Microsoft Word documents, but continued to develop malware to work along with the kit. Finally, these tools evolved into the all-in-one suite of malware called Golden Chickens, which caught the attention of established cybercrime groups.
“Security experts assert that in 2017 the Cobalt Group used badbullzvenom’s (aka: Lucky) VenomKit to deploy Cobalt Strike in attacks on banks – and then they used it again in 2018,” eSentire notes.
FIN6, another financial crime group from Russia, started using Golden Chickens in 2019. During the same year, the PureLocker ransomware plugin was observed as a new component of Golden Chickens.
eSentire’s analysis of 15 years of underground forum activity has allowed the company to uncover the identity of the individual behind the Lucky account, who self-identifies as ‘Jack’, and who was also operating the badbullz and badbullzvenom accounts at times.
The cybersecurity firm says it also found the identities of his wife, mother, and two sisters, and uncovered Jack’s social media accounts, where he posted pictures of his visits to London, Paris, Milan, and other cities around the world. The photos show him and his wife wearing designer clothing and accessories.
Born in the small city of Mizil and now living in Bucharest, Jack is listed as the owner of a legitimate vegetable and fruit import and export business.
Related: New Infostealer Malware ‘Erbium’ Offered as MaaS for Thousands of Dollars
Related: Cyber Insights 2023 | Criminal Gangs