Saturday, May 18, 2024

New Research Uncovers Threat Actor Behind Infamous Golden Chickens Malware-as-a-Service

The identity of the individual behind the Golden Chickens malware-as-a-service has been uncovered by cybersecurity experts. The perpetrator, known online as “badbullzvenom,” has been identified in the real world.

An extensive 16-month investigation by eSentire’s Threat Response Unit revealed that the badbullzvenom account was linked to multiple individuals, as outlined in the unit’s recently published report.

By identifying themselves as “Chuck from Montreal,” the individual known as Frapstar left a digital trail that allowed the cybersecurity firm to piece together its identity.

This includes the following information:-

  • Real name
  • Pictures
  • Home address
  • Names of his parents
  • Siblings
  • Friends
  • Social media accounts
  • His interests

Tools Used by Threat Actors

The Golden Chickens (aka Venom Spider) platform is a MaaS provider that integrates with a number of tools such as the following:-

  • Taurus Builder
  • More_eggs
  • VenomLNK
  • TerraLoader
  • TerraRecon
  • TerraStealer
  • TerraTV
  • TerraPreter
  • TerraCrypt

As per the report, the cyber tools of this threat actor have been utilized by various prominent cybercrime groups, causing a combined estimated loss of $1.5 billion.

Here below we have mentioned the group names that are involved:-

  • Cobalt Group (aka Cobalt Gang)
  • Evilnum
  • FIN6

The connection Between badbullzvenom and Frapstar

In order to connect the different forum accounts associated with the Golden Chickens MaaS, the TRU team conducted a thorough analysis of various security reports through Open Source Intelligence (OSINT). 

They discovered a 2015 Trend Micro report named, “Attack of the Solo Cybercriminals – Frapstar in Canada,” which identified the threat actor as a lone carder, who monetizes stolen credit cards and has multiple aliases and accounts on multiple hacker forums, one of them being badbullzvenom.

Here are some of the key details about the threat actor known as Frapstar:-

  • They have a particular interest in procuring Canadian credit card accounts that have been compromised.
  • They own a BMW 5 Series automobile, and it is an E39 540i model.
  • The usernames they use on various forums are Badbullzvenom, Badbullz, Frapstar, Ksensei21, and E39_Frap* (i.e., E39_Frapstar).

In a change of strategy, the same tactics were used last year to target corporate hiring managers by sending resumes with malware as a way to infect their systems.

The individual known as ‘Chuck,’ who utilizes various aliases for his underground forum, social media, and Jabber accounts, and the threat actor who claims to be from Moldova, have taken significant measures to conceal their true identities.

The developers of Golden Chickens malware have put a great deal of effort into making it evasive to detection by the majority of AV companies, and have restricted the use of the malware to only targeted attacks.

It is believed that Chuck is one of the two individuals who control the badbullzvenom account on the Exploit[.]in the underground forum. The location of the other party is yet to be determined but could be from:-

  • Moldova 
  • Romania


Here below we have mentioned the recommendations offered by the cybersecurity analysts:-

  • Ensure that the endpoints are monitored exhaustively.
  • Be sure to inform employees about common phishing tactics in order to avoid falling victim to them.
  • In order to tackle phishing and suspicious behavior, it is important to have an easy process in place for reporting it.
  • Take advantage of Managed Detection and Response services which will allow you to monitor your security 24 hours a day.

Network Security Checklist – Download Free E-Book


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles