Monday, December 23, 2024
HomeCyber Security NewsNew Research Uncovers Threat Actor Behind Infamous Golden Chickens Malware-as-a-Service

New Research Uncovers Threat Actor Behind Infamous Golden Chickens Malware-as-a-Service

Published on

SIEM as a Service

The identity of the individual behind the Golden Chickens malware-as-a-service has been uncovered by cybersecurity experts. The perpetrator, known online as “badbullzvenom,” has been identified in the real world.

An extensive 16-month investigation by eSentire’s Threat Response Unit revealed that the badbullzvenom account was linked to multiple individuals, as outlined in the unit’s recently published report.

By identifying themselves as “Chuck from Montreal,” the individual known as Frapstar left a digital trail that allowed the cybersecurity firm to piece together its identity.

- Advertisement - SIEM as a Service

This includes the following information:-

  • Real name
  • Pictures
  • Home address
  • Names of his parents
  • Siblings
  • Friends
  • Social media accounts
  • His interests

Tools Used by Threat Actors

The Golden Chickens (aka Venom Spider) platform is a MaaS provider that integrates with a number of tools such as the following:-

  • Taurus Builder
  • More_eggs
  • VenomLNK
  • TerraLoader
  • TerraRecon
  • TerraStealer
  • TerraTV
  • TerraPreter
  • TerraCrypt

As per the report, the cyber tools of this threat actor have been utilized by various prominent cybercrime groups, causing a combined estimated loss of $1.5 billion.

Here below we have mentioned the group names that are involved:-

  • Cobalt Group (aka Cobalt Gang)
  • Evilnum
  • FIN6

The connection Between badbullzvenom and Frapstar

In order to connect the different forum accounts associated with the Golden Chickens MaaS, the TRU team conducted a thorough analysis of various security reports through Open Source Intelligence (OSINT). 

They discovered a 2015 Trend Micro report named, “Attack of the Solo Cybercriminals – Frapstar in Canada,” which identified the threat actor as a lone carder, who monetizes stolen credit cards and has multiple aliases and accounts on multiple hacker forums, one of them being badbullzvenom.

Here are some of the key details about the threat actor known as Frapstar:-

  • They have a particular interest in procuring Canadian credit card accounts that have been compromised.
  • They own a BMW 5 Series automobile, and it is an E39 540i model.
  • The usernames they use on various forums are Badbullzvenom, Badbullz, Frapstar, Ksensei21, and E39_Frap* (i.e., E39_Frapstar).

In a change of strategy, the same tactics were used last year to target corporate hiring managers by sending resumes with malware as a way to infect their systems.

The individual known as ‘Chuck,’ who utilizes various aliases for his underground forum, social media, and Jabber accounts, and the threat actor who claims to be from Moldova, have taken significant measures to conceal their true identities.

The developers of Golden Chickens malware have put a great deal of effort into making it evasive to detection by the majority of AV companies, and have restricted the use of the malware to only targeted attacks.

It is believed that Chuck is one of the two individuals who control the badbullzvenom account on the Exploit[.]in the underground forum. The location of the other party is yet to be determined but could be from:-

  • Moldova 
  • Romania

Recommendations

Here below we have mentioned the recommendations offered by the cybersecurity analysts:-

  • Ensure that the endpoints are monitored exhaustively.
  • Be sure to inform employees about common phishing tactics in order to avoid falling victim to them.
  • In order to tackle phishing and suspicious behavior, it is important to have an easy process in place for reporting it.
  • Take advantage of Managed Detection and Response services which will allow you to monitor your security 24 hours a day.

Network Security Checklist – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target...

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that...

DigiEver IoT Devices Exploited To Deliver Mirai-based Malware

A new Mirai-based botnet, "Hail Cock Botnet," has been exploiting vulnerable IoT devices, including...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target...

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that...